Anyconnect Domain Name Resolution

Posted onby
  1. Cisco Anyconnect Domain Name Resolution
  2. Anyconnect Vpn Unsuccessful Domain Name Resolution
  3. Cisco Anyconnect Domain Name Resolution
  4. Cisco Anyconnect Failed Unsuccessful Domain Name Resolution Mac
  5. Cisco Anyconnect Domain Name Resolution Error

Introduction

Uniform Domain Name Dispute Resolution Policy — The Uniform Domain Name Dispute Resolution Policy (UDRP) is a process established by the Internet. AnyConnect failes to connect due to unsuccessful domain name resolution. Posted by 7 months ago. Take the dns of your ISP and under nslookup, type the domain name of your anyconnect vpn host. See if it resolves the actual IP address as expected. Get the user to perhaps also tether through their mobiles to check as well.

This document describes how different Operating Systems (OSs) handle Domain Name System (DNS) queries and the affects on domain name resolution with Cisco AnyConnect and split or full tunneling.

Split Versus Standard DNS

When you use split-include tunneling, there are three options for DNS:

  1. Split DNS - The DNS queries which matches the domain names, are configured on the Cisco Adaptive Security Appliance (ASA). They move through the tunnel (to the DNS servers that are defined on the ASA, for example) while others do not.
  2. Tunnel-all-DNS - Only DNS traffic to the DNS servers which are defined by the ASA is allowed. This setting is configured in the group policy.
  3. Standard DNS - All of the DNS queries move through the DNS servers which are defined by the ASA. In the case of a negative response, the DNS queries might also go to the DNS servers which are configured on the physical adapter.

Note: The split-tunnel-all-dns command was first implemented in ASA Version 8.2(5). Before this version, you could only do split DNS or standard DNS.

In all cases, the DNS queries which are defined to move through the tunnel, go to any DNS servers which are defined by ASA. If there are no DNS servers defined by the ASA, then the DNS settings are blank for the tunnel. If you do not have split DNS defined, then all of the DNS queries are sent to the DNS servers which are defined by the ASA. However, the behaviors that are described in this document can be different, depending upon the Operating System (OS).

Note: Avoid the use of the NSLookup when you test the name resolution on the client. Instead, rely on a browser or use the ping command. This is because NSLookup does not rely on the OS DNS resolver. AnyConnect does not force the DNS request via a certain interface but allows it or rejects it dependent upon the split DNS configuration. In order to force the DNS resolver to try an acceptable DNS server for a request, it is important that split DNS testing is only performed with applications that rely on the native DNS resolver for domain name resolution (all applications except NSLookup, Dig, and similar applications that handle DNS resolution by themselves, for example).

True Versus Best Effort Split DNS

Anyconnect Domain Name Resolution

AnyConnect Release 2.4 supports split DNS Fallback (best effort split DNS), which is not the true split DNS and is found in the legacy IPsec client. If the request matches a split DNS domain, AnyConnect allows the request to be tunneled into the ASA. If the server cannot resolve the host name, the DNS resolver continues and sends the same query to the DNS server that is mapped to the physical interface.

On the other hand, if the request does not match any of the split DNS domains, AnyConnect does not tunnel it into the ASA. Instead, it builds a DNS response so that the DNS resolver falls back and sends the query to the DNS server that is mapped to the physical interface. That is why this feature is not called split DNS, but DNS fallback for split tunneling. Not only does AnyConnect assure that only requests that target split DNS domains are tunneled in, it also relies on the client OS DNS resolver behavior for host name resolution.

This raises security concerns due to a potential private domain name leak. For example, the native DNS client can send a query for a private domain name to a public DNS server specifically when the VPN DNS name server could not resolve the DNS query.

Refer to Cisco bug ID CSCtn14578, currently resolved on Microsoft Windows only, as of Version 3.0(4235). The solution implements true split DNS, it strictly queries the configured domain names that matches and are allowed to the VPN DNS servers. All other queries are only allowed to other DNS servers, such as those configured on the physical adapter(s).

Tunnel All and Tunnel All DNS

When split tunneling is disabled (the tunnel all configuration), DNS traffic is allowed strictly via tunnel. The tunnel all DNS configuration (configured in the group policy) sends all of the DNS lookups through the tunnel, along with some type of split tunneling, and DNS traffic is allowed strictly via tunnel.

This is consistent across platforms with one caveat on Microsoft Windows: when any tunnel all or tunnel all DNS is configured, AnyConnect allows DNS traffic strictly to the DNS servers that are configured on the secure gateway (applied to the VPN adapter). This is a security enhancement implemented along with the previously mentioned true split DNS solution.

If this proves problematic in certain scenarios (for example, DNS update/registration requests must be sent to non-VPN DNS servers), then complete these steps:

  1. If the current configuration is tunnel all, then enable split-exclude tunneling. Any single-host, split-exclude network is acceptable for use, such as a link-local address.
  2. Ensure that tunnel all DNS is not configured in the group policy.

DNS Performance Issue Resolved in AnyConnect Version 3.0(4235)

This Microsoft Windows issue is mostly prevalent under these conditions:

  • With the home router setup, the DNS and DHCP servers are assigned the same IP address (AnyConnect creates a necessary route to the DHCP server).
  • A large number of DNS domains are in the group policy.
  • A Tunnel-all configuration is used.
  • The name resolution is performed by a non-qualified host name, which implies that the resolver must try a number of DNS suffixes on all of the available DNS servers until the one relevant to the queried host name is attempted.

This issue is due to the native DNS client that attempts to send DNS queries via the physical adapter, which AnyConnect blocks (given the tunnel-all configuration). This leads to a name resolution delay that can be significant, especially if a large number of DNS suffixes are pushed by the headend. The DNS client must walk through all of the queries and available DNS servers until it receives a positive response.

This problem is resolved in AnyConnect Version 3.0(4235). Reference Cisco bug IDs CSCtq02141 and CSCtn14578, along with the introduction to the previously-mentioned true split DNS solution, for more information.

If an upgrade cannot be implemented, then these are the possible workarounds:

  • Enable split-exclude tunneling for an IP address, which allows the local DNS requests to flow through the physical adapter. You can use an address from the linklocal subnet 169.254.0.0/16 because it is unlikely that any device sends traffic to one of those IP addresses over the VPN. After you enable the split-exclude tunneling, enable local LAN access on the client profile or on the client itself, and disable tunnel all DNS.
    On the ASA, make these configuration changes:
    On the client profile, you must add this line:
    You can also enable this on a per-client basis in the AnyConnect client GUI. Navigate to the AnyConnect Preference menu, and check the Enable local LAN access check-box.
  • Use the fully qualified domain names (FQDNs) instead of the unqualified host names for the name resolutions.
  • Use a different IP address for the DNS server on the physical interface.

DNS with Split Tunneling on Different OSs

Different OSs handle DNS searches in different ways when used with split tunneling (without split DNS) for AnyConnect. This section describes those differences.

Microsoft Windows

On Microsoft Windows systems, DNS settings are per-interface. If split tunneling is used, DNS queries can fall back to the physical adaptor DNS servers after they fail on the VPN tunnel adaptor. If split tunneling without split DNS is defined, then both internal and external DNS resolution works because it falls back to the external DNS servers.

There has been a change in behavior in the DNS handling mechanism on AnyConnect for Windows, in release 4.2 after the fix for CSCuf07885.


Windows 7+

Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)

Cisco Anyconnect Domain Name Resolution


Pre AnyConnect 4.2:

Anyconnect Vpn Unsuccessful Domain Name Resolution

Only DNS requests to DNS servers configured under the group-policy (tunnel DNS servers) are allowed. The AnyConnect driver responds to all other requests with a 'no such name' response. As a result, DNS resolution can only be performed using the tunnel DNS servers.


AnyConnect 4.2 +

DNS requests to any DNS servers are allowed, as long as they are originated from the VPN adapter and are sent across the tunnel. All other requests are responded with 'no such name' response, and DNS resolution can only be performed via the VPN tunnel

Prior to CSCuf07885 fix, AC restricts the target DNS servers, however with the fix for CSCuf07885, it restricts which network adapters can initiate DNS requests.


Split-include configuration (tunnel-all DNS disabled and no split-DNS)

AnyConnect driver does not interfere with the native DNS resolver. Therefore, DNS resolution is performed based on the order of network adapters where AnyConnect is always the preferred adapter when VPN is connected. Moreover, a DNS query is first sent via the tunnel and if it does not get resolved, the resolver attempts to resolve it via public interface. The split-include access-list includes the subnet which covers the Tunnel DNS server(s). To start with AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, and therefore the split-include access-list no longer requires explicit addition of the tunnel DNS server subnet.


Split-exclude configuration (tunnel-all DNS disabled and no split-DNS)

AnyConnect driver does not interfere with the native DNS resolver. Therefore, DNS resolution is performed based on the order of network adapters where AnyConnect is always the preferred adapter when VPN is connected. Moreover, a DNS query is first sent via the tunnel and if it does not get resolved, the resolver attempts to resolve it via public interface. The split-exclude access-list should not include the subnet covering the Tunnel DNS server(s). To start with AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, and therefore prevents the misconfiguration in the split-exclude access-list.


Split-DNS (tunnel-all DNS disabled, split-include configured)


Pre AnyConnect 4.2

DNS requests, which matches with the split-dns domains are allowed to tunnel DNS servers, but are not allowed to other DNS servers. To prevent such internal DNS queries from leaking out the tunnel, the AnyConnect driver responds with 'no such name' if the query is sent to other DNS servers. Therefore, the split-dns domains can only be resolved via tunnel DNS servers.

DNS requests, which does not match with the split-dns domains are allowed to other DNS servers, but are not allowed to tunnel DNS servers. Even in this case, the AnyConnect driver responds with 'no such name' if a query for non split-dns domains is attempted via tunnel. Therefore, the non split-dns domains can only be resolved via public DNS servers outside the tunnel.


AnyConnect 4.2 +

DNS requests, which matches with the split-dns domains are allowed to any DNS servers, as long as they originate from the VPN adapter. If the query is originated by the public interface, AnyConnect driver responds with a 'no such name' to force the resolver to always use the tunnel for name resolution. Therefore, the split-dns domains can only be resolved via tunnel.

DNS requests, which does not match with the split-dns domains are allowed to any DNS servers as long as they originate from the physical adapter. If the query is originated by the VPN adapter, AnyConnect responds with 'no such name' to force the resolver to always attempt the name resolution via the public interface. Therefore, the non split-dns domains can only be resolved via public interface.

Mac OSx

On Macintosh systems, the DNS settings are global. If split tunneling is used, but split DNS is not used, it is not possible for the DNS queries to reach DNS servers outside of the tunnel. You can only resolve internally, not externally.

This is documented in Cisco bug IDs CSCtf20226 and CSCtz86314. In both cases, this workaround should resolve the issue:

  • Specify an external DNS server IP address under the group policy and use a FQDN for the internal DNS queries.
  • If the external names are resolvable through the tunnel, then navigate to Advanced > Split Tunneling and disable split DNS via removal of the DNS names that are configured in the group policy. This requires the use of a FQDN for the internal DNS queries.

The split DNS case is resolved in AnyConnect Version 3.1. However, you must ensure that one of these conditions is met:

  • Split DNS must be enabled for both IP protocols, which requires Cisco ASA Version 9.0 or later.
  • Split DNS must be enabled for one IP protocol. If you run Cisco ASA Version 9.0 or later, then use client bypass protocol for the other IP protocol. For example, ensure that there is no address pool and that Client Bypass Protocol is enabled in the group policy. Alternatively, if you run an ASA version which is earlier than Version 9.0, ensure that there is no address pool configured for the other IP protocol. This implies that the other IP protocol is IPv6.

Note: AnyConnect does not change the resolv.conf file on Macintosh OS X, but rather changes OS X-specific DNS settings. Macintosh OS X keeps the resolv.conf file current for compatibility reasons. Use the scutil --dns command in order to view the DNS settings on Macintosh OS X.

Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)

When AnyConnect is connected, only Tunnel DNS servers are maintained in the system DNS configuration, and therefore DNS requests can only be sent to the Tunnel DNS server(s).

Split-include configuration (tunnel-all DNS disabled and no split-DNS)

AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are configured as preferred resolvers, which takes precedence over public DNS servers, thus it ensures that the initial DNS request for a name resolution is sent over the tunnel. Since DNS settings are global on Mac OS X, it is not possible for DNS queries to use public DNS servers outside the tunnel as documented in CSCtf20226 . To start with AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, and therefore the split-include access-list no longer requires explicit addition of the tunnel DNS server subnet.


Split-exclude configuration (tunnel-all DNS disabled and no split-DNS)


AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are configured as preferred resolvers, taking precedence over public DNS servers, thus it ensures that the initial DNS request for a name resolution is sent over the tunnel. Since DNS settings are global on Mac OS X, it is not possible for DNS queries to use public DNS servers outside the tunnel as documented in CSCtf20226 . To start with AnyConnect 4.2, host routes for the Tunnel DNS server(s) are automatically added as split-include networks (secure routes) by the AnyConnect client, and therefore the split-include access-list no longer requires explicit addition of the tunnel DNS server subnet.


Split-DNS (tunnel-all DNS disabled, split-include configured)

Anyconnect Domain Name Resolution


If split-DNS is enabled for both IP protocols (IPv4 and IPv6) or it's only enabled for one protocol and there is no address pool configured for the other protocol:
True split-DNS, similar to Windows, is enforced. True split-DNS means that request which matches with the split-DNS domains are only resolved via the tunnel, they are not leaked to DNS servers outside the tunnel.
If split-DNS is enabled for only one protocol and a client address is assigned for the other protocol, only DNS fallback for split-tunneling is enforced. This means AC only allows DNS request which matches the split-DNS domains via tunnel (other requests are replied by AC with 'refused' response to force failover to public DNS servers), but cannot enforce the request which matches with the split-DNS domains that are not sent in the clear, via public adapter.

Linux

Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)

When AnyConnect is connected, only Tunnel DNS servers are maintained in the system DNS configuration, and therefore DNS requests can only be sent to the Tunnel DNS server(s).

Split-include configuration (tunnel-all DNS disabled and no split-DNS)

AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are configured as preferred resolvers, which takes precedence over public DNS servers, thus it ensures that the initial DNS request for a name resolution is sent over the tunnel.


Split-exclude configuration (tunnel-all DNS disabled and no split-DNS)


AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are configured as preferred resolvers, which takes precedence over public DNS servers, thus it ensures that the initial DNS request for a name resolution is sent over the tunnel.


Split-DNS (tunnel-all DNS disabled, split-include configured)


If split-DNS is enabled, only DNS fallback for split-tunneling is enforced. This means AC only allows DNS request which matches with the split-DNS domains via tunnel (other requests are replied by AC with 'refused' response to force failover to public DNS servers), but cannot enforce that request which matches with the split-DNS domains that are not sent in the clear, via the public adapter.

iPhone

The iPhone is the complete opposite of the Macintosh system and is not similar to Microsoft Windows. If split tunneling is defined but split DNS is not defined, then DNS queries exit through the global DNS server that is defined. For example, split DNS domain entries are mandatory for internal resolution. This behavior is documented in Cisco bug ID CSCtq09624 and is fixed in Version 2.5.4038 for the Apple iOS AnyConnect client.

Note: Be aware that the iPhone DNS queries ignore .local domains. This is documented in Cisco bug ID CSCts89292. Apple engineers confirm that the issue is caused by the functionality of the OS. This is the designed behavior, and Apple confirms there is no change for it.

Related Information

  • CSCsv34395 - Add support in AnyConnect for proxying the FQDN to DHCP server
  • CSCtn14578 - AnyConnect to support true split DNS; not fallback
  • CSCtq02141 - AnyConnect DNS issue when ISP DNS is on same subnet as Public IP
  • CSCtn14578 - AnyConnect to support true split DNS; not fallback
  • CSCtf20226 - Make AnyConnect DNS w/ split tunnel behavior for Mac same as windows
  • CSCtz86314 - Mac: DNS queries incorrectly not sent via the tunnel with split DNS
  • CSCtq09624 - Make AnyConnect iPhone DNS w/ split tunneling behavior same as Windows
  • CSCts89292 - AC for iPhone DNS queries ignore .local domains
  • Cisco IOS Firewall

Topics Map > Networking > Virtual Private Networking (VPN)

This page contains links to download and installation instructions for VPN software for other operating systems.

Technology Services supports the Cisco AnyConnect VPN client on operating systems that are supported by Cisco. Support is provided for Windows 7, and 8 for x86 processors only, and Windows 10 for both x86 and ARM processors; Mac OS X 10.14, 10.15, 11; Some versions of linux; iOS (iPhone and iPad); Android; Kindle; For other mobile devices - check the App store.

However, you may be able to configure your system to connect to the Virtual Private Network (VPN) server if your system offers a compatible VPN client.

To construct your own VPN connection method, you should configure your VPN client as follows:

  • VPN server: vpn.illinois.edu
  • Username: Your NetID
    (or, if you're a guest, your guest ID)
  • Password: Your Active Directory password
    (or, if you're a guest, your guest password)
  • Group: 1_SplitTunnel_Default
    (Note: This is the most common choice, but you may want the Tunnel All profile for Library access. See About VPN Profiles for information about the alternatives.)
  • Authentication Domain Name: none
  • On some Linux variants, you may need to add additional configuration information:
    Refuse 40-bit encryption
    Require Microsoft Point to Point Encryption [MPPE]

Cisco Anyconnect Domain Name Resolution

These guidelines are available for reference, but you will need to work out the configuration of your own system and its VPN client.

Cisco Anyconnect Failed Unsuccessful Domain Name Resolution Mac

Travelers: If you have another Cisco VPN software client installed on your computer already, you may be able to connect to the University VPN server using a guest account and that software.

Cisco Anyconnect Domain Name Resolution Error

Campus community members can share their knowledge about their devices at Community-developed VPN configurations. (external link) (Log in with your NetID and AD password to read and contribute.)