Tuesday, August 31, 2021

Cisco AnyConnect DNS weirdness

Hello everyone. I configured Cisco AnyConnect with a split tunnel, and users have noticed that DNS lookups fail in some cases. This may be because our computers send all DNS queries to both the DNS server via the tunnel and to the regular DNS server for the host, resulting in a negative lookup result from the local DNS server.

Today I implemented split DNS for the two domains we use for production equipment. This worked as expected for macOS, but Windows users ran into the following issue: When a user tried to connect to a device using the FQDN, their computer would send a query only via the tunnel and get a (quick) response, but PuTTY, WinSCP, and Firefox would fail to use the DNS reply, and would complain that the host couldn't be found.

When I rolled back the split DNS changes, Windows users could resolve FQDNs as before. Has anyone run into this before and found a fix? I don't want to tunnel all DNS traffic because this would keep the AnyConnect sessions from ever timing out, and we don't really want to answer irrelevant DNS queries.
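To narrow down where the Windows-side failure described above actually happens, the following PowerShell diagnostic (added here, not part of the original post or any Cisco tooling) compares the per-adapter DNS servers, any Name Resolution Policy Table rules, a direct query against the tunnel DNS server, a query through the normal Windows resolver, and what the system resolver call used by ordinary applications returns. The FQDN and tunnel DNS server address are placeholders you must replace.

```powershell
# Added diagnostic for the split-DNS symptom; not code from the original post.
# Both values below are constructed placeholders, replace them with your own.
$Fqdn      = 'device01.prod.example'   # placeholder production-device FQDN
$TunnelDns = '10.0.0.53'               # placeholder DNS server reachable via the tunnel

Write-Host "== DNS servers per adapter (tunnel adapter vs. physical adapter) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

Write-Host "== Name Resolution Policy Table rules (domain-to-server pinning, if any) =="
$nrpt = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue
if ($nrpt) { $nrpt | Format-Table Namespace, NameServers -AutoSize }
else       { Write-Host "  none" }

Write-Host "== Direct query to the tunnel DNS server (bypasses the local resolver) =="
Resolve-DnsName -Name $Fqdn -Server $TunnelDns -Type A -DnsOnly -ErrorAction Continue |
    Format-Table Name, Type, IPAddress -AutoSize

Write-Host "== Query through the normal Windows resolver path =="
Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Continue |
    Format-Table Name, Type, IPAddress -AutoSize

Write-Host "== System resolver call (the path most desktop applications use) =="
try {
    [System.Net.Dns]::GetHostAddresses($Fqdn) |
        ForEach-Object { "  $($_.IPAddressToString)" }
} catch {
    Write-Host "  lookup failed: $($_.Exception.Message)"
}

Write-Host "== Resolver cache entry for the name (positive or negative) =="
Get-DnsClientCache -Name $Fqdn -ErrorAction SilentlyContinue |
    Format-Table Entry, Status, Data -AutoSize
```

If the direct query and Resolve-DnsName succeed but the GetHostAddresses call fails or the cache shows a negative entry, the problem sits in how the stub resolver consumes the answer rather than in the tunnel DNS server itself.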
