Thanks and that's the conclusion I have come to after looking at the configuration. However I am hesitant to block it until I understand it as these are very important users and I don't want to be the guy to cause them any problems.

Just to clarify, the two DNS servers in question were never configured in a group policy but somehow users are overriding the group policy settings.

A little more history is that the users in question had an Altiris push to hard code the two DNS servers in question for their LAN interfaces. The push shouldn't have touched the VPN interfaces but who knows? I was unable to easily hard code them on the Cisco VPN interfaces without also changing the IP address configuration which showed up as being hardcoded to 0.0.0.0. Maybe I'll play around with that today to at least understand how they are getting past the VPN group policy settings.

Well truth is that if there is no dns server pushed via the vpn attributes then the client will use the ones on the LAN. So if these dns servers were there and the vpn server does not send any other server ip it will use the ones on the LAN

Ah ha! That might align with a theory of mine. We do and always have had the two correct DNS servers configured in the default policy which I understand will be used by every other policy that doesn't have an explicit configuration for other servers. We do not have any other explicit DNS policies.

Based on traces from past issues we've found that (at least our Microsoft workstation build) only waits about a second before resending a query to the next server in line.

There would be frequent queries that would take longer than two seconds to resolve such as Internet queries that have not been cached and bogus queries which there will be no answer unless the domain is valid.

Do you think it would it be possible that the VPN users are sending queries to both of the VPN configured servers and then, when they don't get a timely response, send the query to the DNS servers configured on the LAN interfaces?

That's most likely to happen, so here it how it works.

If group policy has specific dns servers, those are pushed to the client

If no dns servers (atts) are defined on the particular policy, but defined on the default policy, those are pushed to the client

If there are not atts defined on any policy, then it should not inject any att to the vpn connection and instead use the local lan adapters setup.

Thanks and if I understand correctly, we are on the same page. I am going to do some testing to verify what we've discussed.

I got some very interesting results. I hard coded my DNS servers on my LAN interface and connected via the VPN. I then tried various methods of overriding the VPN DNS configuration and was not successful.

Interesting to me was that I changed the destination server in NSLOOKUP and sent some queries. The queries resolved properly but the snoop I was running on the Unix DNS server showed that I had not made any queries to it at all. I tested the snoop by pinging the server which proved I wasn't doing something wrong.

My only conclusion is that the ASA redirected my DNS query to one of two (or both) of the DNS servers configured in the policy.

This has me perplexed because I manage our DNS and if I direct a query to a particular server I need to know if the server is responding or not. Had I not done this test I would not have known that the Cisco VPN is of limited usefullness to me for DNS troubleshooting, at least for DNS queries sent directly from the VPN client workstation.

Is this the behavior you would expect?