Split-DNS value not passing to Mac OS X IPSec client

Unanswered Question
Jun 21st, 2009

I have a MacOS X IPSec client that isn't receiving the split-dns setup from my ASA 5505.

Here's the relevant data from my ASA device:

group-policy vpnpolicy attributes

wins-server none

dns-server value 192.168.1.3

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

default-domain value workdomain1.com

split-dns value workdomain1.com workdomain2.com.local

tunnel-group myvpn type remote-access

tunnel-group myvpn general-attributes

address-pool vpnpool

authentication-server-group vpn

authentication-server-group (inside) vpn

default-group-policy vpnpolicy

The second domain isn't being passed to the client. Here's the resolv.conf before/after IPSec connection:

mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf

domain myhomedomain.net

nameserver 68.94.156.1

nameserver 151.164.8.201

/etc/resolv.conf (END)

mark-petersons-macbook-pro:~ peterson$ more /etc/resolv.conf

domain workdomain1.com

search workdomain1.com

nameserver 68.94.156.1

nameserver 151.164.8.201

/etc/resolv.conf (END)

Any ideas what the problem could be?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
smalkeric Mon, 06/29/2009 - 13:29

When an ISP's DNS server is included in the Split Tunneling Network List and Split DNS Names are configured, all DNS queries to domains other than those in the Split DNS Names list are not resolved.

By definition, split DNS is used so that only certain domains get resolved by corporate DNS servers, while rest go to public (ISP-assigned) DNS servers. To enforce this feature, the VPN Client directs DNS queries that are about hosts on the Split DNS Names list to corporate DNS servers, and discards all DNS queries that are not part of the Split DNS Names list.

The problem occurs when the ISP-assigned DNS servers are in the range of the Split Tunneling Network List. In that case, all DNS queries for non-split-DNS domains are discarded by the VPN Client.

To avoid this problem, remove the ISP-assigned DNS server from the range of the Split Tunneling Network List, or do not configure split DNS (CSCee66180).

petersonmd Mon, 06/29/2009 - 13:42

I'm not quite sure I understand. My home ISP is assigning me two DNS servers - 69.94.156.1 and 151.164.8.201. My corporate DNS server - as configured by my VPN settings on the ASA - is 192.168.1.3.

There is no overlap between my split-tunnel list and the 2 ISP-assigned DNS servers. The split-tunnel list includes 192.168.1.x, 192.168.2.x, 192.168.10.x, and 192.168.99.x. That's it. The problem is that the second domain that I've specified in my search list isn't being passed on to the client. I've even tried switching the order of the domains - no luck.

Any other suggestions?

ajamua Wed, 10/28/2009 - 12:27

Did you get any solutions for this problem? I am experiencing similar issue trying to configure split-dns for my sslVPN users using anyconnect vpn client version 2.3.2016.

tunderhay Thu, 11/05/2009 - 13:02

It is now on AnyConnect 2.4. From the release notes:

New Feature Overviews

The following sections describe the new features in Release 2.4:

•Split DNS Fallback

Split DNS Fallback

If the group policy on the security appliance specifies the names of the domains to be tunneled, AnyConnect tunnels only DNS queries that match those domains. It refuses all other DNS queries. The DNS resolver receives the refusal from the client and retries, this time using the public interface instead of AnyConnect.

This feature requires that you:

•Configure at least one DNS server

•Enable split-tunneling

drew@ekit-inc.com Tue, 03/23/2010 - 20:30

Seeing a similar issue with AnyConnect 2.4.1012.

Config I have on a IOS device works perfectly on a Windows client, but on a Mac OS X 10.5 client it's not playing ball.

In terminal, I can do a 'host' on a server that resides at the other end of the SSL VPN, but if I try and ping it, it's replying that the host is unknown:

(host names changed)

acid:~ drew$ ping www.internal.server.com

ping: cannot resolve www.internal.server.com: Unknown host

acid:~ drew$

acid:~ drew$ host www.internal.server.com
www.server.com is an alias for host.server.com.
host.server.com has address 192.168.1.1
host.server.com mail is handled by 0 mx1.server.com.
host.server.com mail is handled by 10 mx2.server.com.
resolv.conf looks fine:
domain server.com
search loc.server.com loc2.server.com server.com loc3.server.com loc4.server.com
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 139.130.4.4 (external DNS)
nameserver 139.130.4.5 (external DNS)
All the configs on the IOS router are just using split dns svc's for the domains in the search so it should be happy.
As mentioned, works perfectly in windows but not in mac. Anyone have any ideas?
*edit*
I've updated to the 2.5 beta for intel and it's working now. Apparently there's some problem with 2.4 release not working with the IP stack for the lookup zones and dns servers. I'll stick with the beta until the official one is released.
charrellc011699 Wed, 06/02/2010 - 08:23

Any progress on this issue?  I have a MAC user that is experiencing the Split-DNS problem using the IPSEC client as well - only queries for names in the first domain in the Split-DNS list is actually being tunneled to the corporated DNS server.

Has anyone opened a TAC case to work this issue?

drew@ekit-inc.com Wed, 06/02/2010 - 18:38

I'm not having an issue with 2.5.0217 client now. They recently released this from Beta. Have you tried that?

sandervanloosbroek Thu, 08/05/2010 - 11:05

I opened a TAC case as the 2.5 client is still not working here. The Windows version works fine. Will keep you guys posted.

sandervanloosbroek Thu, 08/05/2010 - 14:01

Just got a reply from Cisco, this is a confirmed bug [CSCtf20226] in Mac OS X 10.6. Their workaround is to explicitly define external DNS servers. I used the Google public DNS servers and this indeed works as expected.

(config-webvpn-group)#svc dns-server primary  8.8.8.8

(config-webvpn-group)#svc dns-server secondary  8.8.4.4

Hope this helps anyone.

ferps Tue, 12/13/2011 - 15:10

Sander,

     I want to thank you.  You are a life-saver.  However, I want to go a step further in the solution you propose.  If you go to this link below, you will find a document titled "PIX/ASA: perform DNS Doctoring with the Static Command and Two NAT Interfaces"

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

     While the majority of the content doesn't pertain to this issue, there is a portion that most certainly does - under the heading "Split-DNS Configuration".  There, it tells you that you can create a domain list that specifies specififc domains - that if matched - will force ALL TRAFFIC FOR THAT DOMAIN through the tunnel.  Therefore, if you have services in your company that need to be accessed via VPN over the browser and you are experiencing issues due to the split-tunnel, create a domain list under the the tunnel's group-policy like this:

yourfirewall(config)# group-policy VPN-POLICY attributes

yourfirewall(config-group-policy)# split-dns yourcompany.com

yourfirewall(config-group-policy)# end

yourfirewall(config)#

Now, all traffic with a domain suffix of "yourcompany.com" will always be directed through the tunnel.  Remember that you need to define internal DNS servers under the policy as well if you intend to resolve those internal domain hostnames.

sandervanloosbroek Wed, 12/14/2011 - 00:57

Hi Fisher,

Appreciate the thanks, please rate my answer if it helped you so others can also find it quickly.

For this customer this wasn't an option as he doesn't run his own DNS. The network is too small to warrant that. That being said, your hint might prove useful in a different case. Thanks for the update!

S.

Actions

Login or Register to take actions

This Discussion

Posted June 21, 2009 at 10:19 AM
Stats:
Replies:12 Avg. Rating:
Views:7365 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard