Cisco Support Community

Apple iphone/IPAD/Itouch DNS behavior with AnyConnect

3G Testing

For this testing, AnyConnect 2.4.4009 was used.

default-domain: abc.com

split-tunnel-list: 10.0.0.0/8, 172.16.0.0/16

Browser: Safari

Scenario 1:  default domain defined, split tunneling defined, no split-dns defined

  • Browse to: www.cnn.com - the DNS request was not sent to the internal DNS server; it was resolved by the external 3G DNS server.
  • Browse to: fakeserver1 - a DNS request for fakeserver1.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari changed the name to www.fakeserver1.com, and resolution requests for www.fakeserver1.abc.com.abc.com were sent to the DNS server.
  • Browse to: haha.abc.com - a DNS request for haha.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, resolution requests for haha.abc.com.abc.com were sent to the DNS server.
  • Browse to: www - a DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari changed the name to www.www.com, which was resolved externally by the 3G DNS servers.

Scenario 2:  default domain defined, split tunneling defined, split-dns defined

  • Browse to: www.cnn.com - the DNS request was not sent to the internal DNS server; it was resolved by the external 3G DNS server.
  • Browse to: fakeserver2 - a DNS request for fakeserver2.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari switched the name to www.fakeserver2.com. Then a request for www.fakeserver2.com.abc.com was sent to the internal DNS server.
  • Browse to: haha2.abc.com - a DNS request for haha2.abc.com was sent to the internal DNS server defined in the group-policy. Then a request for haha2.abc.com.abc.com was sent to the internal DNS server.
  • Browse to: www - a DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy. When that DNS server did not respond, Safari changed the name to www.www.com, which was resolved externally by the 3G DNS servers.

Scenario 3:   default domain defined, all traffic tunneled, no split-dns defined

  • Browse to: www.cnn.com - the DNS request was sent to the internal DNS server. When that server did not respond, requests for www.cnn.com.abc.com were seen by the internal DNS server defined in the group-policy.
  • Browse to: fakeserver3 - a DNS request for fakeserver3.abc.com was sent to the internal DNS server defined in the group-policy.
  • Browse to: haha3.abc.com - a DNS request for haha3.abc.com was sent to the internal DNS server defined in the group-policy. Then a request for haha3.abc.com.abc.com was sent to the internal DNS server.
  • Browse to: www - a DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy.

Scenario 4:   default domain defined, all traffic tunneled, split-dns defined

  • Browse to: www.cnn.com - the DNS request was sent to the internal DNS server. When that server did not respond, requests for www.cnn.com.abc.com were seen by the internal DNS server defined in the group-policy.
  • Browse to: fakeserver4 - a DNS request for fakeserver4.abc.com was sent to the internal DNS server defined in the group-policy.
  • Browse to: haha4.abc.com - a DNS request for haha4.abc.com was sent to the internal DNS server defined in the group-policy. Then a request for haha3.abc.com.abc.com was sent to the internal DNS server.
  • Browse to: www - a DNS request for www.abc.com was sent to the internal DNS server defined in the group-policy.

Conclusions:

1) You can't use split-dns with full tunneling to make DNS requests go to the 3G DNS server.

2) With split tunneling defined, only DNS requests for the default-domain or for a split-dns value are sent to the DNS server defined in the group-policy.

3) You will only see 'double DNS suffix issues' (i.e. www.abc.com.abc.com) if the resolution for www.abc.com has failed (the server returns NXDOMAIN, does not respond, etc.). AnyConnect then appends the default-domain suffix defined in the group-policy onto the DNS request, so you could see a request such as www.cnn.com.abc.com if you tried to resolve www.cnn.com, the lookup failed, and your default-domain was set to abc.com.
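The three conclusions above describe a small decision procedure: which resolver a query reaches, and what name is retried after a failure. The following added example (not code from the original post or from Cisco) models that procedure so the four scenarios can be replayed offline and so a defender can list which names would reach the carrier's resolver. The `TunnelConfig` class, the `INTERNAL`/`EXTERNAL` labels and the `corp.example` split-dns value are assumptions for illustration; Safari's own `www.<name>.com` guess for single-label names is browser behaviour and is deliberately left out of the model.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Labels for the two resolvers seen in the testing (constructed names, not AnyConnect terms).
INTERNAL = "internal"   # DNS server from the group-policy, reached through the tunnel
EXTERNAL = "external"   # the 3G carrier's DNS server


@dataclass
class TunnelConfig:
    """Hypothetical model of the group-policy settings the post varies between scenarios."""
    default_domain: str                 # default-domain value, e.g. abc.com
    full_tunnel: bool                   # True: all traffic tunneled; False: split tunneling
    split_dns: List[str] = field(default_factory=list)   # split-dns values, if any


def _in_domain(name: str, domain: str) -> bool:
    """True when name equals domain or sits beneath it."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def resolver_for(cfg: TunnelConfig, qname: str) -> str:
    """Which DNS server the client sends qname to, per conclusions 1 and 2."""
    if cfg.full_tunnel:
        # Conclusion 1: with full tunneling every query goes through the tunnel,
        # and split-dns cannot redirect any of it to the 3G server.
        return INTERNAL
    # Conclusion 2: with split tunneling, only default-domain / split-dns names go internal.
    for domain in [cfg.default_domain] + cfg.split_dns:
        if _in_domain(qname, domain):
            return INTERNAL
    return EXTERNAL


def query_sequence(cfg: TunnelConfig, typed: str, first_fails: bool) -> List[Tuple[str, str]]:
    """The (qname, resolver) pairs produced for a name typed into the browser.

    A single-label name gets the default-domain appended before the first query;
    after a failed first query the default-domain is appended again (conclusion 3),
    which is where the 'double suffix' names such as haha.abc.com.abc.com come from.
    """
    qname = typed if "." in typed else f"{typed}.{cfg.default_domain}"
    sequence = [(qname, resolver_for(cfg, qname))]
    if first_fails:
        retry = f"{qname}.{cfg.default_domain}"
        sequence.append((retry, resolver_for(cfg, retry)))
    return sequence


def external_queries(cfg: TunnelConfig, typed_names: List[str]) -> List[str]:
    """Names that would leave the tunnel for the carrier resolver (the defender's question:
    which internal-looking hostnames leak when they are not covered by split-dns)."""
    leaked = []
    for typed in typed_names:
        for qname, resolver in query_sequence(cfg, typed, first_fails=False):
            if resolver == EXTERNAL:
                leaked.append(qname)
    return leaked


if __name__ == "__main__":
    # Replay scenario 1 (split tunneling, no split-dns) and scenario 3 (full tunnel).
    split = TunnelConfig(default_domain="abc.com", full_tunnel=False)
    full = TunnelConfig(default_domain="abc.com", full_tunnel=True)
    for cfg, label in ((split, "scenario 1"), (full, "scenario 3")):
        for name in ("www.cnn.com", "fakeserver1", "haha.abc.com"):
            print(label, name, "->", query_sequence(cfg, name, first_fails=True))
    # Constructed split-dns value: only corp.example is added to the internal list.
    split_dns = TunnelConfig(default_domain="abc.com", full_tunnel=False, split_dns=["corp.example"])
    print("leaks to carrier DNS:", external_queries(split_dns, ["wiki", "intranet.corp.example", "git.other.example"]))
```

Running the script replays the observations: under split tunneling `www.cnn.com` never reaches the internal server, while under full tunneling it does and, after a failure, so does `www.cnn.com.abc.com`. The last line is the practical check for a split-tunnel deployment: any hostname whose domain is neither the default-domain nor a split-dns value is resolved by the carrier, so internal names under other domains are visible outside the tunnel.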
