Recently I setup a PoC for remote users with Anyconnect client and OpenDNS. The idea is to control DNS queries on split tunnel RA VPN connection based on organization's acceptable use policies and to protect from malicious threats on the Internet.
- We have internal DNS servers and the VPN connection is set up to split-tunnel. I always seem to get good internal DNS from the VPN connection, but I know for a fact that a few others do not. I'm trying to pinpoint where the issue could be and as an example, I'm seeing the following in the ASA logs, where 10.1.1.10 is our internal DNS server.
- The 'Home' network interface has DNS Servers = 192.168.1.1 and does not know about the private VPN DNS. The WSL/ubuntu etc/resolv.conf has this DNS server first in the list. This server responds with an unknown host satisfying the request, but not permitting the alternate servers to take a crack at resolving.
- If additionally the IPv4 DNS server address is tunneled (in my case the 8.8.8.8), Windows initiates DNS requests from the AnyConnect interface and sends the requests to the DNS server that is configured in the Cisco ASA group policy. In this case, Windows also requests the type AAAA records, since the initiating interface is capable of IPv6.
I went with OpenDNS Virtual Appliance deployment option to have visibility into client IP addresses. OpenDNS Appliance serves as DNS server and forwards internal requests to internal resolvers and external to dedicated OpenDNS servers on the Internet. Logic is depicted below.
Not to worry, we can get you to the right place! To resolve a DNS issue that could effect your ability to use a VPN you can place a request using our AT&T U-Verse DNS Request Form. These request are usually completed within 72 business hours. James C., AT&T Community Specialist. Hello, when you created a new VPN connection with Windows 7, 8 and 8.1 and connected it you was abel to resolve DNS names of the remote network. With Windows 10 this does not work anymore.
OpenDNS Appliance footprint is very small and one-page setup makes it really easy.
Policy configuration is straight forward and accessed from OpenDNS portal under Configuration > Policies.
You can reuse default policy by tweaking Category settings and leaving Security Settings as-is.
Note: Add your local domains to System Settings > Internal Domains otherwise they will not get resolved.
Windows equivalent to procreate. Next step is to update Anyconnect Connection profile with OpenDNS Appliance IP addresses under Configuration > Network (Client) Access > Anyconnect Connection Profiles > Edit Profile.
Anyconnect Dns
However, my first test results were unsuccessful. I was able to browse to internal and external sites so DNS resolution was working, however sites from blocked categories were also allowed and not recorded on Categories reporting page.
Note: It may take 15 to 20 minutes for results to show up in the OpenDNS portal after inital setup.
I came across Interoperation between AnyConnect and the OpenDNS article which was great. It goes into a lot of details about DNS handling by Anyconnect but it did not help because it was geared toward roaming agent and specifically tells you that Split-tunnel-all-dns must be disabled in all of the scenarios.
To fix my issues I actually needed the opposite and this is why. The Send All DNS Lookups Through Tunnel field instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. Setting this option ensures that DNS traffic is not leaked to the physical adapter and disallows traffic in the clear.
Note: If DNS resolution fails, the address remains unresolved so it is very important to setup at least 2 OpenDNS appliances for redundancy.
Recently I setup a PoC for remote users with Anyconnect client and OpenDNS. The idea is to control DNS queries on split tunnel RA VPN connection based on organization's acceptable use policies and to protect from malicious threats on the Internet.
- We have internal DNS servers and the VPN connection is set up to split-tunnel. I always seem to get good internal DNS from the VPN connection, but I know for a fact that a few others do not. I'm trying to pinpoint where the issue could be and as an example, I'm seeing the following in the ASA logs, where 10.1.1.10 is our internal DNS server.
- The 'Home' network interface has DNS Servers = 192.168.1.1 and does not know about the private VPN DNS. The WSL/ubuntu etc/resolv.conf has this DNS server first in the list. This server responds with an unknown host satisfying the request, but not permitting the alternate servers to take a crack at resolving.
- If additionally the IPv4 DNS server address is tunneled (in my case the 8.8.8.8), Windows initiates DNS requests from the AnyConnect interface and sends the requests to the DNS server that is configured in the Cisco ASA group policy. In this case, Windows also requests the type AAAA records, since the initiating interface is capable of IPv6.
I went with OpenDNS Virtual Appliance deployment option to have visibility into client IP addresses. OpenDNS Appliance serves as DNS server and forwards internal requests to internal resolvers and external to dedicated OpenDNS servers on the Internet. Logic is depicted below.
Not to worry, we can get you to the right place! To resolve a DNS issue that could effect your ability to use a VPN you can place a request using our AT&T U-Verse DNS Request Form. These request are usually completed within 72 business hours. James C., AT&T Community Specialist. Hello, when you created a new VPN connection with Windows 7, 8 and 8.1 and connected it you was abel to resolve DNS names of the remote network. With Windows 10 this does not work anymore.
OpenDNS Appliance footprint is very small and one-page setup makes it really easy.
Policy configuration is straight forward and accessed from OpenDNS portal under Configuration > Policies.
You can reuse default policy by tweaking Category settings and leaving Security Settings as-is.
Note: Add your local domains to System Settings > Internal Domains otherwise they will not get resolved.
Windows equivalent to procreate. Next step is to update Anyconnect Connection profile with OpenDNS Appliance IP addresses under Configuration > Network (Client) Access > Anyconnect Connection Profiles > Edit Profile.
Anyconnect Dns
However, my first test results were unsuccessful. I was able to browse to internal and external sites so DNS resolution was working, however sites from blocked categories were also allowed and not recorded on Categories reporting page.
Note: It may take 15 to 20 minutes for results to show up in the OpenDNS portal after inital setup.
I came across Interoperation between AnyConnect and the OpenDNS article which was great. It goes into a lot of details about DNS handling by Anyconnect but it did not help because it was geared toward roaming agent and specifically tells you that Split-tunnel-all-dns must be disabled in all of the scenarios.
To fix my issues I actually needed the opposite and this is why. The Send All DNS Lookups Through Tunnel field instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. Setting this option ensures that DNS traffic is not leaked to the physical adapter and disallows traffic in the clear.
Note: If DNS resolution fails, the address remains unresolved so it is very important to setup at least 2 OpenDNS appliances for redundancy.
The configuration below depicts necessary changes to force all DNS queries to go to OpenDNS Appliance. It is configured under Group Policy > Edit Policy > Advanced > Split Tunneling
Cisco Vpn Dns Issues
Once changes were applied I got a block page for restricted category and request was recorded on the portal.
One more thing to note. If Anyconnect profile is configured for Full tunnel configuration then all traffic from the endpoint will be sent across the VPN tunnel and the above change is not required.
