Cisco Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

Contributed by Cisco TAC Engineers.
Jan 28, 2014

Introduction
Split Versus Standard DNS
True Versus Best Effort Split DNS
Tunnel All and Tunnel All DNS
DNS Performance Issue Resolved in AnyConnect Version 3.0(4235)
DNS with Split Tunneling on Different OSs
     Microsoft Windows
     Macintosh
     iPhone
Related Information

This document describes how different Operating Systems (OSs) handle Domain Name System (DNS)
queries and the affects on domain name resolution with Cisco AnyConnect and split or full tunneling.

When you use split−include tunneling, you have three options for DNS:

Split DNS −  The DNS queries that match the domain names that are configured on the Cisco
Adaptive Security Appliance (ASA) move through the tunnel (to the DNS servers that are defined on
the ASA, for example) and others do not.

1. 

Tunnel−all−DNS − Only DNS traffic to the DNS servers that are defined on the ASA is allowed.
This setting is configured in the group policy.

2. 

Standard DNS − All of the DNS queries move through the DNS servers that are defined by the ASA.
In the case of a negative response, the DNS queries might also go to the DNS servers that are
configured on the physical adapter.

3. 

Note: The split−tunnel−all−dns command was first implemented in ASA Version 8.2(5). Before this version,
you could only do split DNS or standard DNS.

In all cases, the DNS queries that are defined to move through the tunnel go to any DNS servers that are
defined on the ASA. If there are no DNS servers defined on the ASA, then the DNS settings are blank for the
tunnel. If you do not have split DNS defined, then all of the DNS queries are sent to the DNS servers that are
defined by the ASA. However, the behaviors that are described in this document can be different, dependent
upon the Operating System (OS).