Technical Manual for Cisco AnyConnect Secure Mobility Client v2.x

DNS requests matching the split-dns domains are allowed to tunnel DNS servers, but are not
allowed to other DNS servers. To prevent such internal DNS queries from leaking out of the
tunnel, the AnyConnect driver responds with 'no such name' if the query is sent to other DNS
servers. So split-dns domains can only be resolved via the tunnel DNS servers.
DNS requests not matching the split-dns domains are allowed to other DNS servers, but not
allowed to tunnel DNS servers. Even in this case, the AnyConnect driver responds with 'no
such name' if a query for a non-split-dns domain is attempted via the tunnel. So non-split-dns
domains can only be resolved via public DNS servers outside the tunnel.
AnyConnect 4.2+
DNS requests matching the split-dns domains are allowed to any DNS servers, as long as
they originate from the VPN adapter. If the query originates from the public interface, the
AnyConnect driver responds with 'no such name' to force the resolver to always use the
tunnel for name resolution. So split-dns domains can only be resolved via the tunnel.
DNS requests not matching the split-dns domains are allowed to any DNS servers as long as
they originate from the physical adapter. If the query originates from the VPN adapter,
AnyConnect responds with 'no such name' to force the resolver to always attempt name
resolution via the public interface. So non-split-dns domains can only be resolved via the
public interface.
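The two Windows policies above (pre-4.2: filtered by destination DNS server; 4.2+: filtered by originating adapter) as a small decision model, added here as an illustration and not Cisco code. It assumes split-dns domain matching is suffix-based on label boundaries, and the Query fields and function names are this example's own.

```python
"""Model of AnyConnect split-DNS query filtering on Windows.

Added illustration, not Cisco code. Encodes the two rule sets described
in the text as one decision function so they can be exercised on sample
queries. Assumption: a name is 'inside' a split-dns domain when it equals
the domain or ends with '.' + domain (label boundary, case-insensitive).
"""

from dataclasses import dataclass

NXDOMAIN = "no such name"   # negative answer synthesized by the AnyConnect driver
ALLOW = "forwarded"         # query is let through to the server it was sent to


def matches_split_dns(qname: str, split_domains: list[str]) -> bool:
    """True if qname lies within one of the configured split-dns domains."""
    q = qname.rstrip(".").lower()
    for d in split_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False


@dataclass
class Query:
    qname: str
    to_tunnel_dns: bool      # destination is a tunnel (VPN-pushed) DNS server
    from_vpn_adapter: bool   # query leaves via the VPN adapter (used by 4.2+ rules)


def decide(query: Query, split_domains: list[str], anyconnect_42_plus: bool) -> str:
    """Return ALLOW or NXDOMAIN for a query under the selected AnyConnect rules."""
    internal = matches_split_dns(query.qname, split_domains)
    if anyconnect_42_plus:
        # 4.2+: any server may be used, but the originating adapter must
        # match the domain class (VPN adapter for split-dns names, physical
        # adapter for everything else).
        ok = internal == query.from_vpn_adapter
    else:
        # Pre-4.2: the destination server class must match the domain class
        # (tunnel DNS for split-dns names, other DNS servers for the rest).
        ok = internal == query.to_tunnel_dns
    return ALLOW if ok else NXDOMAIN
```

Running the same internal and public names through both rule sets shows why a leaked internal query is answered with 'no such name' rather than forwarded.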
Mac OS X
Tunnel-all configuration (and split-tunneling with tunnel-all DNS enabled)
When AnyConnect is connected, only Tunnel DNS servers are maintained in the system DNS
configuration, and therefore DNS requests can only be sent to the Tunnel DNS server(s).
Split-include configuration (tunnel-all DNS disabled and no split-DNS)
AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are
configured as preferred resolvers, taking precedence over public DNS servers, thus ensuring that
the initial DNS request for a name resolution is sent over the tunnel. Since DNS settings are global
on Mac OS X, it is not possible for DNS queries to use public DNS servers outside the tunnel as
documented in 
 . Starting with AnyConnect 4.2, host routes for the Tunnel DNS
server(s) are automatically added as split-include networks (secure routes) by the AnyConnect
client, and therefore the split-include access-list no longer requires explicit addition of the tunnel
DNS server subnet.
Split-exclude configuration (tunnel-all DNS disabled and no split-DNS)
AnyConnect does not interfere with the native DNS resolver. The tunnel DNS servers are
configured as preferred resolvers, taking precedence over public DNS servers, thus ensuring that
the initial DNS request for a name resolution is sent over the tunnel. Since DNS settings are global
on Mac OS X, it is not possible for DNS queries to use public DNS servers outside the tunnel as
documented in 
 . Starting with AnyConnect 4.2, host routes for the Tunnel DNS