• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3582
  • Last Modified:

Cisco AnyConnect client and DNS Suffixes

I'm having a problem with DNS suffixes. We have a Windows 2008 R2 server running DNS services. We have several internally hosted zones (ie. mycompany.local, mycompany.com, mycomp.com). Two of the zones (mycompany.com and mycomp.com) are also hosted externally (so our DNS is split between internal and external). It's a pain maintaining both, but that's what we have. The mycompany.local zone is our internal Active Directory domain.

While in the office, everything is fine. We have a group policy that appends all of our DNS suffixes so that we can resolve by shortname regardless of what zone the record lives in.

However, when we connect via VPN to our Cisco ASA device (using the Cisco Anyconnect client version 2.5.x), we have problems (SSL not ipsec and we do have split tunnel enabled). The ASA device hands out the correct internal DNS servers and also the default domain of mycompany.com (many of our resources are in mycompany.com internally which is why mycompany.local is not passed out instead).

However, on my domain joined workstation, when I connect to public wifi and then to VPN, I can only ping things (via shortname or unqualified name)  in the mycompany.local domain. All addresses will work if we use the FQDN. Is this because my primary dns suffix is mycompany.local? Does primary dns suffix trump whatever is being passed in by the anyconnect client and ASA? I have noticed this:

The AD GPO uses the following registry key for DNS Search order:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList

The AnyConnect client uses this key:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SearchList

The GPO we use does have mycompany.local listed first? I guess the million dollar question is why can I only resolve names to mycompany.local? I would have thought that if the anyconnect client was modifying the registry for it's own use, then it would use this key? However, it appears to be using either the machines primary dns suffix or the AD GPO suffix list (regardless, it never seems to use more than 1 domain for lookups). Is there something I can do to allow things to work as they do in the office?

I realize this was very convoluted. I can clarify if necessary.

Thanks,
Tim
0
timmr72
Asked:
timmr72
  • 3
1 Solution
 
timmr72Author Commented:
One important detail I left out (sorry). When I ping a shortname that doesn't exist in mycompany.local but does exist in mycompany.com (internal DNS only, not on the external side), it resolves a public address I don't recognize. I'm guessing it doesn't bother trying to resolve to the next suffix as it got an answer for mycompany.local. Still, how it resolved a public address (that I don't know) for this internal only zone I don't understand.
0
 
timmr72Author Commented:
I'm going to try and simplify.

I would like to be able to VPN into my office and be able to connect to devices by shortname regardless of what DNS zone they are a member of. For example, I'd like to ping the following:

ping server1
resolve to server1.mycompany.local (works as expected today)

ping server2
resolve to server2.mycompany.com

ping server3
resolve to server3.mycomp.com

Right now, we have split tunneling enabled on the ASA device and "DNS Names" is set to inherit. All server names resolve to the correct IP address if using FQDN, but only servers in mycompany.local will resolve correctly when using a shortname.
0
 
timmr72Author Commented:
We're going to go with a "work around".
0
 
dougholdCommented:
I am having this exact same issue. What did you do to resolve this?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now