Recently I setup a PoC for remote users with Anyconnect client and OpenDNS. The idea is to control DNS queries on split tunnel RA VPN connection based on organization’s acceptable use policies and to protect from malicious threats on the Internet.
- Anyconnect Dns Settings
- Cisco Anyconnect Dns Settings
- Anyconnect Vpn Split Tunnel Dns
- Anyconnect Dns Suffix
Conditions: - AnyConnect 4.9.00086 - VPN connection to tunnel group with dynamic split tunneling enabled View Bug Details in Bug Search Tool Why Is Login Required? The AnyConnect Umbrella module installs two agents on the localhost, AnyConnect Umbrella Roaming Security Agent, and AnyConnect SWG Agent. By default, the Roaming Security Agent is on, while the SWG Agent is disabled and must be activated in the Umbrella dashboard: Deployments Roaming Computers Settings (see below). This is because NSLookup does not rely on the operating system (OS) DNS resolver, and therefore, AnyConnect does not force the DNS request via a certain interface. So I am back at square one. I debated tunneling all DNS requests, but seems unfair for only 5 users having a problem.
I went with OpenDNS Virtual Appliance deployment option to have visibility into client IP addresses. OpenDNS Appliance serves as DNS server and forwards internal requests to internal resolvers and external to dedicated OpenDNS servers on the Internet. Logic is depicted below.
Anyconnect Dns Settings
OpenDNS Appliance footprint is very small and one-page setup makes it really easy.
Policy configuration is straight forward and accessed from OpenDNS portal under Configuration > Policies.
You can reuse default policy by tweaking Category settings and leaving Security Settings as-is.
Note: Add your local domains to System Settings > Internal Domains otherwise they will not get resolved.
Next step is to update Anyconnect Connection profile with OpenDNS Appliance IP addresses under Configuration > Network (Client) Access > Anyconnect Connection Profiles > Edit Profile.
However, my first test results were unsuccessful. I was able to browse to internal and external sites so DNS resolution was working, however sites from blocked categories were also allowed and not recorded on Categories reporting page.
Note: It may take 15 to 20 minutes for results to show up in the OpenDNS portal after inital setup.
I came across Interoperation between AnyConnect and the OpenDNS article which was great. It goes into a lot of details about DNS handling by Anyconnect but it did not help because it was geared toward roaming agent and specifically tells you that Split-tunnel-all-dns must be disabled in all of the scenarios.
Cisco Anyconnect Dns Settings
To fix my issues I actually needed the opposite and this is why. The Send All DNS Lookups Through Tunnel field instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. Setting this option ensures that DNS traffic is not leaked to the physical adapter and disallows traffic in the clear.
Note: If DNS resolution fails, the address remains unresolved so it is very important to setup at least 2 OpenDNS appliances for redundancy.
Anyconnect Vpn Split Tunnel Dns
Anyconnect Dns Suffix
The configuration below depicts necessary changes to force all DNS queries to go to OpenDNS Appliance. It is configured under Group Policy > Edit Policy > Advanced > Split Tunneling
Once changes were applied I got a block page for restricted category and request was recorded on the portal.
One more thing to note. If Anyconnect profile is configured for Full tunnel configuration then all traffic from the endpoint will be sent across the VPN tunnel and the above change is not required.