

nslookup doesn't return external domain over vpn connection with split DNS

Question

Thursday, April 25, 2013 7:37 AM

Hi all,
I am seeing very strange behavior from an internal DNS server (Windows 2012) with split DNS when a user is connected over VPN (Cisco AnyConnect).
When I run nslookup on the server itself, the DNS server is properly recognized and answers correctly both for the internal domain (domain.local) and for the external domain (domain.com), which is configured on the server as another lookup zone (split DNS). But when I do the same on a client connected over VPN, nslookup properly recognizes the Windows 2012 DNS server and answers queries for the internal domain correctly, but returns Non-existent domain for the external domain.
What could be the reason for such behavior?
Thanks in advance for any tips.

Best regards Lukasz Chomin CompuTec SA

All replies (3)

Friday, April 26, 2013 7:23 AM

Hi Lukasz,

Thanks for the post.

Based on my understanding, the issue may be related to the DNS client settings of the VPN clients. Would you please provide us with the unedited output of ipconfig /all from one VPN client and one internal client for further research.

In addition, you can try to troubleshoot the issue by running nslookup with the debug switch.

Thanks.

Jeremy Wu
TechNet Community Support


Friday, April 26, 2013 6:35 PM

Hi Jeremy,
ipconfig /all from VPN client:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PLSW04
   Primary Dns Suffix  . . . . . . . : as.corp
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : as.corp
                                       as.corp
                                       as.corp

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : as.corp
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6468:e93b:e4d:62a5%19(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8359:30a8:963f:45dd%19(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.225(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 671090074
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-46-C7-C1-3C-97-0E-32-FC-03

   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Mobile Broadband adapter Mobile broadband:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : H5321 gw Mobile Broadband Network Adapter

   Physical Address. . . . . . . . . : 94-81-8A-59-59-5D
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6921:4d1d:eb11:6c99%27(Preferred)
   IPv4 Address. . . . . . . . . . . : 46.76.60.239(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.224
   Default Gateway . . . . . . . . . : 46.76.60.226
   DHCPv6 IAID . . . . . . . . . . . : 311722378
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-46-C7-C1-3C-97-0E-32-FC-03

   DNS Servers . . . . . . . . . . . : 212.2.96.53
                                       212.2.96.54
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:2e4c:3cef::2e4c:3cef(Preferred)
   Default Gateway . . . . . . . . . : 2002:c058:6301::c058:6301
   DNS Servers . . . . . . . . . . . : 212.2.96.53
                                       212.2.96.54
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.as.corp:

   Connection-specific DNS Suffix  . : as.corp
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:192.168.0.225%35(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{7A8F3959-3C2E-4A59-B1D8-FCF8BDDECC25}:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #9
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::200:5efe:46.76.60.239%40(Preferred)

   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 212.2.96.53
                                       212.2.96.54
   NetBIOS over Tcpip. . . . . . . . : Disabled

ipconfig /all from internal client:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PLSW04
   Primary Dns Suffix  . . . . . . . : as.corp
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : as.corp

Ethernet adapter vEthernet (WiFi External):

   Connection-specific DNS Suffix  . : as.corp
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
   Physical Address. . . . . . . . . : 60-67-20-87-19-2E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : fd00:0:7:1:8483:b16f:b5bf:a81e(Preferred)

   Temporary IPv6 Address. . . . . . : fd00:0:7:1:a487:f6f9:d31a:c336(Preferred)

   Link-local IPv6 Address . . . . . : fe80::8483:b16f:b5bf:a81e%33(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.153(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 26 kwietnia 2013 20:13:17
   Lease Expires . . . . . . . . . . : 27 kwietnia 2013 02:13:35
   Default Gateway . . . . . . . . . : fe80::462b:3ff:fe41:ff20%33
                                       10.0.0.254
   DHCP Server . . . . . . . . . . . : 10.0.0.2
   DHCPv6 IAID . . . . . . . . . . . : 929064736
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-46-C7-C1-3C-97-0E-32-FC-03

   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

Wireless LAN adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
   Physical Address. . . . . . . . . : 62-67-20-87-19-2E
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 60-67-20-87-19-2F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.as.corp:

   Connection-specific DNS Suffix  . : as.corp
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.153%35(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.2
   NetBIOS over Tcpip. . . . . . . . : Disabled

This is output from nslookup -debug on the VPN client:

> mail.domena.pl
Server:  dc01.as.corp
Address:  10.0.0.2

Got answer:
    HEADER:
        opcode = QUERY, id = 10, rcode = NXDOMAIN
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.domena.pl, type = A, class = IN

Got answer:
    HEADER:
        opcode = QUERY, id = 11, rcode = NXDOMAIN
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.domena.pl, type = AAAA, class = IN

The same DNS server responds properly if the client is connected internally:

> mail.domena.pl
Server:  dc01.as.corp
Address:  10.0.0.2

Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.domena.pl, type = A, class = IN
    ANSWERS:
    ->  mail.domena.pl
        internet address = 10.0.0.21
        ttl = 3600 (1 hour)

Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.domena.pl, type = AAAA, class = IN
    ANSWERS:
    ->  mail.domena.pl
        AAAA IPv6 address = fd00:0:7:1:2::15
        ttl = 3600 (1 hour)

I suppose this is something related to the DNS server configuration. I'm asking the same server and getting different responses. The only difference is where I'm connecting from.

Any further help is highly appreciated.

Thanks in advance.

Best regards Lukasz Chomin CompuTec SA


Wednesday, January 6, 2016 11:54 PM

That is normal behavior on AnyConnect clients when split tunneling is used.  Recursive lookups via nslookup, dig, and other utilities do not work normally under split tunnel - see the 2nd note at Cisco's Behavioral Differences Regarding DNS Queries (http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116016-technote-AnyConnect-00.html).  You can still make recursive lookups work for those tools by sending all DNS queries through the tunnel with the split-tunnel-all-dns enable command in your group-policy attributes.

If using ASDM, use the instructions below. Different versions may have slight changes in wording or location.

  • Configuration on top
  • Remote Access VPN section on left
  • Expand Network (Client) Access on the left
  • Group Policies
  • Edit your appropriate group policy
  • Expand the Advanced section on the left side of your group policy
  • Split Tunneling
  • Choose Yes on Send All DNS Lookups Through Tunnel

Best Regards,

Victor Tecson
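As an added example (not part of this thread), here is a small Python parser for the two nslookup -debug transcripts posted above. It picks out the detail that distinguishes them: the reply the VPN client received is NXDOMAIN without the "auth. answer" and "recursion avail." flags that the same server set when queried from inside, which is consistent with the split-tunnel DNS handling the last reply describes. The assumption that dc01 is both authoritative for the zone and recursion-enabled is mine, not stated in the thread.

```python
import re

# Constructed samples, abbreviated from the nslookup -debug output in the thread.
VPN_OUTPUT = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 10, rcode = NXDOMAIN
        header flags:  response, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.domena.pl, type = A, class = IN
"""

INTERNAL_OUTPUT = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        mail.domena.pl, type = A, class = IN
    ANSWERS:
    ->  mail.domena.pl
        internet address = 10.0.0.21
"""

def parse_answers(text):
    """Turn each 'Got answer:' block into a dict of rcode, flag set, name and qtype."""
    answers = []
    for block in text.split("Got answer:")[1:]:
        rcode = re.search(r"rcode = (\w+)", block).group(1)
        flags = re.search(r"header flags:\s*(.*)", block).group(1)
        q = re.search(r"QUESTIONS:\s+(\S+), type = (\w+)", block)
        answers.append({"rcode": rcode, "flags": {f.strip() for f in flags.split(",")},
                        "name": q.group(1), "qtype": q.group(2)})
    return answers

def classify(answer):
    """Heuristic (assumption): dc01 is authoritative and recursive, so a reply it
    actually produced carries 'auth. answer' and 'recursion avail.'. An NXDOMAIN
    with neither flag did not come from the server the client thinks it asked."""
    if answer["rcode"] == "NXDOMAIN" and not (answer["flags"] & {"auth. answer", "recursion avail."}):
        return "not-from-server"
    return "authoritative" if "auth. answer" in answer["flags"] else "recursive"
```

Run the two transcripts through `classify(parse_answers(...)[0])` to see the VPN reply reported as "not-from-server" and the internal reply as "authoritative".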