The Cisco AnyConnect Roaming Security module is designed to work with almost all AnyConnect VPN modes with no extra configuration required.
However, additional consideration when these conditions are BOTH true:
- Split Tunnelling is enabled
- AND 'Tunnel All DNS' feature is enabled.
Problem and Impact
With 'Tunnel All DNS' enabled, DNS traffic is intercepted at the kernel level and blocked if it is not going out of the correct VPN interface. This introduces a problem for the Roaming Module if Cisco Umbrella resolvers are not part of the Split Tunnel (Include) configuration.
The impact of this problem is minimal, because by default the Roaming Module uses encrypted DNS (UDP port 443) which is not blocked by 'Tunnel All DNS'. Therefore the problem only occurs on networks where DNS encryption is not available.
The scenario is as follows:
- The Roaming Module attempts to route traffic to Umbrella via the normal LAN interface.
- The Local Network does not allow DNS encryption, and therefore sends standard unencrypted DNS queries.
- This traffic is blocked by the 'Tunnel All DNS' feature which requires DNS to go down the VPN.
In this scenario DNS does not function as expected.
To ensure this condition is not possible we would recommend the following action:
- Disable 'Tunnel All DNS' in the VPN group policy. The Roaming Module will handle the routing of DNS.