JKay

Everything posted by JKay

  1. I've opened up a Cisco TAC to see if they can pin down what part of the VPN configuration or issue with the AnyConnect client is causing "co.uk" to be injected into the DNS Suffix Search List, as this is the root cause, for us at least. I'll drop back once they have some information for us.
  2. You seem to be right about the split tunnel; I jumped the gun on that with it being the cause of our troubles before. Taking some time to look at it again this morning, I can see that when we connect to our VPN, "co.uk" is added to the DNS suffix search list, which is what is causing strange resolution. I'm still looking into what mechanism is inserting "co.uk" in there in the first place.
  3. The ESET alerts are just a side effect since they blocked the domain. It would seem that ours and, by the looks of it, a handful of other companies using split tunneling on their client VPNs have had their machines attempting to resolve wpad.co.uk as a side effect. We're only now just realising it due to the alert from ESET. I'd check with your networking team to find out what part of split tunnelling is causing it to re-resolve hostnames it can't contact by appending .co.uk to them. The image shows that this affects any hostname it cannot first resolve on its own, as pinging google ends up resolving an address for google.co.uk.
  4. We've seen a similar issue and found that the root cause was our Cisco AnyConnect clients and how split brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN, there is a delay while it tries to contact devices over the VPN, then when it fails it resolves as "wpad.co.uk". Image shows a machine on the VPN vs off. I can only assume something similar is happening with the DNS on your clients.
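
An added example, not part of JKay's posts and not Cisco or ESET tooling: a check for the condition described above, where a public suffix such as "co.uk" sits in the DNS suffix search list and turns a lookup for "wpad" into "wpad.co.uk". The `ipconfig /all` text, the `corp.example.co.uk` domain and the short public-suffix set are constructed assumptions; a real check would load the full Public Suffix List.

```python
import re

# Small constructed subset; a real check would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "com.au"}

# Constructed sample of `ipconfig /all` output from a client on the VPN.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01
   Primary Dns Suffix  . . . . . . . : corp.example.co.uk
   DNS Suffix Search List. . . . . . : corp.example.co.uk
                                       co.uk

Ethernet adapter VPN:

   Connection-specific DNS Suffix  . : corp.example.co.uk
"""

def parse_search_list(ipconfig_text):
    """Return the suffixes listed under 'DNS Suffix Search List'."""
    suffixes, collecting = [], False
    for line in ipconfig_text.splitlines():
        m = re.match(r"\s*DNS Suffix Search List[ .]*:\s*(\S*)", line)
        if m:
            collecting = True
            if m.group(1):
                suffixes.append(m.group(1).lower().rstrip("."))
        elif collecting and line.strip() and ":" not in line:
            suffixes.append(line.strip().lower().rstrip("."))  # continuation line
        else:
            collecting = False
    return suffixes

def risky_suffixes(suffixes):
    """Suffixes that are public registries rather than names the organisation owns."""
    return [s for s in suffixes if s in PUBLIC_SUFFIXES]

def candidate_queries(name, suffixes):
    """Simplified model: FQDNs tried, in order, for an unqualified single-label name."""
    return [f"{name}.{s}" for s in suffixes]

if __name__ == "__main__":
    found = parse_search_list(SAMPLE_IPCONFIG)
    print("search list:", found)
    print("public suffixes present:", risky_suffixes(found))
    print("lookups for 'wpad':", candidate_queries("wpad", found))
```

Any suffix reported by `risky_suffixes` means unqualified internal names that fail to resolve over the VPN can be sent to the public DNS under a domain the organisation does not control.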