Recently I setup a PoC for remote users with Anyconnect client and OpenDNS. The idea is to control DNS queries on split tunnel RA VPN connection based on organization’s acceptable use policies and to protect from malicious threats on the Internet.
I went with OpenDNS Virtual Appliance deployment option to have visibility into client IP addresses. OpenDNS Appliance serves as DNS server and forwards internal requests to internal resolvers and external to dedicated OpenDNS servers on the Internet. Logic is depicted below.
OpenDNS Appliance footprint is very small and one-page setup makes it really easy.
Policy configuration is straight forward and accessed from OpenDNS portal under Configuration > Policies.
You can reuse default policy by tweaking Category settings and leaving Security Settings as-is.
Note: Add your local domains to System Settings > Internal Domains otherwise they will not get resolved.
Next step is to update Anyconnect Connection profile with OpenDNS Appliance IP addresses under Configuration > Network (Client) Access > Anyconnect Connection Profiles > Edit Profile.
However, my first test results were unsuccessful. I was able to browse to internal and external sites so DNS resolution was working, however sites from blocked categories were also allowed and not recorded on Categories reporting page.
Note: It may take 15 to 20 minutes for results to show up in the OpenDNS portal after inital setup.
I came across Interoperation between AnyConnect and the OpenDNS article which was great. It goes into a lot of details about DNS handling by Anyconnect but it did not help because it was geared toward roaming agent and specifically tells you that Split-tunnel-all-dns must be disabled in all of the scenarios.
To fix my issues I actually needed the opposite and this is why. The Send All DNS Lookups Through Tunnel field instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. Setting this option ensures that DNS traffic is not leaked to the physical adapter and disallows traffic in the clear.
Note: If DNS resolution fails, the address remains unresolved so it is very important to setup at least 2 OpenDNS appliances for redundancy.
The configuration below depicts necessary changes to force all DNS queries to go to OpenDNS Appliance. It is configured under Group Policy > Edit Policy > Advanced > Split Tunneling
Once changes were applied I got a block page for restricted category and request was recorded on the portal.
One more thing to note. If Anyconnect profile is configured for Full tunnel configuration then all traffic from the endpoint will be sent across the VPN tunnel and the above change is not required.