Domain Management

Cisco Secure Access provides the option to manage domains when endpoints connect to internet resources with the Cisco Secure Client or a PAC file. Domain management allows DNS queries for certain domains to query the local network's DNS servers instead of the Secure Access DNS servers.

If you do not specify a list of internal domains, all DNS queries are sent directly to Secure Access, and as a result, cannot reach your network's local resources (for example: computers, servers, printers) on internally-hosted domains that rely on local DNS servers.

When you add internal domains to your bypass list, queries for those domains sent from an endpoint with a Secure Access PAC file or the Cisco Secure Client bypass the Secure Access DNS resolvers. However, this configuration is not passed down to network tunnels, so there is no per-organization way to bypass the proxy for tunnel traffic with a custom configuration.

To ensure uninterrupted access to these resources, administrators should add the appropriate domains to the organization's domain bypass list. The domain bypass list syncs to all Cisco Secure Clients in your organization.

Internal Domains List

Populate the internal domains list with domains used by your organization to access local resources while on the organization's network (at the physical location or connected through VPN). The internal domains list is pre-populated with the .local TLD and all RFC-1918 (private network) reverse DNS address space. Secure Access syncs newly added domains to Cisco Secure Clients within about one hour. For more information, see Manage Domains.

DNS Suffixes

The domains contained in the DNS suffixes configuration of a computer's adapter and global network settings are imported automatically into the Cisco Secure Client's internal domains list each time the Cisco Secure Client starts or a new network adapter (such as a VPN or wireless connection) is initiated. This sync process helps Cisco Secure Clients adapt to newly seen networks where users may need to access local resources, without adding the domain in Secure Access.

Operational Flow

The Cisco Secure Client can handle internal and external DNS queries gracefully.

Configure Internal Domains

The Cisco Secure Client's internal domains list is populated by two sources:

  • Syncs from the Secure Access internal domains list.
  • The DNS Suffixes list located in the local computer's networking configuration settings.

Cisco Secure Client and External Queries

External DNS queries that do not match a domain located on either of the internal domains lists are sent straight to Secure Access.

Cisco Secure Client and Internal Queries

DNS queries for domains contained in the domain bypass list (internal domains list) are sent through the local network's DNS servers.

  • Internal domains that are hosted on the local network are resolved by the internal DNS server directly.
  • Internal domains that are not hosted on the local network are resolved by Secure Access or whichever public DNS servers are used for resolution.

Advanced Topics

The following section covers in more depth the logic behind internal domains and the expected behavior.

Unencrypted

Although the Cisco Secure Client sends encrypted DNS queries to Secure Access when in the encrypted state, queries for domains on the bypass domains list are sent unencrypted, because they are not sent to Secure Access.

DNS Suffixes (Continued)

There are implications that should be considered with DNS Suffixes.

  • This could allow an organization to add no domains at all to the internal domains list in Secure Access. If DHCP is configured to hand out your domains as DNS suffixes, the Cisco Secure Client automatically treats those domains as local, even without adding them to the internal domains list in Secure Access.
  • If you rely on DNS suffixes for internal domain resolution instead of populating the internal domains list in Secure Access, the endpoint's traffic has increased security. DNS queries for domains on the internal domains list are sent unencrypted, so a machine whose list contains those domains from the Secure Access sync always sends those queries unencrypted, on every network; a domain imported from a DNS suffix is treated as internal only on networks that provide that suffix.

Note: During the deployment of the Cisco Secure Client on user devices, you can disable the feature that adds the domains contained in the DNS suffixes list.
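The routing decision described under Operational Flow (internal list = Secure Access sync + adapter DNS suffixes, pre-populated with .local and the RFC 1918 reverse zones; matches go to the local resolver unencrypted, everything else goes encrypted to Secure Access) and the two-network implication described under DNS Suffixes (Continued) can be modelled together. The following is an added example written for this page, not Cisco Secure Client code; the domain names, the two network profiles and the queries are constructed, and the function names are my own.

```python
"""Model of the Secure Client DNS-routing decision described on this page.

Added example (constructed), not Cisco code. Names, networks and queries are made up.
"""
import ipaddress


def rfc1918_reverse_zones():
    """Reverse-DNS zones covering 10/8, 172.16/12 and 192.168/16 (the page's defaults)."""
    zones = ["10.in-addr.arpa"]
    zones += [f"{second}.172.in-addr.arpa" for second in range(16, 32)]
    zones.append("168.192.in-addr.arpa")
    return zones


# The page says the internal domains list is pre-populated with .local and RFC 1918 reverse space.
DEFAULT_INTERNAL_DOMAINS = ["local"] + rfc1918_reverse_zones()


def normalize(name):
    return name.rstrip(".").lower()


def matches(qname, domain):
    """A query matches a bypass entry if it is that domain or a subdomain of it."""
    q, d = normalize(qname), normalize(domain)
    return q == d or q.endswith("." + d)


def build_internal_list(synced_domains, dns_suffixes, import_suffixes=True):
    """Merge the two sources the page names: the Secure Access sync and the
    adapter DNS suffixes (suffix import can be disabled at deployment time)."""
    domains = list(DEFAULT_INTERNAL_DOMAINS) + list(synced_domains)
    if import_suffixes:
        domains += list(dns_suffixes)
    seen, merged = set(), []
    for d in domains:  # de-duplicate while keeping order
        n = normalize(d)
        if n not in seen:
            seen.add(n)
            merged.append(n)
    return merged


def route_query(qname, internal_domains):
    """Bypass-list match -> local resolver, unencrypted; otherwise Secure Access, encrypted."""
    if any(matches(qname, d) for d in internal_domains):
        return ("local", "unencrypted")
    return ("secure_access", "encrypted")


def reverse_name(ip):
    """PTR name for an address, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def simulate(synced_domains, networks, queries, import_suffixes=True):
    """networks maps a network name to the DNS suffixes its DHCP hands out (constructed)."""
    results = {}
    for net, suffixes in networks.items():
        internal = build_internal_list(synced_domains, suffixes, import_suffixes)
        results[net] = {q: route_query(q, internal) for q in queries}
    return results


# Constructed scenario: the office DHCP hands out corp.example as a suffix; a cafe hands out nothing.
NETWORKS = {"office": ["corp.example"], "cafe": []}
QUERIES = ["fileserver.corp.example", "printer.local", "www.example.org", reverse_name("10.1.2.3")]


def compare_approaches():
    """Approach A: corp.example on the Secure Access list. Approach B: suffix only."""
    via_list = simulate(["corp.example"], NETWORKS, QUERIES)
    via_suffix = simulate([], NETWORKS, QUERIES)
    return via_list, via_suffix


if __name__ == "__main__":
    for label, run in zip(("Secure Access list", "DNS suffix only"), compare_approaches()):
        print(f"== {label} ==")
        for net, decisions in run.items():
            for q, (where, how) in decisions.items():
                print(f"{net:7} {q:28} -> {where:14} {how}")
```

Running it shows the asymmetry the page describes: with corp.example on the Secure Access list, the endpoint sends those queries unencrypted to whatever local resolver it finds on both networks; with the suffix-only approach, the same queries are local only in the office and go encrypted to Secure Access from the cafe. Passing `import_suffixes=False` models a deployment that disabled suffix import, in which case the suffix-only approach never treats corp.example as internal.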
