IP&FQDN Split Tunnel Breaks Due to DNS Compression At the End of the Domain Name Response
This article explains why FQDN split tunneling breaks when the domain names in a DNS response are compressed at their end (the last labels are replaced by a pointer).
Problem or Goal
Split tunneling breaks when the DNS responses are compressed at the end of the domain names.
Cause
Definition of compression
In order to reduce the size of messages, the domain system utilizes a compression scheme which eliminates the repetition of domain names in the NAME, QNAME, and RDATA fields. In this scheme, an entire domain name or a list of labels at the end of a domain name is replaced with a pointer to a prior occurrence of the same name. The pointer takes the form of a two-octet sequence:
I) The first two bits are ones. This allows a pointer to be distinguished from a label, whose length octet is limited to 63 and therefore always has the top two bits clear.
II) The parser compares this octet with 0xC0 to decide whether it is a pointer (compressed data) or an ordinary label.
According to RFC 1035: In order to reduce the size of messages, the domain system utilizes a compression scheme which eliminates the repetition of domain names in a message. In this scheme, an entire domain name or a list of labels at the end of a domain name is replaced with a pointer to a prior occurrence of the same name.
Example: Open the packet capture and look for the resource that is breaking, and check whether its traffic is expected to go inside or outside the tunnel based on the Split Tunnel Policy.
In the DNS response shown in the packet capture below, 5 answer records are received:
1. download.microsoft.com: type CNAME, class IN, cname 2-01-4ca6-0004.cdx.cedexis.net
2. 2-01-4ca6-0004.cdx.cedexis.net: type CNAME, class IN, cname main.dl.ms.akadns.net
3. main.dl.ms.akadns.net: type CNAME, class IN, cname download.microsoft.com.edgekey.net
4. download.microsoft.com.edgekey.net: type CNAME, class IN, cname e3673.dscg.akamaiedge.net
5. e3673.dscg.akamaiedge.net: type A, class IN, addr 23.55.248.115
If you click on any one of the answer records, you will see the answer as hexadecimal output.
The response names ending with c0 (highlighted in red in the capture) indicate that the DNS responses are compressed at the end of each domain name: the final labels of the name have been replaced by a pointer to an earlier occurrence in the message, so a client that only handles whole-name pointers, or none at all, reads a truncated name and fails to match it against the FQDN split tunnel rule.
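As an added illustration (not code from this article or from the Pulse client), the following Python decodes DNS names the way RFC 1035 requires, following a 0xC0 pointer wherever it appears in a name, including one that replaces the final labels, which is the case that broke the split tunnel above. The DNS message is constructed inline from two of the names in the capture so the parser can be run offline; the message layout and TTLs are assumptions.

```python
import struct

def encode_name(name: str) -> bytes:            # uncompressed wire form, zero-terminated
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def pointer(offset: int) -> bytes:              # top two bits set + 14-bit message offset
    return struct.pack("!H", 0xC000 | offset)

def read_name(msg: bytes, offset: int):
    """Decode the name at msg[offset]; return (name, offset just past it in place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                    # the 0xC0 test from the article
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end   # name ends at its first pointer
            if target >= offset or hops > 16:        # must reference a *prior* occurrence
                raise ValueError("bad compression pointer")
            offset, hops = target, hops + 1
            continue
        if length == 0:                              # terminating zero octet
            return ".".join(labels), offset + 1 if end is None else end
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def answer_names(msg: bytes):
    """Return [(owner, cname)] per answer record; cname is None for non-CNAME types."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12                                         # fixed 12-byte header
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4             # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        out.append((owner, read_name(msg, off + 10)[0] if rtype == 5 else None))
        off += 10 + rdlen
    return out

# Constructed response (not the article's capture): answer 2's cname main.dl.ms.akadns.net
# ends in a pointer to the "net" label already present in answer 1's RDATA.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
QUESTION = encode_name("download.microsoft.com") + struct.pack("!HH", 1, 1)
RDATA1 = encode_name("2-01-4ca6-0004.cdx.cedexis.net")
RDATA1_OFF = len(HEADER) + len(QUESTION) + 2 + 10       # owner pointer + fixed RR fields
NET_OFF = RDATA1_OFF + len(RDATA1) - 5                   # b"\x03net\x00" is the last 5 bytes
RDATA2 = encode_name("main.dl.ms.akadns")[:-1] + pointer(NET_OFF)
MSG = (HEADER + QUESTION
       + pointer(12) + struct.pack("!HHIH", 5, 1, 300, len(RDATA1)) + RDATA1
       + pointer(RDATA1_OFF) + struct.pack("!HHIH", 5, 1, 300, len(RDATA2)) + RDATA2)
```

The last two bytes of MSG are the trailing pointer (first byte 0xc0), which is what shows up highlighted in the capture; a parser that stops at that octet would see only main.dl.ms.akadns and never match the policy.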
Solution
This issue is fixed in Pulse Desktop Client 9.1R8.2 and later.