Bug ID 1084917: Excluded domain public route to excluded DNS-resolved IP addresses is not added

Last Modified: Dec 20, 2022

Bug Tracker

Affected Product:  See more info
APM-Clients APM(all modules)

Opened: Mar 03, 2022
Severity: 3-Major

Symptoms

Public routes to excluded domain scope resolved IP addresses (by DNS relay proxy) do not get added on transition from machine tunnel to EdgeClient or from Edge Client to machine tunnel.

Impact

Depending on the configuration, the traffic to the excluded DNS may end up inside the tunnel, and if it is not reachable via the tunnel, then there is no connectivity to these destinations. For example, this might occur in a split tunnel configuration that has an include scope as 0.0.0.0/0 and some exclude address space like 8.8.8.8/32 and has excluded DNS as site-not-reachable-via-tunnel.com, *.site-not-reachable-via-tunnel.com. If exclude routes are not added for IP addresses resolved for site-not-reachable-via-tunnel.com, traffic to site-not-reachable-via-tunnel.com will go inside the tunnel due to the routing table.

Conditions

-- Split tunnel configuration. -- Excluded Domain scope. -- DNS relay proxy is running on the client. -- User connects to the machine tunnel, accesses excluded domain scope host-names (so that exclude routes to the resolved IP addresses get added the first time) -- User transitions to Edge Client and then connects to the VPN and accesses those same host-names.

Workaround

None

Fix Information

None

Behavior Change