Last Modified: May 22, 2023
Affected Product(s):
APM-Clients APM
Opened: Mar 03, 2022 Severity: 3-Major
Public routes to excluded domain scope resolved IP addresses (by DNS relay proxy) do not get added on transition from machine tunnel to EdgeClient or from Edge Client to machine tunnel.
Depending on the configuration, the traffic to the excluded DNS may end up inside the tunnel, and if it is not reachable via the tunnel, then there is no connectivity to these destinations. For example, this might occur in a split tunnel configuration that has an include scope as 0.0.0.0/0 and some exclude address space like 8.8.8.8/32 and has excluded DNS as site-not-reachable-via-tunnel.com, *.site-not-reachable-via-tunnel.com. If exclude routes are not added for IP addresses resolved for site-not-reachable-via-tunnel.com, traffic to site-not-reachable-via-tunnel.com will go inside the tunnel due to the routing table.
-- Split tunnel configuration. -- Excluded Domain scope. -- DNS relay proxy is running on the client. -- User connects to the machine tunnel, accesses excluded domain scope host-names (so that exclude routes to the resolved IP addresses get added the first time) -- User transitions to Edge Client and then connects to the VPN and accesses those same host-names.
None
None