Brian Dantes wrote:
A Cisco Anyconnect VPN split DNS configuration is a legitimate use case completely busted by this Snow Leopard bug. A typical setup looks something like this:
resolver #1
domain : vpn.domain
nameserver[0] : <vpn-resolver-ip>
nameserver[1] : <standard-isp-resolver-ip>
order : 1
The intent is that non-VPN hosts will be cascaded from the vpn-resolver back to the standard-isp-resolver, and VPN hosts will be resolved by the vpn-resolver. However, due to this bug, the former works still but the latter intermittently fails because it sometimes sends VPN hostname lookups to the standard-isp-resolver first.
The only workarounds are to keep bouncing the mDNSResponder or move away from a split-DNS policy.
I really hope Apple fixes this in 10.6.3 which I hear rumblings is imminent. This is a terrible bug.
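To make the intended split-DNS behaviour from the listing above concrete, here is an added example (not from the thread or from Cisco/Apple): it parses a constructed `scutil --dns`-style listing and reports which resolver, and which nameserver first, a given hostname should go to. The selection rule it implements is an assumption for illustration: the scoped resolver whose `domain` is the longest suffix of the hostname wins, ties go to the lower `order`, and a resolver with no `domain` is the default. The addresses are constructed placeholders standing in for `<vpn-resolver-ip>` and `<standard-isp-resolver-ip>`. Comparing this expected sequence against what a packet capture actually shows is how the misrouting described above becomes visible.

```python
import re
from typing import Dict, List, Optional

# Constructed listing in the shape of `scutil --dns` output (not real capture data).
# 10.8.0.1 stands in for <vpn-resolver-ip>, 192.0.2.53 for <standard-isp-resolver-ip>.
SAMPLE_SCUTIL_DNS = """\
resolver #1
  domain : vpn.domain
  nameserver[0] : 10.8.0.1
  nameserver[1] : 192.0.2.53
  order : 1
resolver #2
  nameserver[0] : 192.0.2.53
  order : 200000
"""

_HEADER = re.compile(r"^resolver #(\d+)\s*$")
_NS = re.compile(r"^nameserver\[(\d+)\]\s*:\s*(\S+)$")
_KV = re.compile(r"^(\w[\w ]*?)\s*:\s*(.+)$")


def parse_resolvers(text: str) -> List[Dict]:
    """Parse 'resolver #N' stanzas into dicts with id, domain, nameservers, order."""
    resolvers: List[Dict] = []
    current: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEADER.match(line)
        if m:
            # Assumed default order for a resolver that lists none (constructed value).
            current = {"id": int(m.group(1)), "domain": None,
                       "nameservers": [], "order": 200000}
            resolvers.append(current)
            continue
        if current is None:
            continue  # text before the first stanza is ignored
        m = _NS.match(line)
        if m:
            current["nameservers"].append((int(m.group(1)), m.group(2)))
            continue
        m = _KV.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "domain":
                current["domain"] = value.lower().strip(".")
            elif key == "order":
                current["order"] = int(value)
    # Keep nameservers in index order regardless of listing order.
    for r in resolvers:
        r["nameservers"] = [ip for _, ip in sorted(r["nameservers"])]
    return resolvers


def select_resolver(hostname: str, resolvers: List[Dict]) -> Optional[Dict]:
    """Pick the resolver for a hostname: longest matching scoped domain wins,
    then lowest order; a resolver without a domain is the catch-all (assumed rule)."""
    name = hostname.lower().rstrip(".")
    best, best_key = None, None
    for r in resolvers:
        dom = r["domain"]
        if dom is None:
            match_len = 0
        elif name == dom or name.endswith("." + dom):
            match_len = len(dom)
        else:
            continue  # scoped resolver that does not cover this name
        key = (-match_len, r["order"], r["id"])
        if best_key is None or key < best_key:
            best, best_key = r, key
    return best


def nameserver_sequence(hostname: str, resolvers: List[Dict]) -> List[str]:
    """Nameservers in the order they should be tried for this hostname."""
    chosen = select_resolver(hostname, resolvers)
    return list(chosen["nameservers"]) if chosen else []


if __name__ == "__main__":
    rs = parse_resolvers(SAMPLE_SCUTIL_DNS)
    for host in ("intranet.vpn.domain", "www.example.com"):
        print(host, "->", nameserver_sequence(host, rs))
```

Running it shows `intranet.vpn.domain` going to the VPN resolver first with the ISP resolver as fallback, and a non-VPN name going straight to the ISP resolver, which is exactly the cascade the post describes as the intent.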
I've commented earlier in this thread on a different symptom of this bug, but I'm also seeing this same VPN bug as described by Brian Dantes. My particular VPN solution is a SonicWall/Aventail SSL VPN. When I connect to the VPN, my 10.6.2 box at home should start resolving using the additional DNS servers that it gets via the VPN, in order to resolve internal 10.x.x.x addresses and such. Instead, they don't resolve at all (except with dig, which works properly via another resolution mechanism, as we know).
Killing mDNSResponder works, of course, and I can do that for myself (as annoying as that is), but there's no way that my users are going to figure that out if we upgrade them to Snow Leopard. For now, this is a bug that is forcing us to stay with 10.5 and not upgrade.
I sure hope that 10.6.3 fixes this silliness: it's a dumb bug that should have been fixed long before now.