FQDN resource and IPv4/IPv6 resources-based Split Tunneling
The following table describes the different scenarios for FQDN based split tunneling with respect to IPv4 and IPv6 based split tunneling.
|
S. No. |
IPv4 Include Policy |
IPv4 Exclude Policy |
IPv6 Include Policy |
IPv6 Exclude Policy |
FQDN Include Policy |
FQDN Exclude Policy |
Split DNS Behavior |
Client Behavior |
|---|---|---|---|---|---|---|---|---|
| 1 | 1.1.10/24 | NA | NA | NA | NA | NA | NA | 1.1.1.0 pointing to the tunnel interface. All other IPv4 goes through physical interface. All IPv6 resources goes through the tunnel. FQDN resources are not considered, depends on the IPv4 default route if present goes through the tunnel interface else through physical interface. |
| 2 | NA | 1.1.1.0/24 | NA | NA | NA | NA | NA | 1.1.1.0 pointing to physical interface. All other IPv4 traffic except 1.1.1.0/24 goes through the tunnel interface. All IPv6 traffic goes through the tunnel interface. FQDN resources are not considered, depends on the IPv4 default route if present goes through the tunnel else though physical interface. |
| 3 | NA | NA | 2001:cdba::3257:9652 | NA | NA | NA | NA | Default IPv4 route pointing to the tunnel. IPv6 route for 2001:cdba::3257:9652 pointing to tunnel. All IPv4resource goes through the tunnel. All IPv6 traffic other than 2001:cdba::3257:9652 goes through the tunnel. FQDN resources are not considered, depends on the IPv4 default route if present goes through the tunnel else though physical interface. |
| 4 | NA | NA | NA | 2001:cdba::3257:9652 | NA | NA | NA | IPv4 default route pointing to the tunnel. IPv6 default route pointing to the tunnel. IPv6 route for 2001:cdba::3257:9652 pointing to physical interface. All other IPv4 and IPv6 resource goes through the tunnel. FQDN resources are not considered, depends on the IPv4 default route if present goes through the tunnel else though physical interface. |
| 5 | NA | NA | NA | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS. All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | Only www.google.com goes through the tunnel. IPv4 goes through the physical interface. IPv6 goes the through the tunnel. |
| 6 | NA | NA | NA | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | www.google.com goes through the physical interface. All other FQDN resources goes through the tunnel. All IPv4/IPv6 resources goes through the tunnel. |
| 7 | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | NA | NA | NA | Route for 1.1.1.0/24 pointing to the tunnel. Route for 2001:cdba::3257:9652 pointing to the tunnel. Except for [1.1.1.0/24 and 2001:cdba::3257:9652 ] all other IPv4 and IPv6 goes through the tunnel. FQDN resources are not considered, depends on the IPv4 default route if present goes through the tunnel else though physical interface. |
| 8 | NA | 1.1.1.0/24 | NA | 1.1.1.0/24 | NA | NA | NA | IPv4 default route pointing to the tunnel. IPv6 default route pointing to tunnel. Route for 1.1.1.0/24 pointing to physical interface. Route for 2001:cdba::3257:9652 pointing to physical interface. Except for 1.1.1.0/24 and 2001 all other IPv4 and IPv6 goes through the tunnel. FQDN resources are not considered. |
| 9 | 1.1.1.0/24 | NA | NA | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | Except for 1.1.1.0/24 and www.goolge.com all other IPv4 and FQDN goes through the physical interface. All IPv6 goes through the tunnel. |
| 10 | NA | 1.1.1.0/24 | NA | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except for 1.1.1.0/24 and www.google.com all other IPv4,IPv6 and FQDN resource goes through the tunnel. All IPv6 goes through the tunnel. |
| 11 | NA | NA | 2001:cdba::3257:9652 | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | Except for 2001:cdba::3257:9652 and www.google.com all other IPv4/IPv6/FQDN goes through the physical interface. |
| 12 | NA | NA | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except for 2001:cdba::3257:9652 and www.google.com all the other IPv4/IPv6/FQDN goes through the tunnel. |
| 13 | 1.1.1.0/24 | NA | NA | NA | NA | www.google.com | NA | Except for 1.1.1.0/24 all other IPv4 goes through physical interface. Except for www.google.com all other FQDN resource goes through the tunnel. All IPv6 traffic goes through the tunnel. |
| 14 | NA | 1.1.1.0/24 | NA | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | Except for 1.1.1.0/24 all other IPv4 resources goes through the tunnel. All the IPv6 traffic goes through the tunnel. Except for www.google.com all other FQDN resources goes through the physical interface. |
| 15 | NA | NA | 2001:cdba::3257:9652 | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except for www.google.com, all other FQDN resources goes through the tunnel. Except for 2001:cdba::3257:9652 all the IPv6 traffic goes through the physical interface. All the IPv4 traffic goes through the tunnel. |
| 16 | NA | NA | NA | 2001:cdba::3257:9652 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | Except www.google.com, all other FQDN resources goes through the physical interface. Except 2001:cdba::3257:9652 all other IPv6 traffic goes through the tunnel. All the IPv4 traffic goes through the physical interface. |
| 17 | 1.1.1.0/24 | 2.2.2.0/24 | NA | NA | NA | NA | NA | No IPv4 default route. IPv6 default route pointing to the tunnel. Route for 1.1.1.0/24 pointing to the tunnel. Except for 1.1.1.0/24 all the IPv4 traffic goes through the physical interface. All the IPv6 traffic goes through the tunnel. FQDN resources are not considered , depends on the IPv4 default route if present goes through the tunnel else through physical interface. |
| 18 | NA | NA | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | NA | NA | NA | IPv4 default route pointing to the tunnel. Route for 2001:cdba::3257:9652 pointing to the tunnel. Route for 2001:cdba::3257:9653 pointing to physical interface. All IPv4 traffic goes through the tunnel. FQDN resources are not considered, depends on the IPv4 default route if present goes through the tunnel else through physical interface. |
| 19 | NA | NA | NA | NA | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup including www.facebook.com happens through Physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. www.facebook.com goes through the physical interface. All the IPv4 and IPv6 resources goes through the physical interface. |
| 20 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except www.google.com, all other FQDN resources goes through the tunnel. All the IPv4 resources goes through the tunnel, except 1.1.1.0/24. All the IPv6 resources goes through the tunnel except 2001:cdba::3257:9652. |
| 21 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except www.google.com, all other FQDN resources goes through the tunnel. All the IPv4 resource goes through the tunnel except 1.1.1.0/24. All the IPv6 resources goes through the tunnel except 2001:cdba::3257:9652. |
| 22 | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except www.google.com, all other FQDN resources goes through the tunnel. All the IPv4 resources goes through the physical interface except 1.1.1.0/24. All the IPv6 resources goes through the physical interface except 2001:cdba::3257:9652. |
| 23 | 1.1.1.0/24 | NA | NA | 2001:cdba::3257:9652 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources goes through the physical interface. All the IPv4 resource goes through the physical interface except 1.1.1.0/24. All the IPv6 resource goes through the tunnel except 2001:cdba::3257:9652. |
| 24 | NA | 1.1.1.0/24 | 2001:cdba::3257:9652 | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources which are not mentioned goes through the physical interface. All the IPv4 resources goes through the tunnel except 1.1.1.0/24. All the IPv6 resources goes through the physical interface except 2001:cdba::3257:9652. |
| 25 | 1.1.1.0/24 | NA | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except www.google.com, all other FQDN resources goes through the tunnel. All the IPv4 resources goes through the physical interface except 1.1.1.0/24. All the IPv6 resource goes through the tunnel except 2001:cdba::3257:9652. |
| 26 | NA | 1.1.1.0/24 | 2001:cdba::3257:9652 | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | Except www.google.com, all other FQDN resources goes through the tunnel. All the IPv4 resources goes through the tunnel except 1.1.1.0/24. All the IPv6 resources goes through the physical interface except 2001:cdba::3257:9652. |
| 27 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resource except www.google.com goes through the physical interface. All the IPv4 resources goes through the tunnel except 1.1.1.0/24. All the IPv6 resource goes through the tunnel except 2001:cdba::3257:9652. |
| 28 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup including www.facebook.com happens through physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources which are not mentioned goes through the physical interface including www.facebook.com. All the IPv4 resources goes through the physical interface including 2.2.2.0/24 except 1.1.1.0/24. All the IPv6 resource goes through the physical interface including 2001:cdba::3257:9653 except 2001:cdba::3257:9652. |
| 29 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resource which are not mentioned goes through the physical interface All the IPv4 resource goes through the physical interface including 2.2.2.0/24 except 1.1.1.0/24. All the IPv6 resource goes through the physical interface including 2001:cdba::3257:9653 except 2001:cdba::3257:9652. |
| 30 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | NA | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup including www.facebook.com happens through physical adapter usingphysical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resource which are not mentioned goes through the physical interface including www.facebook.com . All the IPv4 resources goes through the physical interface including 2.2.2.0/24 except 1.1.1.0/24. All the IPv6 resources goes through the physical interface except 2001:cdba::3257:9652. |
| 31 | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup including www.facebook.com happens through physical adapter using physical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources which are not mentioned goes through the physical interface including facebook.com. All the IPv4 resources goes through the physical interface except 1.1.1.0/24. All the IPv6 resources goes through the physical interface including 2001:cdba::3257:9653 except 2001:cdba::3257:9652. |
| ] | NA | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup including www.facebook.com happens through physical adapter using physical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources which are not mentioned goes through the physical interface including www.facebook.com. All the IPv4 resources goes through the tunnel except 2.2.2.0/24 . All the IPv6 resources goes through the physical interface including 2001:cdba::3257:9653 except 2001:cdba::3257:9652. |
| 33 | 1.1.1.0/24 | 2.2.2.0/24 | NA | 2001:cdba::3257:9652 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup including www.facebook.com happens through physical adapter using physical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources which are not mentioned goes through the physical interface including www.facebook.com. All the IPv4 resources goes through the physical interface except 1.1.1.0/24 . All the IPv6 resources goes through the tunnel except 2001:cdba::3257:9652. |
| 34 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | NA | www.facebook.com | DNS lookup for www.facebook.com goes through the physical adapter using physical adapter DNS server. All other FQDN lookup happens through tunnel using Ivanti Connect Secure DNS. | www.facebook.com goes through the physical interface. All other FQDN resources which are not mentioned goes through the tunnel. All the IPv4 resources goes through the physical interface including 2.2.2.0/24 except 1.1.1.0/24. All the IPv6 resources goes through the physical interface including 2001:cdba::3257:9653 except 2001:cdba::3257:9652. |
| 35 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using Ivanti Connect Secure DNS All Other FQDN lookup happens through physical adapter using physical adapter DNS server. | www.google.com goes through the tunnel. All other FQDN resources which are not mentioned goes through the physical interface All the IPv4 resources goes through the physical interface including 2.2.2.0/24 except 1.1.1.0/24. All the IPv6 resources goes through the physical interface including 2001:cdba::3257:9653 except 2001:cdba::3257:9652. |
Split Tunnel should be enabled for all the above scenarios.
FQDN Policy Evaluation
FQDN policy will be evaluated based on the longest suffix matching algorithm.
The following table explains the above statement.
|
Include Policy/ Exclude Policy |
FQDN |
Client Behavior |
|
Case-1 |
||
|
Include Policy |
*.google.com |
According to longest prefix match algorithm, FQDN resources such as mail.google.com or maps.google.com will go through the virtual interface and only www.google.com will go through the physical interface. |
|
Exclude Policy |
||
|
Case-2 |
||
|
Include Policy |
According to longest prefix match algorithm, only www.google.com will go through the virtual interface and all other FQDN resources such as mail.google.com or maps.google.com will go through the physical interface. |
|
|
Exclude Policy |
*.google.com |
|
Exception
The resources accessed through IP address (IPv4 or IPv6) which has been accessed using FQDN in the same tunnel session may have their route table entries modified, due to the configured FQDN rules evaluation.
The following scenario explains the above statement.
In the below table, FQDN resource www.google.com resolves to the IP address 1.1.1.1.
|
Include Policy/ Exclude Policy |
IPv4 |
FQDN |
Client New Behavior |
|---|---|---|---|
|
Case 1 – www.google.com is accessed with IP address 1.1.1.1 for the first time. |
|||
|
Include Policy |
|
|
FQDN rules will not be applicable. www.google.com will go through the tunnel.
|
|
Exclude Policy |
2.2.2.2 |
||
|
Case 2 – www. google.com is accessed with FQDN name during the same tunnel session, route table entry for 1.1.1.1 is created. |
|||
|
Include Policy |
|
|
FQDN rules will be applicable. www.google.com will go through the physical interface. |
|
Exclude Policy |
2.2.2.2 |
||
|
Case 3 – www.google.com is accessed with IP address 1.1.1.1 during same tunnel session. |
|||
|
Include Policy |
|
|
FQDN rules will be applicable. As a result of the route table entry created for 1.1.1.1 in Case 2, www.google.com will go through the physical interface. |
|
Exclude Policy |
2.2.2.2 |
www.google.com |
|