FQDN resource and IPv4/IPv6 resources-based Split Tunneling

The following table describes the different scenarios for FQDN-based split tunneling in combination with IPv4- and IPv6-based split tunneling.

| S. No. | IPv4 Include Policy | IPv4 Exclude Policy | IPv6 Include Policy | IPv6 Exclude Policy | FQDN Include Policy | FQDN Exclude Policy | Split DNS Behavior | Client Behavior |
|---|---|---|---|---|---|---|---|---|
| 1 | 1.1.1.0/24 | NA | NA | NA | NA | NA | NA | Route for 1.1.1.0/24 pointing to the tunnel interface. All other IPv4 traffic goes through the physical interface. All IPv6 resources go through the tunnel. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel interface if it is present, else through the physical interface. |
| 2 | NA | 1.1.1.0/24 | NA | NA | NA | NA | NA | Route for 1.1.1.0/24 pointing to the physical interface. All other IPv4 traffic except 1.1.1.0/24 goes through the tunnel interface. All IPv6 traffic goes through the tunnel interface. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel if it is present, else through the physical interface. |
| 3 | NA | NA | 2001:cdba::3257:9652 | NA | NA | NA | NA | Default IPv4 route pointing to the tunnel. IPv6 route for 2001:cdba::3257:9652 pointing to the tunnel. All IPv4 resources go through the tunnel. All IPv6 traffic other than 2001:cdba::3257:9652 goes through the tunnel. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel if it is present, else through the physical interface. |
| 4 | NA | NA | NA | 2001:cdba::3257:9652 | NA | NA | NA | IPv4 default route pointing to the tunnel. IPv6 default route pointing to the tunnel. IPv6 route for 2001:cdba::3257:9652 pointing to the physical interface. All other IPv4 and IPv6 resources go through the tunnel. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel if it is present, else through the physical interface. |
| 5 | NA | NA | NA | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | Only www.google.com goes through the tunnel. IPv4 traffic goes through the physical interface. IPv6 traffic goes through the tunnel. |
| 6 | NA | NA | NA | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | www.google.com goes through the physical interface. All other FQDN resources go through the tunnel. All IPv4/IPv6 resources go through the tunnel. |
| 7 | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | NA | NA | NA | Route for 1.1.1.0/24 pointing to the tunnel. Route for 2001:cdba::3257:9652 pointing to the tunnel. Except for 1.1.1.0/24 and 2001:cdba::3257:9652, all other IPv4 and IPv6 traffic goes through the tunnel. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel if it is present, else through the physical interface. |
| 8 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | NA | NA | IPv4 default route pointing to the tunnel. IPv6 default route pointing to the tunnel. Route for 1.1.1.0/24 pointing to the physical interface. Route for 2001:cdba::3257:9652 pointing to the physical interface. Except for 1.1.1.0/24 and 2001:cdba::3257:9652, all other IPv4 and IPv6 traffic goes through the tunnel. FQDN resources are not considered. |
| 9 | 1.1.1.0/24 | NA | NA | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | Except for 1.1.1.0/24 and www.google.com, all other IPv4 and FQDN traffic goes through the physical interface. All IPv6 traffic goes through the tunnel. |
| 10 | NA | 1.1.1.0/24 | NA | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for 1.1.1.0/24 and www.google.com, all other IPv4, IPv6 and FQDN resources go through the tunnel. All IPv6 traffic goes through the tunnel. |
| 11 | NA | NA | 2001:cdba::3257:9652 | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | Except for 2001:cdba::3257:9652 and www.google.com, all other IPv4/IPv6/FQDN traffic goes through the physical interface. |
| 12 | NA | NA | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for 2001:cdba::3257:9652 and www.google.com, all other IPv4/IPv6/FQDN traffic goes through the tunnel. |
| 13 | 1.1.1.0/24 | NA | NA | NA | NA | www.google.com | NA | Except for 1.1.1.0/24, all other IPv4 traffic goes through the physical interface. Except for www.google.com, all other FQDN resources go through the tunnel. All IPv6 traffic goes through the tunnel. |
| 14 | NA | 1.1.1.0/24 | NA | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | Except for 1.1.1.0/24, all other IPv4 resources go through the tunnel. All IPv6 traffic goes through the tunnel. Except for www.google.com, all other FQDN resources go through the physical interface. |
| 15 | NA | NA | 2001:cdba::3257:9652 | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for www.google.com, all other FQDN resources go through the tunnel. Except for 2001:cdba::3257:9652, all IPv6 traffic goes through the physical interface. All IPv4 traffic goes through the tunnel. |
| 16 | NA | NA | NA | 2001:cdba::3257:9652 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | Except for www.google.com, all other FQDN resources go through the physical interface. Except for 2001:cdba::3257:9652, all other IPv6 traffic goes through the tunnel. All IPv4 traffic goes through the physical interface. |
| 17 | 1.1.1.0/24 | 2.2.2.0/24 | NA | NA | NA | NA | NA | No IPv4 default route. IPv6 default route pointing to the tunnel. Route for 1.1.1.0/24 pointing to the tunnel. Except for 1.1.1.0/24, all IPv4 traffic goes through the physical interface. All IPv6 traffic goes through the tunnel. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel if it is present, else through the physical interface. |
| 18 | NA | NA | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | NA | NA | NA | IPv4 default route pointing to the tunnel. Route for 2001:cdba::3257:9652 pointing to the tunnel. Route for 2001:cdba::3257:9653 pointing to the physical interface. All IPv4 traffic goes through the tunnel. FQDN resources are not considered; they follow the IPv4 default route: through the tunnel if it is present, else through the physical interface. |
| 19 | NA | NA | NA | NA | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups, including www.facebook.com, happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. www.facebook.com goes through the physical interface. All IPv4 and IPv6 resources go through the physical interface. |
| 20 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for www.google.com, all other FQDN resources go through the tunnel. All IPv4 resources go through the tunnel except 1.1.1.0/24. All IPv6 resources go through the tunnel except 2001:cdba::3257:9652. |
| 21 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for www.google.com, all other FQDN resources go through the tunnel. All IPv4 resources go through the tunnel except 1.1.1.0/24. All IPv6 resources go through the tunnel except 2001:cdba::3257:9652. |
| 22 | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for www.google.com, all other FQDN resources go through the tunnel. All IPv4 resources go through the physical interface except 1.1.1.0/24. All IPv6 resources go through the physical interface except 2001:cdba::3257:9652. |
| 23 | 1.1.1.0/24 | NA | NA | 2001:cdba::3257:9652 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources go through the physical interface. All IPv4 resources go through the physical interface except 1.1.1.0/24. All IPv6 resources go through the tunnel except 2001:cdba::3257:9652. |
| 24 | NA | 1.1.1.0/24 | 2001:cdba::3257:9652 | NA | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface. All IPv4 resources go through the tunnel except 1.1.1.0/24. All IPv6 resources go through the physical interface except 2001:cdba::3257:9652. |
| 25 | 1.1.1.0/24 | NA | NA | 2001:cdba::3257:9652 | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for www.google.com, all other FQDN resources go through the tunnel. All IPv4 resources go through the physical interface except 1.1.1.0/24. All IPv6 resources go through the tunnel except 2001:cdba::3257:9652. |
| 26 | NA | 1.1.1.0/24 | 2001:cdba::3257:9652 | NA | NA | www.google.com | DNS lookup for www.google.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | Except for www.google.com, all other FQDN resources go through the tunnel. All IPv4 resources go through the tunnel except 1.1.1.0/24. All IPv6 resources go through the physical interface except 2001:cdba::3257:9652. |
| 27 | NA | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources go through the physical interface. All IPv4 resources go through the tunnel except 1.1.1.0/24. All IPv6 resources go through the tunnel except 2001:cdba::3257:9652. |
| 28 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups, including www.facebook.com, happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface, including www.facebook.com. All IPv4 resources go through the physical interface, including 2.2.2.0/24, except 1.1.1.0/24. All IPv6 resources go through the physical interface, including 2001:cdba::3257:9653, except 2001:cdba::3257:9652. |
| 29 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface. All IPv4 resources go through the physical interface, including 2.2.2.0/24, except 1.1.1.0/24. All IPv6 resources go through the physical interface, including 2001:cdba::3257:9653, except 2001:cdba::3257:9652. |
| 30 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | NA | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups, including www.facebook.com, happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface, including www.facebook.com. All IPv4 resources go through the physical interface, including 2.2.2.0/24, except 1.1.1.0/24. All IPv6 resources go through the physical interface except 2001:cdba::3257:9652. |
| 31 | 1.1.1.0/24 | NA | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups, including www.facebook.com, happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface, including www.facebook.com. All IPv4 resources go through the physical interface except 1.1.1.0/24. All IPv6 resources go through the physical interface, including 2001:cdba::3257:9653, except 2001:cdba::3257:9652. |
| 32 | NA | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups, including www.facebook.com, happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface, including www.facebook.com. All IPv4 resources go through the tunnel except 2.2.2.0/24. All IPv6 resources go through the physical interface, including 2001:cdba::3257:9653, except 2001:cdba::3257:9652. |
| 33 | 1.1.1.0/24 | 2.2.2.0/24 | NA | 2001:cdba::3257:9652 | www.google.com | www.facebook.com | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups, including www.facebook.com, happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface, including www.facebook.com. All IPv4 resources go through the physical interface except 1.1.1.0/24. All IPv6 resources go through the tunnel except 2001:cdba::3257:9652. |
| 34 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | NA | www.facebook.com | DNS lookup for www.facebook.com goes through the physical adapter using the physical adapter's DNS server. All other FQDN lookups happen through the tunnel using the Ivanti Connect Secure DNS server. | www.facebook.com goes through the physical interface. All other FQDN resources not mentioned go through the tunnel. All IPv4 resources go through the physical interface, including 2.2.2.0/24, except 1.1.1.0/24. All IPv6 resources go through the physical interface, including 2001:cdba::3257:9653, except 2001:cdba::3257:9652. |
| 35 | 1.1.1.0/24 | 2.2.2.0/24 | 2001:cdba::3257:9652 | 2001:cdba::3257:9653 | www.google.com | NA | DNS lookup for www.google.com goes through the tunnel using the Ivanti Connect Secure DNS server. All other FQDN lookups happen through the physical adapter using the physical adapter's DNS server. | www.google.com goes through the tunnel. All other FQDN resources not mentioned go through the physical interface. All IPv4 resources go through the physical interface, including 2.2.2.0/24, except 1.1.1.0/24. All IPv6 resources go through the physical interface, including 2001:cdba::3257:9653, except 2001:cdba::3257:9652. |

Split tunneling must be enabled for all of the above scenarios.

FQDN Policy Evaluation

FQDN policies are evaluated using a longest suffix match: when more than one include or exclude policy matches a name, the policy matching the longest suffix of the FQDN wins.

The following table illustrates this rule.

| Case | Include Policy (FQDN) | Exclude Policy (FQDN) | Client Behavior |
|---|---|---|---|
| Case-1 | *.google.com | www.google.com | According to the longest suffix match, FQDN resources such as mail.google.com or maps.google.com will go through the virtual interface, and only www.google.com will go through the physical interface. |
| Case-2 | www.google.com | *.google.com | According to the longest suffix match, only www.google.com will go through the virtual interface, and all other FQDN resources such as mail.google.com or maps.google.com will go through the physical interface. |

Exception

Resources accessed by IP address (IPv4 or IPv6) that have also been accessed by FQDN during the same tunnel session may have their route table entries modified as a result of the configured FQDN rule evaluation.

The following scenario illustrates this behavior.

In the table below, the FQDN resource www.google.com resolves to the IP address 1.1.1.1.

| Case | Include Policy (IPv4 / FQDN) | Exclude Policy (IPv4 / FQDN) | Client New Behavior (9.1R2 and above) |
|---|---|---|---|
| Case 1 – www.google.com is accessed by IP address 1.1.1.1 for the first time. | NA / NA | 2.2.2.2 / www.google.com | FQDN rules will not be applicable. www.google.com will go through the tunnel. |
| Case 2 – www.google.com is accessed by FQDN during the same tunnel session; a route table entry for 1.1.1.1 is created. | NA / NA | 2.2.2.2 / www.google.com | FQDN rules will be applicable. www.google.com will go through the physical interface. |
| Case 3 – www.google.com is accessed by IP address 1.1.1.1 during the same tunnel session. | NA / NA | 2.2.2.2 / www.google.com | FQDN rules will be applicable. As a result of the route table entry created for 1.1.1.1 in Case 2, www.google.com will go through the physical interface. |
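The following Python model is an added example, not Ivanti's code: it applies the longest suffix match from the FQDN Policy Evaluation table and the session route-table behaviour from the three Exception cases, so the interface chosen for each case can be checked. The class name SplitTunnelPolicy, the lists of rules it accepts, and the assumption that a destination matching no rule defaults to the physical interface when include rules exist in its category and to the tunnel otherwise (a simplification of the scenario table) are this example's own.

```python
import ipaddress

# Added example (not Ivanti's code). Include rules steer traffic to the tunnel,
# exclude rules to the physical interface. FQDN rules are chosen by longest
# suffix match, IP rules by longest prefix match. Assumed default (simplified
# from the scenario table): no include rule in a category means "tunnel".
TUNNEL = "tunnel"
PHYSICAL = "physical"

def fqdn_match_len(pattern, fqdn):
    """Matched suffix length of pattern against fqdn, or -1 when it does not match.
    "*.google.com" matches every host under google.com; "www.google.com" only that
    exact name. The longer match is the more specific one and wins."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".google.com"
        return len(suffix) if fqdn.endswith(suffix) else -1
    return len(pattern) if fqdn == pattern else -1

class SplitTunnelPolicy:
    def __init__(self, ip_include=(), ip_exclude=(), fqdn_include=(), fqdn_exclude=()):
        self.ip_rules = ([(ipaddress.ip_network(n), TUNNEL) for n in ip_include]
                         + [(ipaddress.ip_network(n), PHYSICAL) for n in ip_exclude])
        self.fqdn_rules = ([(p, TUNNEL) for p in fqdn_include]
                           + [(p, PHYSICAL) for p in fqdn_exclude])
        self.ip_default = PHYSICAL if ip_include else TUNNEL
        self.fqdn_default = PHYSICAL if fqdn_include else TUNNEL
        # Route entries created by FQDN lookups in this tunnel session
        # (the Exception above): resolved address -> interface.
        self.route_cache = {}

    def fqdn_interface(self, fqdn):
        """Longest suffix match over the include and exclude FQDN policies."""
        best_len, best = -1, self.fqdn_default
        for pattern, iface in self.fqdn_rules:
            n = fqdn_match_len(pattern, fqdn)
            if n > best_len:
                best_len, best = n, iface
        return best

    def ip_interface(self, ip):
        """Access by IP: a session route entry wins, else longest prefix match."""
        addr = ipaddress.ip_address(ip)
        if addr in self.route_cache:
            return self.route_cache[addr]
        matches = [(net.prefixlen, iface) for net, iface in self.ip_rules if addr in net]
        return max(matches)[1] if matches else self.ip_default

    def access_by_fqdn(self, fqdn, resolved_ip):
        """Access by name: the FQDN rule decides and a route for the resolved IP is kept."""
        iface = self.fqdn_interface(fqdn)
        self.route_cache[ipaddress.ip_address(resolved_ip)] = iface
        return iface
```

Case 1 to Case 3 above correspond to calling ip_interface("1.1.1.1"), then access_by_fqdn("www.google.com", "1.1.1.1"), then ip_interface("1.1.1.1") again on one SplitTunnelPolicy instance.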