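We have three Windows domain controllers (a mix of 2012 R2 and 2008 R2), all DNS servers. Split DNS scheme.
DNS resolution works for all internal subnets except the user VPN. All network connectivity appears to be unrestricted.
Users connected to the Cisco AnyConnect IOS SSL VPN cannot resolve Internet-facing DNS queries. Queries for AD-integrated zones return the correct answers.
NSLOOKUP output from a working host inside the network perimeter: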

    > set type=a
    > 4.2.2.6
    Server: dc1.domain.com
    Address: 192.168.0.1
    ------------
    SendRequest(), len 38
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags: query, want recursion
            questions = 1, answers = 0, authority records = 0, additional = 0
        QUESTIONS:
            6.2.2.4.in-addr.arpa, type = PTR, class = IN
    ------------
    ------------
    Got answer (98 bytes):
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags: response, want recursion, recursion avail.
            questions = 1, answers = 2, authority records = 0, additional = 0
        QUESTIONS:
            6.2.2.4.in-addr.arpa, type = PTR, class = IN
        ANSWERS:
        -> 6.2.2.4.in-addr.arpa
            type = PTR, class = IN, dlen = 24
            name = f.resolvers.level3.net
            ttl = 74506 (20 hours 41 mins 46 secs)
        -> 6.2.2.4.in-addr.arpa
            type = PTR, class = IN, dlen = 12
            name = resolver8.level3.net
            ttl = 74506 (20 hours 41 mins 46 secs)
    ------------
    Name: f.resolvers.level3.net
    Address: 4.2.2.6

NSLOOKUP output from a VPN-connected host:

    > set type=a
    > 4.2.2.6
    Server: [192.168.0.1]
    Address: 192.168.0.1
    ------------
    SendRequest(), len 38
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags: query, want recursion
            questions = 1, answers = 0, authority records = 0, additional = 0
        QUESTIONS:
            6.2.2.4.in-addr.arpa, type = PTR, class = IN
    ------------
    ------------
    Got answer (38 bytes):
        HEADER:
            opcode = QUERY, id = 7, rcode = NXDOMAIN
            header flags: response, want recursion
            questions = 1, answers = 0, authority records = 0, additional = 0
        QUESTIONS:
            6.2.2.4.in-addr.arpa, type = PTR, class = IN
    ------------
    *** [192.168.0.1] can't find 4.2.2.6: Non-existent domain

Notes:
Any assistance with this would be greatly appreciated.