Reverse split tunneling of non-configured domains
Starting with the Citrix Secure Access client for Windows release 25.5.1.15, DNS resolution for non-configured domains is performed remotely when reverse split tunneling is enabled, irrespective of the Split DNS setting. Previously, DNS resolution for non-configured domains worked as follows with reverse split tunneling:
- When Split DNS is set to BOTH, non-configured domains are resolved both locally and remotely, producing duplicate queries and ambiguous answers.
- When Split DNS is set to LOCAL, non-configured domains are resolved locally only, exposing query names to the local resolver (DNS leakage) and risking unintended routing.
DNS resolution matrix
The following table summarizes the DNS resolution behavior for different Split DNS settings when reverse split tunneling is enabled.
Split DNS setting | Host name is configured | DNS suffix is configured | Domains are not configured |
---|---|---|---|
LOCAL | LOCAL | REMOTE | REMOTE |
REMOTE | REMOTE | REMOTE | REMOTE |
BOTH | BOTH | REMOTE | REMOTE |
Example:
The following is a sample split tunnel configuration in the Citrix Secure Access client:
```json
{
  "Version": 1,
  "Username": "xyz",
  "Tunnel": {
    "Split-Tunnel": "ON",
    "Split-DNS": "BOTH",
    "Tunnel-Rules": [
      {
        "Protocol": "ANY",
        "Type": "Hostname",
        "Hostnames": [
          "login.microsoftonline.com"
        ]
      },
      {
        "Protocol": "ANY",
        "Type": "Hostname",
        "Hostnames": [
          "*.spatest.corp"
        ]
      },
      {
        "Protocol": "ANY",
        "Type": "IPV4",
        "Start": "10.102.76.14",
        "Stop": "10.102.76.14"
      }
    ],
    "FQDN-SpoofedIP": {
      "IPv4": "172.16.0.0",
      "IPv4-Prefix": 16
    },
    "DNS-Truncate-Fix": true,
    "DNS-Suffix-List": [
      "cgwsanity.net"
    ]
  },
  "AlwaysON": {
    "Network-Access": true,
    "Client-Control": true
  },
  "EPA": {
  },
  "Proxy": {
  },
  "Client-Config": {
    "Local-Lan-Access": true,
    "Restart-NLA": true,
    "Allow-Logging": true,
    "Forced-Timeout": 0,
    "Forced-Timeout-Warning": 0,
    "Client-Idle-Timeout": 0
  },
  "Client-Cleanup": {
  },
  "Supported-Mux-Versions": "1,2"
}
```
For the preceding split tunnel configuration, DNS resolution is performed as shown in the following table (one row per Split DNS setting for each queried name):
Entity | Configuration | Split DNS setting | DNS resolution |
---|---|---|---|
login.microsoftonline.com | Host name login.microsoftonline.com is configured in Tunnel-Rules | BOTH | LOCAL+REMOTE |
login.microsoftonline.com | Host name login.microsoftonline.com is configured in Tunnel-Rules | LOCAL | LOCAL |
*.spatest.corp | Host name *.spatest.corp is configured in Tunnel-Rules | BOTH | LOCAL+REMOTE |
*.spatest.corp | Host name *.spatest.corp is configured in Tunnel-Rules | LOCAL | LOCAL |
dc.cgwsanity.net | DNS suffix cgwsanity.net is configured in DNS-Suffix-List | BOTH | REMOTE |
dc.cgwsanity.net | DNS suffix cgwsanity.net is configured in DNS-Suffix-List | LOCAL | REMOTE |
citrite.net | Domain or host name is not configured in Tunnel-Rules or DNS-Suffix-List | BOTH | REMOTE |
citrite.net | Domain or host name is not configured in Tunnel-Rules or DNS-Suffix-List | LOCAL | REMOTE |
sf1.spatest.corp | Domain or host name is not configured in Tunnel-Rules or DNS-Suffix-List | BOTH | REMOTE |
sf1.spatest.corp | Domain or host name is not configured in Tunnel-Rules or DNS-Suffix-List | LOCAL | REMOTE |
To restore older split DNS behavior
To restore the older split DNS behavior, in which non-configured domains are resolved according to the Split DNS setting (both locally and remotely for BOTH, locally only for LOCAL) when reverse split tunneling is enabled, configure the following registry value:
Registry name: DisableReverseTunChangeSplitDnsBehavior
Registry type: REG_DWORD
Registry value: 1
Registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
Note:
Set this registry value only when the legacy behavior is essential for compatibility or operational reasons: it reintroduces local resolution of non-configured domains, and with it the DNS leakage and unintended routing risk described above.
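The following Python model, added here as an illustration and not code from Citrix or the Secure Access client, encodes the resolution matrix above together with the legacy toggle, so that a policy can be checked offline before it is rolled out: it classifies a queried name against the Hostname rules and DNS-Suffix-List of a configuration, returns where the query is sent under the current (25.5.1.15 and later) behavior or under the legacy behavior that DisableReverseTunChangeSplitDnsBehavior = 1 restores, and lists the names that would reach the local resolver. The sample configuration is trimmed from the example on this page; the wildcard handling in `classify` (a `*.example.corp` entry matching every name under that domain) is an assumption about the client and is not stated on this page, so validate it against your own client before relying on it.

```python
"""Model of the split-DNS decision for reverse split tunneling, derived from
the resolution matrix on this page.  Added illustration, not Citrix code."""
import fnmatch
from dataclasses import dataclass, field

LOCAL, REMOTE, BOTH = "LOCAL", "REMOTE", "LOCAL+REMOTE"

# Constructed sample: the relevant parts of the page's example configuration.
SAMPLE_CONFIG = {
    "Tunnel": {
        "Split-DNS": "BOTH",
        "Tunnel-Rules": [
            {"Protocol": "ANY", "Type": "Hostname",
             "Hostnames": ["login.microsoftonline.com"]},
            {"Protocol": "ANY", "Type": "Hostname",
             "Hostnames": ["*.spatest.corp"]},
            {"Protocol": "ANY", "Type": "IPV4",
             "Start": "10.102.76.14", "Stop": "10.102.76.14"},
        ],
        "DNS-Suffix-List": ["cgwsanity.net"],
    }
}


@dataclass
class SplitDnsPolicy:
    split_dns: str                                    # "LOCAL", "REMOTE" or "BOTH"
    hostnames: list = field(default_factory=list)     # entries of Type "Hostname" rules
    dns_suffixes: list = field(default_factory=list)  # DNS-Suffix-List
    legacy: bool = False  # True models DisableReverseTunChangeSplitDnsBehavior = 1

    @classmethod
    def from_config(cls, cfg, split_dns=None, legacy=False):
        tunnel = cfg["Tunnel"]
        hostnames = [h for rule in tunnel.get("Tunnel-Rules", [])
                     if rule.get("Type") == "Hostname"
                     for h in rule.get("Hostnames", [])]
        return cls(split_dns or tunnel["Split-DNS"], hostnames,
                   list(tunnel.get("DNS-Suffix-List", [])), legacy)


def classify(policy, name):
    """Return 'hostname', 'suffix' or 'unconfigured' for a queried name."""
    name = name.lower().rstrip(".")
    for pattern in policy.hostnames:
        # Assumption: a "*.example.corp" entry matches every name under it;
        # the client's exact wildcard semantics are not stated on this page.
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return "hostname"
    for suffix in policy.dns_suffixes:
        suffix = suffix.lower().lstrip(".")
        if name == suffix or name.endswith("." + suffix):
            return "suffix"
    return "unconfigured"


def _by_setting(split_dns):
    return BOTH if split_dns == "BOTH" else split_dns


def resolve_mode(policy, name):
    """Where the query is sent, with reverse split tunneling enabled."""
    if policy.split_dns not in ("LOCAL", "REMOTE", "BOTH"):
        raise ValueError("unknown Split-DNS value: %r" % policy.split_dns)
    kind = classify(policy, name)
    if kind == "hostname":
        return _by_setting(policy.split_dns)   # follows the Split DNS setting
    if kind == "suffix":
        return REMOTE                           # always remote, whatever Split DNS is
    # Not configured anywhere: 25.5.1.15+ forces REMOTE; the legacy behavior
    # follows the Split DNS setting (BOTH -> both, LOCAL -> local only).
    return _by_setting(policy.split_dns) if policy.legacy else REMOTE


def locally_visible(policy, names):
    """Names whose queries reach the local resolver, i.e. leakage candidates."""
    return [n for n in names if resolve_mode(policy, n) in (LOCAL, BOTH)]


if __name__ == "__main__":
    queries = ["login.microsoftonline.com", "dc.cgwsanity.net", "citrite.net"]
    for split_dns in ("BOTH", "LOCAL"):
        for legacy in (False, True):
            pol = SplitDnsPolicy.from_config(SAMPLE_CONFIG, split_dns, legacy)
            print(split_dns, "legacy" if legacy else "current",
                  {q: resolve_mode(pol, q) for q in queries})
```

Running the module prints the outcome for each name under BOTH and LOCAL, with and without the legacy registry value; the difference between the two `citrite.net` results is exactly what the registry value reintroduces. The page's worked table lists sf1.spatest.corp as non-configured, which the wildcard assumption above does not reproduce, so that row is deliberately left out of the model's checks.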