John Yani
>> … my proposed implementation would be to do a DNS resolve on establishing connection and then modify the routing table based on that.
>
> How would we do a...
I'm thinking maybe it's possible to subscribe to the D-Bus system-resolved messages? So that when some domain name gets resolved, openconnect will receive a signal "example.com was resolved to 10.0.0.1"...
Or, alternatively, start a tiny DNS server and use DBus to add it for the tunnel interface. In this DNS server you would spy on the DNS query and add/update...
> It still won't work for software which has cached DNS entries (e.g. web browsers) or doesn't use the system DNS resolver for whatever other reason.

Well, if it works...
Documentation for this feature is here: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215383-asa-anyconnect-dynamic-split-tunneling.html
```
Connected to HTTPS on example.com
> POST / HTTP/1.1
> Host: example.com
> User-Agent:
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform:
>...
```
Here's what documentation says:

> Additionally, AnyConnect release 4.6 added an enhanced dynamic split tunneling, where both dynamic split exclude and dynamic split include domains are specified for enhanced domain...
Here's a tutorial on how to set it up: https://woland.com/2020/03/30/dynamic-split-tunneling-a-covid-19-best-practice/
Found this in release notes:

> DynamicSplit Include Tunneling (**Windows and macOS only**)
> They are not, however, appearing in the X-CSTP-Split-DNS headers from the connection response, which is where we have always expected them to appear.

It's not 100% clear that the...