3

Straight to the point. Is my employer able to see what websites I visited while I was connected to the VPN of the company?

I'm pretty sure that all web internet traffic is routed on my private ISP because even when I'm connected to the VPN my IP on the internet is the same of my ISP. Also, Anyconnect reports "Tunnel mode IPv4: split include" so it seems that all personal traffic doesn't go through the tunnel. But given that, how can I know if my company is able to see my dns requests?

Thanks everyone

ps: the difference with the other question is that the other user talks about a physical connection in an office, inside a building of his company while I'm talking about a private machine in a private house connected through a vpn to the intranet of a company.

user191143
  • 33
  • 1
  • 4
  • [A related recent story](https://www.reddit.com/r/legaladvice/comments/9ux3w8/ca_found_out_that_work_was_monitoring_my_home/). – Xiong Chiamiov Nov 12 '18 at 18:26

1 Answers1

4

There are a number of ways a VPN can work, although this is often forgotten. For example, a VPN can be used to provide access to resources on a private network which is at a remote location, or to send all traffic from a remote system over a local service of some kind, or just to hide the real origin of traffic.

Split-tunnel mode is often used when a company wants to allow remote users access to resources on the company LAN, but doesn't want to deal with all the remote user's normal web traffic. This works (roughly) by sending requests to specific IP addresses through the VPN, and ignoring everything else. If they want to allow remote users to access resources which have internally assigned DNS names (things like "https:\hr.examplecorp" typically), they need to send DNS requests to a server which recognises these - this will usually be internal. It is possible to configure VPN clients to send requests for specific domains to the internal server, while ignoring others, and sending them to the local machine's configured DNS server, but this is very prone to mistakes, hence most security guides recommended disabling this.

Therefore, it's probably safest to assume that all DNS traffic sent while the VPN software is active is going via the company DNS server. Cisco docs support this:

a DNS query is first sent via the tunnel and if it does not get resolved, the resolver attempts to resolve it via public interface

Matthew
  • 27,263
  • 7
  • 89
  • 101
  • Thank you. A very clear answer. Just another question: assuming that dns requests from this machine was sent to my company server, is it actually possible to see them somewhere? Are they logged? I also have a remote desktop configured to my company server, how can I check if my dns requests are visible there? Thanks a lot – user191143 Nov 12 '18 at 17:59
  • Can't say without further knowledge of the server - it could be logging everything, it could be logging internal requests only, it could be logging external requests only. – Matthew Nov 12 '18 at 19:51
  • Sorry for bothering you again Matthew but in this time I collected some informations on the internet, but I'm not an expert in networking. I'd like to have your opinion. Your quote from Cisco Docs was "wrong", it's referred to the option "split DNS" disabled, while it seems that the most common choice with "Tunnel mode IPv4: split include" is to enable the split DNS. In that case it seems that only the dns calls that match the domains in DNS suffix Search List are routed through the tunnel. In my case that list is only one item ("nameofmycompany.com"). Maybe there's a chance that I'm ok? – user191143 Nov 12 '18 at 22:15
  • Ah, I took it from the section with the heading "Split-include configuration" which doesn't talk about "split-include configured"... Fantastically clear documentation there! In that case, it suggests DNS requests for other sites don't go via the VPN, so are unlikely to be logged by the company. – Matthew Nov 13 '18 at 13:26
  • Ok. Done some tests. It turned out that unfortunately split dns is not enabled, only split tunneling. But many people told me that in this case only domains can be logged by my employer. Then if I visit www.example.com/blablabla/blablabla/gr8tj0g they can only log www.example.com and it makes sense since a dns query is to obtain the ip related to a domain, not to a specific full address. Can you confirm it? Thanks again – user191143 Nov 15 '18 at 12:28
  • Yes, DNS only relates to domains, not paths within them. It's likely requests for subdomains would be logged too, so logs would show `evil.example.com`, but not `www.example.com/evil` (this would just show `www.example.com`) – Matthew Nov 15 '18 at 16:29