Whenever the VPN is established, macOS uses the wrong order to resolve DNS entries. This leads to DNS query timeouts, but under certain circumstances to complete DNS failures, as the system insists on using the unreachable DNS server.

The problem exists for a long time now, at least since macOS Mountain Lion. For a long time I had to live with this annoyance, as the issue persisted with every new version of the AnyConnect client. But now I found a workaround, maybe even a long-term solution. It is possible to tell the macOS resolver to use certain DNS servers for certain domains. Setting this up is rather easy:

sudo mkdir /etc/resolver
echo 'nameserver 10.8.0.1' > /etc/resolver/domain.com
sudo killall -9 mDNSResponder && dscacheutil -flushcache

After restarting the mDNSResponder daemon and flushing the DNS cache, I was all set. I hope this will become a long-term solution for this issue, that plagued me for so long.