Problem
Network Connect clients on some ISPs can't resolve internal names
Discussion
Your ISP is responding with a valid record of some kind instead of a failure. By default, Network Connect queries local DNS first, before querying DNS through the VPN connection. If your ISP is trying to sell you typo-squatter domains or redirect you to a "search engine" to help you find what you want, the local lookup never fails, so your Network Connect client will never query the DNS through the VPN.
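A quick client-side check for the behaviour described above, as an added example that is not part of the original post: it resolves random names that should not exist and reports whether the local resolver answers anyway. The function names and the `nxprobe-` label are made up for the illustration.

```python
import secrets
import socket


def probe_names(count=3, suffixes=("com", "net")):
    """Build random hostnames that should not exist in public DNS."""
    return [
        f"nxprobe-{secrets.token_hex(12)}.{suffixes[i % len(suffixes)]}"
        for i in range(count)
    ]


def system_resolve(name):
    """Resolve through the OS resolver; return sorted IPs, or [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_nxdomain_rewriting(resolve=system_resolve, names=None):
    """Report whether the resolver answers for names that should fail."""
    names = probe_names() if names is None else names
    answered = {}
    for name in names:
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    # Unrelated random names sharing an address points at a catch-all
    # "search" or landing page rather than a real record.
    shared = set.intersection(*map(set, answered.values())) if answered else set()
    return {
        "probed": len(names),
        "answered": answered,
        "rewriting": bool(answered),
        "landing_ips": sorted(shared),
    }


if __name__ == "__main__":
    result = check_nxdomain_rewriting()
    print("NXDOMAIN rewriting detected:", result["rewriting"])
    for name, addrs in result["answered"].items():
        print(f"  {name} -> {', '.join(addrs)}")
```

Run it with the VPN disconnected so the probes go to the ISP's resolver.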
Solution
Kill your ISP.
...oh and making this change might help:
Users
--> Resource Policies
--> Network Connect
Network Connect Access Control
--> Roles opened with Network Connect
--> Add your internal DNS to the resources
NC Connection Profiles
--> Your NC Profile
--> DNS tab
--> Change DNS search order FROM
Search the device's DNS servers first, then client
TO
Search client DNS first, then the device