IPsec/SSL VPN


DNS server with VPN-SSL

  • 1.  DNS server with VPN-SSL

    Posted Mar 24, 2021 02:20 PM
    Hi community,

    I have a question about DNS and VPN-SSL configuration.

    Client side:
    Win 10 with Forticlient

    Fortigate side:
    version 6.0
    VPN-SSL tunnel mode
    VPN-SSL general settings DNS "same as client side"
    VPN-SSL portal with split tunneling
    VPN-SSL portal set DNS1 - 10.20.30.40
    VPN-SSL portal set DNS2 - 10.20.30.41
    I have several portals.

    I have several interfaces in my Win 10 client. Why, when I connect to the FortiGate via FortiClient, does every interface have these DNS servers assigned as the first option?
    For instance, I have Google DNS 8.8.8.8 and 8.8.4.4 assigned on my wireless NIC without a FortiClient connection, and when FortiClient is connected I have these, in this order:
    dns 10.20.30.40
    dns 10.20.30.41
    dns 8.8.8.8
    dns 8.8.4.4

    I have no problems with my communications, every connection is fine, but I think that DNS 10.20.30.40/10.20.30.41 should only be on the fortivpnssl interface. Am I wrong?
    And when I test with nslookup www.google.com the result is a timeout, but I can reach this web page; I understand that is when the DNS query reaches 8.8.8.8 or 8.8.4.4.

    Do you have an explanation?

    Thanks in advance.


  • 2.  RE: DNS server with VPN-SSL

    Posted 13 days ago
    As far as I understand, with that, all your DNS traffic will be forwarded to the tunnel, which is the expected behavior for the VPN.




  • 3.  RE: DNS server with VPN-SSL

    Posted 13 days ago
    Hi,

    First of all, thanks for your reply.

    I understand that I use the FortiClient DNS only for this interface, not for the rest; besides, all traffic except DNS uses its own interface.

    I think it is strange that if I ask for www.google.com, which is outside the SSL tunnel, the DNS answer goes through the SSL tunnel but the HTTPS answer uses my wireless NIC.

    To make a long story short, all traffic to the Internet should use my wireless NIC and the 8.8.8.8/8.8.4.4 DNS, and my SSL traffic the other DNS, 10.20.30.40/10.20.30.41.
    I don't understand why FortiClient puts DNS servers on all of my NICs.


  • 4.  RE: DNS server with VPN-SSL

    Posted 13 days ago
    The DNS list goes top to bottom, so all your DNS queries go to 10.20.30.40. The other DNS servers are only used if the first one does not reply.

    Example:

    If you try nslookup one.one.one.one, the server 10.20.30.40 will reply "1.1.1.1". With that information, you are now going to use your routing table to get to 1.1.1.1, which will be reachable through your wireless card, since you don't have 1.1.1.1 in the VPN split-tunneling configuration.


  • 5.  RE: DNS server with VPN-SSL

    Posted 13 days ago
    Yes, I know, this works as you said.
    But I don't understand why I make a DNS configuration for only one interface, fortivpnssl, and this configuration applies to every interface on my laptop. I only want these DNS servers to resolve IP addresses inside the SSL VPN; the other traffic has other DNS servers.




  • 6.  RE: DNS server with VPN-SSL

    Posted 12 days ago
    As Lucas mentioned, this is expected behavior for the VPN. You can enable DNS split tunneling if you want to restrict certain lookups to use the VPN-specified DNS server:
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD48421

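The resolution order described in reply 4 (servers tried top to bottom, the next one used only when the first does not reply, then the routing table deciding the egress interface) and the split DNS option mentioned in reply 6 (VPN DNS servers used only for configured domains) can be modelled in a few lines. The following is an added example written for this page; it is not FortiClient or FortiGate code. It uses the DNS addresses from the thread, but the interface names, the routing table, the zone data and the split domain "corp.example" are constructed assumptions, and 203.0.113.10 is a documentation address standing in for a public web host.

```python
"""Model of the client-side behaviour discussed in this thread (constructed example).

Resolver: servers tried top to bottom, next server only on timeout (reply 4).
Split DNS: VPN servers only for names under configured domains (reply 6).
Routing: longest-prefix match picks the egress interface for the answer.
"""
import ipaddress

# DNS addresses from the thread; everything below them is an assumption.
VPN_DNS = ["10.20.30.40", "10.20.30.41"]
LOCAL_DNS = ["8.8.8.8", "8.8.4.4"]

# Constructed routing table: a split-tunnel route for 10.20.0.0/16 via the
# SSL VPN adapter, everything else via the wireless NIC.
ROUTES = [
    ("0.0.0.0/0", "Wireless"),
    ("10.20.0.0/16", "fortissl"),
]

# Constructed zone data. The internal servers know intranet names plus
# one.one.one.one (reply 4's example); the public servers know public names.
INTERNAL_ZONE = {"intranet.corp.example": "10.20.50.5", "one.one.one.one": "1.1.1.1"}
PUBLIC_ZONE = {"one.one.one.one": "1.1.1.1", "www.example.com": "203.0.113.10"}
ZONES = {"10.20.30.40": INTERNAL_ZONE, "10.20.30.41": INTERNAL_ZONE,
         "8.8.8.8": PUBLIC_ZONE, "8.8.4.4": PUBLIC_ZONE}


def query(server, name, reachable):
    """One DNS query. Returns (status, ip) with status 'ok', 'nxdomain' or 'timeout'."""
    if server not in reachable:
        return "timeout", None
    ip = ZONES[server].get(name)
    return ("ok", ip) if ip else ("nxdomain", None)


def resolve(name, servers, reachable):
    """Walk the server list top to bottom; move on only when a server does not
    reply. A negative answer (NXDOMAIN) from the first server that replies is final,
    which is why an internal-only server at the top of the list breaks public names."""
    for server in servers:
        status, ip = query(server, name, reachable)
        if status != "timeout":
            return server, status, ip
    return None, "timeout", None


def split_dns_servers(name, split_domains, vpn_servers, local_servers):
    """Split DNS: only names under the configured domains go to the VPN servers."""
    for domain in split_domains:
        if name == domain or name.endswith("." + domain):
            return vpn_servers
    return local_servers


def egress_interface(ip, routes):
    """Longest-prefix match over the routing table; returns the interface name."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def lookup(name, servers, reachable, routes=ROUTES):
    """Resolve a name with the given server list, then route the answer."""
    server, status, ip = resolve(name, servers, reachable)
    egress = egress_interface(ip, routes) if ip else None
    return {"name": name, "server": server, "status": status, "ip": ip, "egress": egress}


if __name__ == "__main__":
    up = {"10.20.30.40", "8.8.8.8"}  # both secondaries "down", to show the fall-through
    merged = VPN_DNS + LOCAL_DNS     # what the poster saw: VPN servers first on every NIC
    for n in ("one.one.one.one", "intranet.corp.example", "www.example.com"):
        print("merged list:", lookup(n, merged, up))
    for n in ("intranet.corp.example", "www.example.com"):
        servers = split_dns_servers(n, ["corp.example"], VPN_DNS, LOCAL_DNS)
        print("split DNS:  ", lookup(n, servers, up))
```

With the merged list, one.one.one.one is answered by 10.20.30.40 and the resulting 1.1.1.1 is routed out of the wireless NIC, exactly as reply 4 describes; a public name the internal server does not know gets a negative answer and the resolver never falls through to 8.8.8.8. With split DNS only names under corp.example reach the VPN servers, so public names resolve via 8.8.8.8 regardless of the merged list.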

  • 7.  RE: DNS server with VPN-SSL

    Posted 12 days ago
    Yes Lester, I use split DNS / set DNS in the portal to solve that. If this is expected behavior, I don't like it.
    For instance, with another SSL VPN (Juniper NC) the DNS configuration only applies to its interface, not to the rest.
    I have several interfaces in my laptop: VMware adaptors, wired and wireless cards... I don't like that with my FortiGate SSL VPN configuration all interfaces have the same DNS.
    My goal is to put the DNS only on one interface, fortisslvpn... Perhaps this is a behaviour of the Windows OS, which shares DNS configurations with all NICs.

    I will try to test with a Linux client to see the difference.

    Thank you guys


  • 8.  RE: DNS server with VPN-SSL

    Posted 12 days ago

    It'll be interesting to see if it happens with Linux. Keep us posted.