Technical Tip: Split DNS support for SSL VPN
Description
Split DNS for SSL VPN portals lets the administrator specify which domains are resolved by the DNS servers pushed by the VPN, while all other domains continue to be resolved by the DNS servers configured locally on the client.
This article describes how the feature works, how to configure it, and how to verify it on the client.
Scope
FortiGate.
Solution
FortiClient receives the split DNS configuration from the portal when the client connects in tunnel mode.
FortiClient adds the specified DNS servers to the client computer's SSL VPN virtual adapter, and DNS requests are first attempted against these servers.
The FortiClient network driver intercepts DNS requests; if the queried name matches a domain listed under split-dns, the request is sent across the tunnel and resolved by the specified DNS servers.
If the queried name does not match a split-dns domain, the FortiClient network driver answers the request itself with 'no such name' (an NXDOMAIN response), so the operating system falls back to the DNS servers of the physical adapter.
Add the IP addresses of the split DNS servers (as a firewall address object) to split-tunneling-routing-address in the SSL VPN web portal, and create a firewall policy allowing SSL VPN clients to reach the split DNS servers; without the routing address, DNS traffic to those servers is not sent into the tunnel, and without the policy it is dropped on the FortiGate.
Configure split DNS support for SSL VPN portals from the CLI. The firewall address object that is referenced by split-tunneling-routing-address covers both split DNS servers (192.168.1.1 and 192.168.1.2 fall inside 192.168.1.0/30):
config firewall address
    edit "SPLIT-DNS-SUBNET"
        set subnet 192.168.1.0 255.255.255.252
    next
end
Configure split DNS support for SSL VPN portals from the GUI.
 
For split DNS to work as described, DNS servers must not also be configured in the global SSL VPN settings or in the SSL VPN web portal; if they are, remove them so that only the split-dns servers are pushed to the client:
config vpn ssl settings
    unset dns-server1
    unset dns-server2
end
config vpn ssl web portal
    edit "test"
        unset dns-server1
        unset dns-server2
    next
end
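A complete CLI configuration for the procedure, added here as an illustration; it is not the article's own configuration. The address object and the servers 192.168.1.1 and 192.168.1.2 match the article's example; the portal name "full-access", the domain "corp.example.com", the IP pool "SSLVPN_TUNNEL_ADDR1", the user group "sslvpn-users", the interfaces "ssl.root" and "port2", and the policy name are assumptions for the example.

```fortios
# Address object referenced by the portal's split-tunnel routing list
config firewall address
    edit "SPLIT-DNS-SUBNET"
        set subnet 192.168.1.0 255.255.255.252
    next
end

# Tunnel-mode portal: no general DNS servers, only split-dns entries.
# Portal name, IP pool and domain are assumed for this example.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "SPLIT-DNS-SUBNET"
        unset dns-server1
        unset dns-server2
        config split-dns
            edit 1
                set domains "corp.example.com"
                set dns-server1 192.168.1.1
                set dns-server2 192.168.1.2
            next
        end
    next
end

# No DNS servers in the global SSL VPN settings either
config vpn ssl settings
    unset dns-server1
    unset dns-server2
end

# Policy so SSL VPN clients can reach the split DNS servers.
# Interfaces, group and policy name are assumed for this example.
config firewall policy
    edit 0
        set name "SSLVPN-to-split-DNS"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SPLIT-DNS-SUBNET"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat disable
    next
end
```

Only names under "corp.example.com" (and its subdomains) are sent through the tunnel to 192.168.1.1 or 192.168.1.2; every other query is answered with 'no such name' by the FortiClient driver and resolved by the physical adapter's DNS servers. Restricting the policy to the DNS service keeps the tunnel from becoming a general path to the 192.168.1.0/30 hosts.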

Verification:
After the user connects to the SSL VPN, ipconfig /all on the client shows the following for the SSL VPN virtual adapter and the physical Ethernet adapter. A split domain queried from the client should be answered by 192.168.1.1 or 192.168.1.2, while any other name is resolved through 8.8.8.8:
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter <--
Physical Address. . . . . . . . . : 00-09-0F-AA-00-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::daa6:e56b:356c:850f%34(Preferred)
IPv4 Address. . . . . . . . . . . : 10.24.10.1(Tentative)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 570427663
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2F-41-40-ED-00-70-68-6F-01-01
DNS Servers . . . . . . . . . . . : 8.8.8.8 <-- Client system DNS.
                                    192.168.1.1 <-- Split DNS server 1.
                                    192.168.1.2 <-- Split DNS server 2. The SSL VPN adapter lists both split DNS servers.
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Ethernet Adapter
Physical Address. . . . . . . . . : 00-70-68-6F-01-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.29.6.50(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.192.0
Default Gateway . . . . . . . . . : 172.29.10.24
DNS Servers . . . . . . . . . . . : 8.8.8.8 <-- Unchanged: the physical adapter keeps the client's own DNS server.
NetBIOS over Tcpip. . . . . . . . : Enabled
Debug commands on the FortiGate (run diagnose debug enable after setting the application debug level, and diagnose debug reset when finished):
diagnose debug application sslvpn -1 <-- SSL VPN daemon.
diagnose debug application tvc -1 <-- SSL VPN client handling.
diagnose debug application fnbamd -1 <-- Remote user authentication (fnbamd).
diagnose firewall auth list <-- Currently authenticated users.
get vpn ssl monitor <-- Connected SSL VPN sessions and their assigned tunnel IP addresses.