Skip to main content
raffaeledp
raffaeledp
Explorer III
November 14, 2024
Question

Custom DNS is not working with a VPN Client

  • November 14, 2024
  • 3 replies
  • 4888 views

Hello everybody, 

I'm working on a 60F Fortigate.

I have an internal domain called vpn.xxx.com. I set some custom DNS records to redirect the request to vpn.xxx.com to a specific machine. The interface we are working on is the Wi-Fi interface.

Screenshot 2024-11-13 alle 10.02.07.png 

From the picture, 192.168.1.1 is the router. So far, so good. Everything is working. My network settings are:

Screenshot 2024-11-13 alle 10.04.56.png

Screenshot 2024-11-13 alle 10.05.08.png

 

 If I ping vpn.xxx.com:

 10.1.0.1 replies correctly

 

Screenshot 2024-11-13 alle 10.04.23.png

 

Now I connect to a VPN Client. The network settings I showed before remain the same. The difference, now is that 10.1.0.1 is not the one ho replies to the ping. Now, 79.x.x.x replies to the ping:

Screenshot 2024-11-13 alle 10.14.27.png

and vpn.xxx.com is not reacheable anymore. Who is 79.x.x. x? Is the WAN interface of the Fortigate:

 

Screenshot 2024-11-13 alle 10.15.08.png

Now, you cou ld say that the problem is the VPN, that probably changes some DNS stuff. It could be right, but there is only one problem. If I disconnect from the Wi-Fi (on wich are set DNS custom records) and connect to my phone hotspot and to the VPN Client, vpn.xxx.com is reacheable again.

To the ping, 79.x.x.x replies correctly and vpn.xxx.com is correctly functioning.

What's happening? Thank you very much for your support!

 

 

 

 

3 replies

raffaeledp
raffaeledpAuthor
Explorer III
November 14, 2024

Just to be clear:

the only time that vpn.xxx.com is not reacheable is when I'm on the Wi-Fi and I have the VPN client turned on.

ebilcari
Staff
ebilcari
Staff
November 14, 2024

Indeed it seems like a DNS resolving issue, most probably after the VPN is connected, a public DNS server is used to resolve domains that's why you get the public A record. You can verify with nslookup command in the end host which DNS server is responding.

Is the VPN connected with the same FGT or to another device?

Emirjon
    raffaeledp
    raffaeledpAuthor
    Explorer III
    November 14, 2024

    this are the nslookup (the VPN client is on the device which is pinging vpn.xxx.com):

     

    Wi-Fi network without VPN (functioning):

     

    raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

    Server:    10.1.10.1

    Address:  10.1.10.1#53

     

    Name:  vpn.xxx.com

    Address: 10.1.0.1

     

    Hotspot (or any other network) network with VPN (functioning):

    raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

    Server: 10.20.10.115

    Address: 10.20.10.115#53

     

    Non-authoritative answer:

    Name: vpn.xxx.com

    Address: 79.9.x.x

     

    Hotspot (or any other network) without VPN (functioning):

    raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

    Server: 96.45.45.45

    Address: 96.45.45.45#53

     

    Non-authoritative answer:

    Name: vpn.xxx.com

    Address: 79.9.x.x

     

    Wi-Fi network with VPN (not functioning):

     

    raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

    Server:    10.20.10.115

    Address:  10.20.10.115#53

     

    Non-authoritative answer:

    Name:  vpn.xxx.com

    Address: 79.9.x.x

    ebilcari
    Staff
    ebilcari
    Staff
    November 14, 2024

    It appear that after the VPN is connected, the client is forced to use this DNS server: 10.20.10.115, that most probably forward the requests to a public DNS server that's why it responds with a public IP.
    Do you manage the network device that offer the VPN to this client?
    What is the final goal in this case, do you need the name resolution of 'vpn.xxx.com' to connect to a second VPN while still connected in the first VPN?

    Emirjon
      bakriwa5
      bakriwa5
      New Member
      November 14, 2024

      Usually with clients connecting to SSL VPN, they use whatever DNS servers your VPN gateway tells them to use. These servers should be specified somewhere in your client VPN configuration. The ISP cannot magically hijack your VPN clients' configuration and inject their own DNS server into your IP, you are giving this out to your clients somewhere along the chain

        raffaeledp
        raffaeledpAuthor
        Explorer III
        November 21, 2024

        Thanks for your reply. What I don't undestand is that in both cases, the dnslookup gives the same result, but if the vpn is on wifi, vpn.xxx.com is not reacheable.

        Terms & ConditionsAccessibility statement