iulian
Visitor III
January 6, 2025
Solved

IPsec IKEv2 Dial-up DNS issues


Hello everyone,
How can I configure FortiClient VPN (full-tunnel mode) to:

  1. Use internal DNS server (e.g. 192.168.1.x) for resolving internal domain names only
  2. Use public DNS (8.8.8.8) for all external domain queries
  3. Avoid the current 6+ second delay caused by failed DNS resolution attempts to the internal DNS

Currently, all DNS queries first try the internal DNS server before failing over to 8.8.8.8, causing noticeable delays. I want to maintain full-tunnel mode for security but need more efficient DNS resolution.

I am attaching a screenshot of an nslookup and the tunnel configuration so you guys have a clearer understanding and hopefully can help me.


1 reply

AEK
SuperUser
January 6, 2025

Hi Iulian

You need to configure split DNS, which is supported for IKEv2 starting from FOS 7.2.3.

https://docs.fortinet.com/document/forticlient/7.2.0/new-features/634537/split-dns-support-for-ipsec-vpn-7-2-3

Hope it helps.

iulian (Author)
Visitor III
January 6, 2025

Thank you sir.

I have tried this earlier but it did not work for me.

It seems that I was missing an important step that is mentioned in the following KB.

https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/836965/ipsec-split-dns

After configuring the "internal-domain-list" and the DNS server that will resolve local names, I also enabled "Local LAN" in the FortiClient tunnel config.

Now names that are part of the internal domain list are forwarded to my local DNS server. The rest are resolved using the DNS server configured on the network card of the user's computer.

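One way to check that the split-DNS policy is actually honored once it is configured, as an added example that is not from the thread or from Fortinet: it classifies (query name, resolver) pairs, as one could extract from a Wireshark capture like the one mentioned above, against an assumed internal-domain-list and assumed resolver addresses, flagging both the slow "external name sent to internal DNS" path from the question and the opposite case of an internal name leaking to a public resolver.

```python
"""Audit DNS queries seen on the wire against the intended split-DNS policy.

Added example, not code from the thread or from Fortinet. The resolver
addresses, the internal-domain-list and the capture rows are constructed.
"""
from typing import Dict, Iterable, List, Tuple

INTERNAL_DNS = {"192.168.1.10"}            # assumed internal resolver
PUBLIC_DNS = {"8.8.8.8"}                   # public resolver named in the question
INTERNAL_DOMAINS = ("corp.example.com",)   # assumed internal-domain-list


def is_internal_name(name: str, domains: Iterable[str] = INTERNAL_DOMAINS) -> bool:
    """True if name equals or lies under one of the internal domains.

    Case-insensitive, ignores a trailing dot, and matches on label
    boundaries so 'evilcorp.example.com' is not under 'corp.example.com'.
    """
    n = name.rstrip(".").lower()
    return any(n == d or n.endswith("." + d)
               for d in (x.rstrip(".").lower() for x in domains))


def classify(name: str, resolver: str) -> str:
    """ok, leak (internal name not sent to internal DNS) or misrouted
    (external name not sent to public DNS, e.g. the slow internal-first path)."""
    if is_internal_name(name):
        return "ok" if resolver in INTERNAL_DNS else "leak"
    return "ok" if resolver in PUBLIC_DNS else "misrouted"


def audit(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (name, resolver) rows by verdict."""
    result: Dict[str, List[Tuple[str, str]]] = {"ok": [], "leak": [], "misrouted": []}
    for name, resolver in rows:
        result[classify(name, resolver)].append((name, resolver))
    return result


SAMPLE = [  # constructed rows, not taken from the screenshots
    ("fileserver.corp.example.com", "192.168.1.10"),
    ("www.fortinet.com", "8.8.8.8"),
    ("www.fortinet.com", "192.168.1.10"),       # the delay case from the question
    ("intranet.CORP.example.com.", "8.8.8.8"),  # internal name leaking outside
    ("evilcorp.example.com", "8.8.8.8"),        # lookalike, correctly external
]

if __name__ == "__main__":
    for verdict, hits in audit(SAMPLE).items():
        print(f"{verdict}: {hits}")
```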