puzzopi
New Member
January 8, 2021
Question

VPN Remote Access with different access - DNS problem

  • January 8, 2021
  • 2 replies
  • 4570 views

Hi,

I have a problem with DNS resolution for VPN remote clients.

FortiGate 900D, 6.2.6.

FortiClient version: 6.4.1.

Example: I have server A, server B and a DNS server.

I give different access to different people to have more security.

Peter can access only A.

Frank can access only B.

Paul can access all servers.


Paul can resolve name to IP, Peter and Frank cannot resolve.

If I add to Peter's and Frank's profile also the DNS server, they too can resolve.

But I wish Peter and Frank not to see the DNS server.


In SSL-VPN Settings on the web interface of the firewall I insert the DNS server under Tunnel Mode Client Settings.


Thanks in advance.

    2 replies

    rwpatterson
    New Member
    January 8, 2021

    Sorry, but I don't understand. You want them to resolve but not 'see' the DNS server. What do you mean by not see?

    puzzopi (Author)
    New Member
    January 8, 2021

    I mean that I don't want them to know it exists.

    The DNS server is also the Domain Controller... It could happen that it is also the file server...


    OK, Peter and Frank (external techs) don't have a password to access the DNS/file server...

    but I would like that with an IP scan, outsiders can only see the hosts that I have decided for them.

    Is it possible to give the external techs on VPN access only to the hosts that I have decided, and also to the DNS server, but only on port 53?

    Thanks

    rwpatterson
    New Member
    January 8, 2021

    If you only permit port 53 for these guys, that's the only way they can touch that server. They can't PING, HTTP, Samba, or anything else. Just DNS queries, if that is the only thing you permit in the policy.

    puzzopi (Author)
    New Member
    January 15, 2021

    OK, how should I do that?

    Is there a smart way? I have 4 different policies to give VPN access to different people.


    Do I add another IPv4 policy for each VPN access that gives access to the DNS server with the DNS service?

    I tried to create a new service that gives access to the DNS server on port 53, but it doesn't work.


    Thanks
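One way to build what the thread arrives at (per-group policies that allow the DNS host on port 53 only), as an added example that is not from the original thread or from Fortinet: a FortiOS 6.2-style CLI policy pair for one user group. All object and interface names (DNS_SERVER, SERVER_A, external-tech-A, port1) and the 192.0.2.x addresses are assumed placeholders; SSLVPN_TUNNEL_ADDR1, ssl.root and the DNS service object are FortiOS defaults.

```fortios
# Added example, not from the thread. Assumed names: DNS_SERVER, SERVER_A,
# user group "external-tech-A" (Peter), LAN interface "port1".
config firewall address
    edit "DNS_SERVER"
        set subnet 192.0.2.53 255.255.255.255   # placeholder IP (TEST-NET-2)
    next
    edit "SERVER_A"
        set subnet 192.0.2.10 255.255.255.255   # placeholder IP
    next
end

config firewall policy
    # Policy 1: this group reaches DNS_SERVER only with the built-in "DNS"
    # service (TCP/UDP 53). Every other protocol to that host from the tunnel
    # falls through to the implicit deny, so ICMP, SMB and HTTP are dropped
    # and a port scan from the VPN client shows nothing but 53.
    edit 0
        set name "sslvpn-extA-dns-only"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DNS_SERVER"
        set action accept
        set schedule "always"
        set service "DNS"
        set groups "external-tech-A"
        set nat disable
        set logtraffic all
    next
    # Policy 2: the same group's access to the one host it is allowed to use.
    edit 0
        set name "sslvpn-extA-serverA"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "SERVER_A"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "external-tech-A"
        set nat disable
        set logtraffic all
    next
end
```

The DNS host still has to be in that group's SSL-VPN portal split-tunnel routing address so the client routes queries into the tunnel; it is the firewall policy, not the routing entry, that confines the group to port 53. Repeat the pair per group (Frank's with SERVER_B) and check the policy logs to confirm non-DNS attempts against DNS_SERVER are being denied.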