Skip to main content
jokes54321
jokes54321
New Member
October 3, 2020
Solved

Wrong DNS Server used by random clients

  • October 3, 2020
  • 1 reply
  • 14264 views

We've been using Fortigate and FortiClient managed by EMS for many years now. The Fortigate is currently on 6.0.10 and the FortiClients vary from 6.0.5 to 6.0.10. We have several hundred VPN users and most work without issues.

 

We've had a couple of users now report they cannot access internal resources. When we check the client, we find they can reach the host by IP, but it appears Windows isn't using the internal DNS server to resolve the host name. If we open a command prompt and type NSLookup, it connects to the internal DNS server we have defined in the SSLVPN settings. We confirmed the DNS suffix is also configured in the Fortigate SSLVPN configuration.

 

The large majority of clients work, but it seems the list of users having issues resolving internal hosts by name is slowly growing. I'm not sure if a Windows update has suddenly caused this to start, but I am looking to the community for some suggestions?

 

Denny

    Best answer by jokes54321

    We believe we tracked this issue down. We discovered the clients having issues were using IPV6 and learned about this feature in Windows call "Smart Multi-Homed Name Resolution". It sounds like Windows will forward a DNS query to both the IPV6 and IPV4 DNS servers and use the first response.

     

    We added a regkey to disable the parallel queries and the issue cleared.

     

     

    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

    [ul]
  • If the Dword value DisableParallelAandAAAA  exists already, make sure its value is set to 1.
  • If the value does not exist, right-click on Parameters, and select New > Dword (32-bit) Value.
  • Name it DisableParallelAandAAAA.
  • Set the value of the Dword to 1. You can turn the feature back on by setting the value to 0, or by deleting the value.[/ul]

     

    Denny

    • 1 reply

    jokes54321
    jokes54321AuthorAnswer
    New Member
    October 6, 2020

    We believe we tracked this issue down. We discovered the clients having issues were using IPV6 and learned about this feature in Windows call "Smart Multi-Homed Name Resolution". It sounds like Windows will forward a DNS query to both the IPV6 and IPV4 DNS servers and use the first response.

     

    We added a regkey to disable the parallel queries and the issue cleared.

     

     

    Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

    [ul]
  • If the Dword value DisableParallelAandAAAA  exists already, make sure its value is set to 1.
  • If the value does not exist, right-click on Parameters, and select New > Dword (32-bit) Value.
  • Name it DisableParallelAandAAAA.
  • Set the value of the Dword to 1. You can turn the feature back on by setting the value to 0, or by deleting the value.[/ul]

     

    Denny

      • Pascallozz
      Pascallozz
      New Member
      June 14, 2021

      I had the same problem. But with this solution you don't have to adjust regedit. 

       

      The way to fix this is using the cli, since you do not have that option in the webinterface. 

       

      Start the cli

      [ul]
    • config vpn ipsec phase1-interface
    • edit <VPN NAME>
    • set dns manual
    • set ipv4-dns-server1 x.x.x.x (your local dns server)
    • set ipv4-dns-server2 x.x.x.x (your secondary dns server)
    • set domain yourdomain.local
    • end[/ul]

      Reconnect the vpn and you will see that you now have the correct ip address information.

       

      Cheers

      • Terms & ConditionsAccessibility statement