DNS server with VPN-SSL
Hi community,
I have a question about DNS and VPN-SSL configuration.
Client side:
Win 10 with Forticlient
Fortigate side:
version 6.0
VPN-SSL tunnel mode
VPN-SSL general settings DNS "same as client side"
VPN-SSL portal with split tunneling
VPN-SSL portal set DNS1 - 10.20.30.40
VPN-SSL portal set DNS2 - 10.20.30.41
I have several portals.
I have several interfaces in my Win 10 client. Why, when I connect to the FortiGate via FortiClient, does every interface have these DNS servers assigned as the first option?
For instance, I have assigned Google DNS 8.8.8.8 and 8.8.4.4 on my wireless NIC without a FortiClient connection, and when FortiClient is connected I have these in this order:
dns 10.20.30.40
dns 10.20.30.41
dns 8.8.8.8
dns 8.8.4.4
I have no problems with my communications, every connection is fine, but I think that DNS 10.20.30.40 / 10.20.30.41 must be only on the fortivpnssl interface. Am I wrong?
And when I test with nslookup www.google.com the result is a timeout, but I can reach this web page, I understand, when the DNS query reaches 8.8.8.8 or 8.8.4.4.
Do you have an explanation?
Thanks in advance.
As far as I understand, with that, all your DNS traffic will be forwarded to the tunnel, which is the expected behavior for the VPN.
Hi,
First of all, thanks for your reply.
I understand that I use the FortiClient DNS only for this interface but not for the rest; besides, all traffic except DNS uses its own interfaces.
I think that it is strange that if I ask for www.google.com, which is outside the SSL tunnel, the DNS answer goes through the SSL tunnel but the HTTPS answer uses my wireless NIC.
To make the story short, all traffic to the Internet should use my wireless NIC and the 8.8.8.8 / 8.8.4.4 DNS, and my SSL traffic the other DNS, 10.20.30.40 / 10.20.30.41.
I don't understand why FortiClient puts DNS servers on all of my NICs.
DNS list goes top to bottom, so all your DNS queries go to 10.20.30.40. The other DNS options are only used if the first one does not reply.
Example:
If you try nslookup one.one.one.one, the server 10.20.30.40 will reply "1.1.1.1". With that information, you are now going to use your routing table to get to 1.1.1.1, which will be reachable through your wireless card, since you don't have 1.1.1.1 in the VPN split tunneling configuration.
Yes, I know, this works as you said.
But I don't understand the reason why I make a DNS configuration for only one interface, fortivpnssl, and this configuration applies to every interface of my laptop. I only want these DNS servers to resolve IP addresses inside the SSL VPN; the other traffic has other DNS.
As Lucas mentioned, this is expected behavior for the VPN. You can enable DNS split tunneling if you want to restrict certain lookups to use the VPN-specified DNS server:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48421
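An added diagnostic for the Windows client, not from the thread or from Fortinet, that checks the two points raised above: which DNS servers each adapter carries and which adapter's servers Windows prefers, whether split-DNS rules (NRPT) are present, and which adapter a resolved address such as 1.1.1.1 actually leaves by. Adapter names and the 1.1.1.1 sample address are assumptions taken from the reply's example.

```powershell
# Added diagnostic script (not part of the thread): run on the Win 10 client
# while FortiClient is connected and compare with the output when disconnected.

# 1. DNS servers per adapter, in the order each adapter will try them.
#    The VPN adapter (FortiClient names vary; e.g. "fortissl") should be the
#    only one listing 10.20.30.40 / 10.20.30.41.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias,
        @{ Name = 'DnsServers'; Expression = { $_.ServerAddresses -join ', ' } }

# 2. Interface metrics. Windows consults the connected adapter with the lowest
#    metric first when it builds its resolver order, so a low VPN metric is one
#    reason the VPN servers appear ahead of 8.8.8.8 / 8.8.4.4.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric

# 3. Name Resolution Policy Table. Split DNS works by installing per-domain
#    rules here; an empty table means every name goes to the preferred adapter.
Get-DnsClientNrptRule | Select-Object Namespace, NameServers

# 4. Egress check for a resolved address (1.1.1.1 from the reply's example).
#    With split tunneling this should name the wireless adapter, not the VPN.
$remote = '1.1.1.1'   # assumption: address returned by the VPN DNS server
Find-NetRoute -RemoteIPAddress $remote |
    Select-Object InterfaceAlias, NextHop, IPAddress
```

If step 3 returns nothing while the portal has split DNS configured, the per-domain rules have not been installed and the global resolver order from step 2 is what is in effect.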
Yes Lester, I use split DNS / set DNS in the portal to solve that. If this is expected behavior, I don't like it.
For instance, with another SSL-VPN (Juniper NC) the DNS configuration only applies to its interface, not to the rest.
I have several interfaces in my laptop: VMware adapters, wired and wireless cards..... I don't like that for my FortiGate SSL-VPN configuration all interfaces have the same DNS.
My goal is to put the DNS only on one interface, fortisslvpn.... Perhaps this is a behaviour of the Windows OS that shares DNS configurations with all NICs.
I will try to test with a Linux client to see the difference.
Thank you guys.
It'll be interesting to see if it happens with Linux. Keep us posted.
