Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

VictGarc1
New Contributor

Created on ‎03-24-2021 02:20 PM

DNS server with VPN-SSL

Hi community,

I have a question about DNS and VPN-SSL configuration.

Client side:
Win 10 with Forticlient

Fortigate side:
version 6.0
VPN-SSL tunnel mode
VPN-SSL general settings DNS "same as client side"
VPN-SSL portal with split tunneling
VPN-SSL portal set DNS1 - 10.20.30.40
VPN-SSL portal set DNS2 - 10.20.30.41
I have several portals.

I have several interfaces in Win 10 client , why when I connect to fortigate via forticlient  every interfaces have these DNS assigned as a first option?
for instance, I have assigned google DNS 8.8.8.8 and 8.8.4.4 in my Wireless NIC without forticlient connection,and when forticlient is connected I have these in this order.
dns 10.20.30.40
dns 10.20.30.41
dns 8.8.8.8
dns 8.8.4.4

I have no problems with my communications ,every connections are fine but I think that DNS 10.20.30.40 /10.20.30.41 must be only in fortivpnssl interface , I'm wrong?
and when I test with nslookup www.google.com the result is timeout but I can reach this web page I understand when dns query reach 8.8.8.8 or 8.8.4.4

Do you have an explanation ?

thanks in advance
Labels:
1574
0 Kudos
7 REPLIES 7
lbjust
New Contributor II

Created on ‎04-28-2021 12:50 PM

As far as I understand, with that, all your DNS traffic will be forwarded to the tunnel, which is the expected behavior for the VPN.

1538
0 Kudos
VictGarc1
New Contributor
In response to lbjust

Created on ‎04-28-2021 01:22 PM

Hi,

First of all,thanks for your reply.

I understand that I use forticlient-dns only for this interface but not for the rest,besides all traffic except DNS uses their interfaces.

I think that it is strange that if I ask for www.google.com which is out of the ssl tunnel DNS answer go through ssl tunnel but https answer use my wireless NIC.

To make the story short, all traffic to Internet should use my Wireless NIC and 8.8.8.8 / 8.8.4.4 DNS and my ssl traffic the other DNS 10.20.30.40 /10.20.30.41
I don't understand why forticlient put DNS servers in all of my NICs
1538
0 Kudos
lbjust
New Contributor II
In response to VictGarc1

Created on ‎04-28-2021 02:07 PM

DNS list goes top to bottom, so all your DNS queries go to 10.20.30.40. The other DNS options are only used if the first one does not reply.

Example:

If you try nslookup one.one.one.one, the server 10.20.30.40 will reply "1.1.1.1". With that information, now you are going to use your routing table to get to 1.1.1.1, which will be reachable through your wireless card, since you dont have 1.1.1.1 in the vpn split tunneling configuration.
1538
0 Kudos
VictGarc1
New Contributor

Created on ‎04-28-2021 02:43 PM

Yes ,I know,this works as you said.
But I don't understand the reason why I make a DNS configuration for only one interface fortivpnssl and this configuration applies in every interfaces of my laptop. I only want these DNS to resolve IP addresses inside ssl vpn. the other traffic have other DNS.

1538
0 Kudos
LestYang
New Contributor II
In response to VictGarc1

Created on ‎04-29-2021 08:37 AM

As Lucas mentioned, this is expected behavior for the VPN.  You can enable DNS split tunneling if you want to restrict certain lookups to use the VPN-specified DNS server:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD48421
1538
0 Kudos
VictGarc1
New Contributor
In response to LestYang

Created on ‎04-29-2021 09:25 AM

Yes Lester, I use split DNS / set DNS in portal to solve that. if this is expected behavior I don't like it. 
For instance, with other SSL-VPN (Juniper NC) DNS configuration only applies in its interface not for the rest. 
I have several interfaces in my laptop vmware adaptors, wired,and wireless cards ..... I don't like that for my fortigate ssl-vpn configuration all interfaces have the same DNS.
My goal is to put only DNS in one interface,fortisslvpn.... perhaps this is a behaviour of Windows OS that share DNS configurations with all NICs.

I will try to test in Linux client to see the difference

Thank you guys
1538
0 Kudos
LestYang
New Contributor II
In response to VictGarc1

Created on ‎04-29-2021 12:55 PM

It'll be interesting to see if it happens with Linux.  Keep us posted. 



1538
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.