Purpose
This article explains how to overcome the DNS resolver issue with the newest Mac OS 10.11 El-Captian when using SSLVPN.
Mac OS X 10.11 introduced a new software issue in the DNS resolver. If there are two network interfaces (such as one ethernet and one WiFi), traffic may be routed into one of the interfaces, while the source IP address is set to the other interface. This flaw impacts FortiClient users when using split tunnel VPN connections.
Expectations, Requirements
Split tunneling and FortiClient should work with Mac OS X 10.11, El-Capitan without any issue.
Configuration
The DNS resolution works differently between iOS and Android.
In Android: once the VPN tunnel is established all the DNS requests are redirected to the internal DNS.
In iOS: once the VPN tunnel is established only the DNS requests with the tunnel DNS suffix are redirected to the internal DNS.
Troubleshooting
Users encountering this issue on Mac OS X 10.11 may:
- Use a public DNS, so that all DNS traffic goes through the public interface.
- Use full VPN tunnels.
- Downgrade to FortiClient 5.2.5.
