Description
This article describes how to split tunnel and split DNS work.
Scope
FortiOS 6.4.x onwards.
Solution
Consider the following scenario:
- The SSL VPN tunnel will route only the internal network, while all other network traffic including internet traffic will go through the ISP (Internet Service Provider). This is a split tunnel scenario.
- Only local domain requests will be forwarded to the local DNS Server, while all other domains will be forwarded through the ISP DNS server. This is a split DNS tunnel scenario.
See the documentation on How to configure split DNS.
User IP config on ethernet physical adapter:
Once the user is connected to the SSL VPN tunnel with the FortiClient application, the virtual adapter will appear as follows:
As shown above, the default gateway is blank, which means the split tunnel feature is enabled. The local DNS server address 192.168.99.254 has been added.
All destinations to subnet 192.168.0.0/16 will be routed through the gateway 10.212.134.201 (virtual adapter), while all other subnets will be routed through 192.168.1.1 (physical adapter). Make sure this local subnet, will cover the subnet of the local DNS server: 192.168.99.254.
Config example:
config vpn ssl web portaledit "full-access"
set tunnel-mode enable
set ipv6-tunnel-mode enable
set web-mode enable
set save-password enable
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set ipv6-pools "SSLVPN_TUNNEL_IPv6_ADDR1"
config bookmark-group
edit "gui-bookmarks"
next
end
config split-dns
edit 1
set domains "40gate.co.id,40net.id" <- hr.40gate.co.id, hr.40net.id - will be resolved by local DNS server.
set dns-server1 192.168.99.254
next
end
next
end
config firewall policy
edit 9
set name "ssl_vpn"
set uuid f8b17258-f0ff-51ed-7d3e-35d09de9fbf6
set srcintf "ssl.root"
set dstintf "root_dns0"
set action accept
set srcaddr "SSLVPN_TUNNEL_ADDR1"
set dstaddr "net_192.168.0.0/16"
set schedule "always"
set service "ALL"
set users "fortinet"
next
end
This is how the virtual adapter dictates when the DNS request is sent to the local DNS server or global/ISP DNS. The FortiClient adapter segregates which domain name has to be resolved to which DNS server at this stage.
Only the local domain name request is routed to the local DNS server.
25.274791 root_dns1 in 10.212.134.200.57396 -> 192.168.99.254.53: udp 33 <- User is routed to the local DNS server.
25.274949 root_dns1 out 192.168.99.254.53 -> 10.212.134.200.57396: udp 49
Note:
This feature is not currently supported on IOS and Android.
Tips:
- When troubleshooting DNS resolution issues, consider comparing the behavior between different operating systems. For example, it may work as intended with Windows 10 but not Windows 8, despite how the same FortiClient version is installed. This may occur due to the operating system driver. Open a FortiClient support ticket for further assistance.
- It is possible to opt to enable either split tunnel or split DNS only.
For example:
- If only split DNS is enabled, only local domain requests will be routed to the local DNS server, while the global domain will be routed to the global/ISP DNS server. All other traffic will be routed through the tunnel.
- If only split tunnel is enabled, there will be no separation between local and global domain requests, all will be resolved by the user-configured DNS server. The local network specified will be routed through the tunnel, while the rest traffic will be through ISP/Internet.
- If testing to ensure split DNS is working and the configured domain is going across the tunnel, do not rely on the nslookup command as this will not work. Instead, simply ping the domain and check if the DNS is resolved correctly.
