FortiGate
sjoshi
Staff
Article Id 278600
Description

This article describes an issue that can occur when a DNS suffix is configured for SSL VPN users: a short hostname fails to resolve, while the FQDN resolves correctly.


Scope

FortiGate.


Solution

Example:

After connecting to the SSL VPN, Windows and iOS users need to resolve certain internal URLs. Most of the servers are referenced by hostname, so domain users access them by hostname rather than by FQDN.

Specify the internal DNS server under the DNS server settings in the SSL VPN settings.


For iOS users:

If split tunneling is configured, only DNS requests that match the DNS suffixes use the DNS servers configured in the VPN. Due to iOS limitations, the DNS suffixes are not used as a search list as they are in Windows, so using short names (not the fully qualified domain name, FQDN) may not be possible.

In this example, the DNS suffix is configured as fiori.greatshipglobal.com.

 

Resolving the FQDN fiori.greatshipglobal.com from iOS/Windows works fine, but resolving the hostname GILMUM01 does not work.

If the full FQDN GILMUM01.greatship.local is entered, it resolves properly.

In this case, GILMUM01 is the hostname and greatship.local is the domain name.

When the DNS suffix is removed from the Windows machine (domain user), the hostname works fine: GILMUM01 resolves to the correct IP address without the DNS suffix.

 

The PCAP below was taken with the DNS suffix added:

[Image: dns.PNG, packet capture of the DNS query]


From the PCAP: when the user sends a DNS query with only the hostname, the client appends a domain taken from the list of DNS suffixes configured under SSL VPN settings.

The correct FQDN is GILMUM01.greatship.local, but because of the DNS suffix the query is sent for GILMUM01.fiori.greatshipglobal.com. That is not the correct FQDN, so the DNS server cannot resolve it to the correct IP address.

So when a DNS suffix is configured and only the hostname is used, the client by default takes the domain from the DNS suffix list (the first domain).

 

To address this issue, configure the DNS suffix as below:

  • DNS suffix as greatship.local;fiori.greatshipglobal.com;(other_domain).
  • The first entry in the list should always be the correct domain for those hostnames.
  • After that, the hostname will resolve.
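As an added example (not part of the original article), the equivalent FortiOS CLI configuration, with the problematic single-suffix setting beside the corrected ordered list. This assumes the `dns-server1` and `dns-suffix` keywords under `config vpn ssl settings`; the DNS server address 10.0.0.53 is a placeholder for the internal DNS server.

```fortios
# Problematic: only fiori.greatshipglobal.com is in the suffix list, so a
# query for the bare hostname GILMUM01 is sent as
# GILMUM01.fiori.greatshipglobal.com and gets no answer.
config vpn ssl settings
    set dns-server1 10.0.0.53
    set dns-suffix "fiori.greatshipglobal.com"
end

# Corrected: the domain that owns the hostnames is listed first, so the
# client appends greatship.local and resolves GILMUM01.greatship.local.
# Further domains are separated by semicolons.
config vpn ssl settings
    set dns-server1 10.0.0.53
    set dns-suffix "greatship.local;fiori.greatshipglobal.com"
end
```

To check the result, have a Windows user reconnect to the SSL VPN and run `ipconfig /all` (the suffix search list is shown on the VPN adapter) followed by `nslookup GILMUM01`; a new packet capture should now show the query for GILMUM01.greatship.local. On iOS the suffixes are not used as a search list, as noted above, so short names may still need the FQDN there.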