FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
carabhavi
Staff
Staff
Article Id 194766

Description


Split DNS for SSL VPN portals allows to specify which domains are resolved by the DNS server specified by the VPN, while all other domains are resolved by the DNS specified locally.

This article describes this feature.

 

Scope

 

FortiGate.


Solution


FortiClient receives this information when the client connects in tunnel mode.
FortiClient will push the DNS servers specified to the client’s computer and all DNS requests will first attempt use this DNS server.
The FortiClient network driver will intercept DNS requests; if they match the split-dns listed, the DNS request will go across the tunnel and be resolved by the specified DNS servers.

If the domain does not match split-dns then the FortiClient network driver will respond to the DNS request with 'no such name' forcing the DNS request to be resolved by the physical adapter DNS.

 

Add the split DNS Servers IP address in split-tunneling-routing-address in the SSL VPN Web portal and also create the Firewall policy allowing SSL VPN clients to connect to the split-dns servers.


Configure split DNS support for SSLVPN portals from CLI.

 

 
 config firewall address
     edit "SPLIT-DNS-SUBNET"
          set subnet 192.168.1.0 255.255.255.252
     next
end
 
config vpn ssl web portal
    edit <name>
        set split-tunneling enable
        set split-tunneling-routing-address "SPLIT-DNS-SUBNET"
         config split-dns
            edit <name>
                set domains "abc.com,cde.com"
                set dns-server1 192.168.1.1
                set dns-server2 192.168.1.2
                set ipv6-dns-server1 xxxxxxxxxxxx
                set ipv6-dns-server2 xxxxxxxxxxxx
            next
        end
    next
end
 

Configure split DNS support for SSLVPN portals from GUI.

 

 
WEB-PORTAL.png

 
Only the mentioned domain DNS query will be routed via SSL tunnel.
 
Note:
When testing using 'nslookup' command on the client computer, it is necessary to specify an IP address of the DNS server provided by the FortiGate otherwise, it will only query the client system DNS server. For example nslookup abc.com 192.168.1.1.
 
Note:
This feature is not supported in IOS  and Android devices.