FortiGate
carabhavi
Staff
Article Id 194766

Description


Split DNS for SSL VPN portals allows you to specify which domains are resolved by the DNS server provided by the VPN, while all other domains are resolved by the DNS server configured locally on the client.

This article describes this feature.

 

Scope

 

FortiGate.


Solution


FortiClient receives this information when the client connects in tunnel mode.
FortiClient pushes the specified DNS servers to the client's computer, and all DNS requests first attempt to use these DNS servers.
The FortiClient network driver intercepts DNS requests; if they match the listed split-dns domains, the DNS request goes across the tunnel and is resolved by the specified DNS servers.

If the domain does not match split-dns, the FortiClient network driver responds to the DNS request with 'no such name', forcing the DNS request to be resolved by the physical adapter's DNS server.
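The decision the driver makes for each query, modelled as an added Python example (not Fortinet or FortiClient code). It parses the comma-separated value of the portal's 'set domains' setting and classifies a query name as going over the tunnel or falling back to the physical adapter; suffix matching aligned on DNS labels and case-insensitive comparison are assumptions here, not something the article states.

```python
"""Model of the split-DNS decision described above (illustrative, not Fortinet code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SplitDns:
    domains: tuple          # normalized domains, e.g. ("abc.com", "cde.com")
    tunnel_servers: tuple   # dns-server1 / dns-server2 from the portal config


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; strip whitespace and a trailing root dot.
    return name.strip().lower().rstrip(".")


def parse_split_dns(domains_setting: str, *servers: str) -> SplitDns:
    """Build a SplitDns from the CLI value of 'set domains', e.g. "abc.com,cde.com"."""
    doms = tuple(_normalize(d) for d in domains_setting.split(",") if d.strip())
    return SplitDns(doms, tuple(s for s in servers if s))


def matches_split_domain(qname: str, domain: str) -> bool:
    """True when qname equals the domain or is a subdomain of it (label-aligned).

    'notabc.com' must not match 'abc.com', hence the '.' + domain check.
    Label-aligned suffix matching is an assumption of this model.
    """
    q = _normalize(qname)
    return q == domain or q.endswith("." + domain)


def resolve_decision(cfg: SplitDns, qname: str) -> dict:
    """Return where the client sends the query and what the driver answers locally."""
    for domain in cfg.domains:
        if matches_split_domain(qname, domain):
            # Matched: forwarded across the tunnel to the portal's DNS servers.
            return {"via": "tunnel", "servers": cfg.tunnel_servers,
                    "matched": domain, "driver_reply": "forwarded"}
    # No match: the driver answers 'no such name' so the OS retries on the
    # physical adapter's DNS server (no tunnel traffic is generated).
    return {"via": "physical", "servers": (), "matched": None,
            "driver_reply": "no such name"}


if __name__ == "__main__":
    # Constructed sample config matching the CLI example in this article.
    cfg = parse_split_dns("abc.com,cde.com", "192.168.1.1", "192.168.1.2")
    for name in ("www.abc.com", "notabc.com", "mail.cde.com", "example.org"):
        print(name, "->", resolve_decision(cfg, name))
```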

 

Add the split DNS servers' IP addresses to split-tunneling-routing-address in the SSL VPN web portal, and create a firewall policy that allows SSL VPN clients to reach the split DNS servers.


Configure split DNS support for SSL VPN portals from the CLI:

 

 
config firewall address
    edit "SPLIT-DNS-SUBNET"
        set subnet 192.168.1.0 255.255.255.252
    next
end

config vpn ssl web portal
    edit <name>
        set split-tunneling enable
        set split-tunneling-routing-address "SPLIT-DNS-SUBNET"
        config split-dns
            edit <name>
                set domains "abc.com,cde.com"
                set dns-server1 192.168.1.1
                set dns-server2 192.168.1.2
                set ipv6-dns-server1 xxxxxxxxxxxx
                set ipv6-dns-server2 xxxxxxxxxxxx
            next
        end
    next
end
 

Configure split DNS support for SSL VPN portals from the GUI:

 

 
[Image: WEB-PORTAL.png]

 
Only DNS queries for the listed domains will be routed via the SSL tunnel.
 
Note:
When testing with the 'nslookup' command on the client computer, specify the IP address of the DNS server provided by the FortiGate; otherwise it will only query the client system's DNS server. For example: nslookup abc.com 192.168.1.1.
To test whether split DNS is using the tunnel correctly while performing a packet capture, use the 'ping' command instead of 'nslookup' to generate the DNS request: ping abc.com. This is important because 'nslookup' will not utilize the split tunnel and can appear not to be working when testing.
 
Note:
This feature is not supported on iOS and Android devices.