pavankr5 (Staff)
Article Id 334325
Description: This article describes how to resolve an issue where a local domain does not resolve because the DNS server is hosted behind another firewall on the far side of a VPN tunnel.
Scope: FortiGate.
Solution

Scenario:

  • Although the DNS server was reachable (pingable) across the tunnel, the domain was still not resolving.
  • Upon investigation using a packet sniffer, it was observed that DNS requests were being routed through the WAN port instead of the VPN tunnel.
  • Further analysis revealed that there was a policy route in place directing DNS traffic through the WAN interface, bypassing the intended tunnel path.

A debug flow shows exactly what happens to a packet once it enters the FortiGate. The following commands reset any previous debug settings, filter on DNS traffic (port 53) to the DNS server at x.x.x.x, enable debug output and start the trace, which identifies the path the packets are actually taking:

diagnose debug reset
diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter port 53
diagnose debug enable
diagnose debug flow trace start 100

More details and how to interpret this output can be seen here: Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...

Solution:

To resolve the issue, update the existing policy route to direct DNS traffic through the VPN tunnel instead of the WAN interface. After re-configuring the policy route, the local domain will start resolving correctly, confirming that the traffic is being routed through the correct path via the VPN tunnel.
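As an added example (not part of the original article), the following FortiOS CLI shows a policy route of the kind described: first with the WAN egress that caused the symptom, then corrected to send DNS traffic out of the route-based IPsec interface. The interface names (port1, wan1, to_HQ), the subnets, the DNS server address and the gateway are assumptions chosen for illustration.

```fortios
# Policy route as found during troubleshooting (constructed example):
# DNS from the LAN to the remote DNS server 10.20.0.53 is forced out
# wan1 towards the ISP gateway, so it never enters the tunnel.
config router policy
    edit 1
        set input-device "port1"
        set src "10.10.0.0/255.255.255.0"
        set dst "10.20.0.53/255.255.255.255"
        set protocol 17
        set start-port 53
        set end-port 53
        set gateway 203.0.113.1
        set output-device "wan1"
        set comments "DNS via WAN (misrouted)"
    next
end

# Corrected entry: identical match criteria, but the output device is
# the IPsec tunnel interface "to_HQ". The gateway is cleared because a
# route-based tunnel interface is point-to-point and needs none.
# Add a second entry with protocol 6 if DNS over TCP must follow the
# same path.
config router policy
    edit 1
        set input-device "port1"
        set src "10.10.0.0/255.255.255.0"
        set dst "10.20.0.53/255.255.255.255"
        set protocol 17
        set start-port 53
        set end-port 53
        unset gateway
        set output-device "to_HQ"
        set comments "DNS via VPN tunnel"
    next
end
```

After the change, `diagnose firewall proute list` shows the policy route together with its hit counter, and a fresh debug flow should report the DNS packets leaving via the tunnel interface rather than wan1.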