Fortinet Forum
jokes54321
New Contributor III

Wrong DNS Server used by random clients

We've been using Fortigate and FortiClient managed by EMS for many years now. The Fortigate is currently on 6.0.10 and the FortiClients vary from 6.0.5 to 6.0.10. We have several hundred VPN users and most work without issues.

We've had a couple of users now report they cannot access internal resources. When we check the client, we find they can reach the host by IP, but it appears Windows isn't using the internal DNS server to resolve the host name. If we open a command prompt and type NSLookup, it connects to the internal DNS server we have defined in the SSLVPN settings. We confirmed the DNS suffix is also configured in the Fortigate SSLVPN configuration.

The large majority of clients work, but it seems the list of users having issues resolving internal hosts by name is slowly growing. I'm not sure if a Windows update has suddenly caused this to start, but I am looking to the community for some suggestions.

Denny

1 Solution
jokes54321
New Contributor III

We believe we tracked this issue down. We discovered the clients having issues were using IPv6 and learned about this feature in Windows called "Smart Multi-Homed Name Resolution". It sounds like Windows will forward a DNS query to both the IPv6 and IPv4 DNS servers and use the first response.

We added a regkey to disable the parallel queries and the issue cleared.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

  • If the Dword value DisableParallelAandAAAA already exists, make sure its value is set to 1.
  • If the value does not exist, right-click on Parameters, and select New > Dword (32-bit) Value.
  • Name it DisableParallelAandAAAA.
  • Set the value of the Dword to 1. You can turn the feature back on by setting the value to 0, or by deleting the value.

Denny
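As an added example (not from Denny's post or from Fortinet), the PowerShell below audits the DisableParallelAandAAAA value from the steps above on a Windows client, lists which DNS servers each adapter hands to the resolver per address family, and sets the value only when run with -Apply. The policy value DisableSmartNameResolution it also reports is assumed to be the Group Policy equivalent ("Turn off smart multi-homed name resolution") of the same behaviour.

```powershell
# Added example, not from the forum post: audit and optionally apply the
# DisableParallelAandAAAA fix on a Windows VPN client.
# Assumes Windows PowerShell 5.1+, run elevated when -Apply is used.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # without -Apply the script only reports
)

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
# Assumed GPO location for "Turn off smart multi-homed name resolution"
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Current state of the per-service value from the post and of the policy value.
$parallel = Get-DwordOrNull $svcKey 'DisableParallelAandAAAA'
$policy   = Get-DwordOrNull $polKey 'DisableSmartNameResolution'
'DisableParallelAandAAAA        : {0}' -f $(if ($null -eq $parallel) { '<absent>' } else { $parallel })
'DisableSmartNameResolution(GPO): {0}' -f $(if ($null -eq $policy)   { '<absent>' } else { $policy })

# 2. DNS servers per adapter and address family, so a tunnel adapter carrying only
#    IPv4 servers next to a LAN adapter carrying IPv6 servers is visible at a glance.
Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias,
        @{ n = 'Family'; e = { if ($_.AddressFamily -eq 23) { 'IPv6' } else { 'IPv4' } } },
        ServerAddresses |
    Format-Table -AutoSize

# 3. Apply the post's fix only when asked (honours -WhatIf / -Confirm).
if ($Apply -and $parallel -ne 1) {
    if ($PSCmdlet.ShouldProcess($svcKey, 'Set DisableParallelAandAAAA = 1')) {
        New-ItemProperty -Path $svcKey -Name 'DisableParallelAandAAAA' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        Clear-DnsClientCache   # drop answers cached from the wrong server
        Write-Output 'Set DisableParallelAandAAAA = 1; reconnect the VPN and retest name resolution.'
    }
}
```

Run it without -Apply first on an affected client and compare the adapter table against a working one; the difference in IPv6 DNS servers is what the post's explanation predicts.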

3 REPLIES

Pascallozz

I had the same problem. But with this solution you don't have to adjust regedit.

The way to fix this is using the CLI, since you do not have that option in the web interface.

Start the CLI:

  • config vpn ipsec phase1-interface
  • edit <VPN NAME>
  • set dns manual
  • set ipv4-dns-server1 x.x.x.x (your local DNS server)
  • set ipv4-dns-server2 x.x.x.x (your secondary DNS server)
  • set domain yourdomain.local
  • end

Reconnect the VPN and you will see that you now have the correct IP address information.

Cheers

Pascallozz

I had the same problem, here is how I solved it:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD37484