Hi community !
We have setup split DNS on our SSLVPN for our remote workers that works quite well.
All there requests to internal names are forwarded to our internal DNS servers via the tunnel, all "normal" requests are using the users public DNS. Fine, that's how it is supposed to work.
The problem is that when the client tries to update its DNS record on the AD DNS server (ie ipconfig /registerdns), the registration packets are not routed correctly to our internal servers. They are sent to the public DNS servers which, of course, refuse the registration request.
There are two consequences.
First the AD DNS is not correctly updated so remote workstations cannot be joined via there FQDN. That's already pretty bad because some of our processes require the workstations to be reached from devices inside our LAN.
Second, the interface tries very hard to register the DNS entry, and our windows log is spammed with DNS registration errors (event ID 8019, twice per second). The DNS Client is using form 10% to 25% of CPU on these workstations !
We tried to not use split DNS and to route all requests through the tunnel to our internal server, but the tunnel is very often not fast enough (remote workers often have connections with quite high latency). Therefore the system becomes very painful to use.
Another precision : the windows DNS Client is trying to register its DNS record on its main network interface (Ethernet or Wifi), which is fine when working from the office but not when working remotely. It is not trying to register its DNS record on the "Fortinet SSL VPN Virtual Ethernet Adapter" !
Is there anything I can do about this, or is this something that should be fixed in Forticlient ?
Thanks !
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @hbac
This did not help. I just connected this morning and my workstation's IP has not been updated in the internal DNS.
I still have the same error in the event log (8019). At least it's not happening twice per second but only once (I guess this might have been a windows bug).
BTW, why would this work if ipconfig /registerdns fails ? Does this registry key behaves differently than the "standard" registration ?
We used the FortiClient (EMS) and found that it breaks the Secure DynamicDNS Update process just by having the app installed on the PC.
FortiGate bug ID 0964456
Rel. https://community.fortinet.com/t5/Support-Forum/FortiClient-EMS-DNS-Dynamic-update-issue/m-p/279675
We currently use the free FortiClient VPN 7.2.2.0864, that does not habe the DNS issue.
You can test this by going to your DNS server, Zone properties, General Tab and permit unsecure "Dynamic updates".
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.