Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
raffaeledp
Contributor

Created on ‎11-14-2024 12:22 AM

Custom DNS is not working with a VPN Client

Hello everybody, 

I'm working on a 60F Fortigate.

I have an internal domain called vpn.xxx.com. I set some custom DNS records to redirect the request to vpn.xxx.com to a specific machine. The interface we are working on is the Wi-Fi interface.

Screenshot 2024-11-13 alle 10.02.07.png

From the picture, 192.168.1.1 is the router. So far, so good. Everything is working. My network settings are:

Screenshot 2024-11-13 alle 10.04.56.png

Screenshot 2024-11-13 alle 10.05.08.png

 If I ping vpn.xxx.com:

 10.1.0.1 replies correctly

 

Screenshot 2024-11-13 alle 10.04.23.png

 

Now I connect to a VPN Client. The network settings I showed before remain the same. The difference, now is that 10.1.0.1 is not the one ho replies to the ping. Now, 79.x.x.x replies to the ping:

Screenshot 2024-11-13 alle 10.14.27.png

and vpn.xxx.com is not reacheable anymore. Who is 79.x.x. x? Is the WAN interface of the Fortigate:

 

Screenshot 2024-11-13 alle 10.15.08.png

Now, you cou ld say that the problem is the VPN, that probably changes some DNS stuff. It could be right, but there is only one problem. If I disconnect from the Wi-Fi (on wich are set DNS custom records) and connect to my phone hotspot and to the VPN Client, vpn.xxx.com is reacheable again.

To the ping, 79.x.x.x replies correctly and vpn.xxx.com is correctly functioning.

What's happening? Thank you very much for your support!

 

 

 

RDP
RDP
Labels:
431
0 Kudos
7 REPLIES 7
raffaeledp
Contributor

Created on ‎11-14-2024 12:24 AM

Just to be clear:

the only time that vpn.xxx.com is not reacheable is when I'm on the Wi-Fi and I have the VPN client turned on.

RDP
RDP
427
0 Kudos
ebilcari
Staff
Staff

Created on ‎11-14-2024 01:23 AM

Indeed it seems like a DNS resolving issue, most probably after the VPN is connected, a public DNS server is used to resolve domains that's why you get the public A record. You can verify with nslookup command in the end host which DNS server is responding.

Is the VPN connected with the same FGT or to another device?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
397
raffaeledp
Contributor
In response to ebilcari

Created on ‎11-14-2024 01:45 AM

this are the nslookup (the VPN client is on the device which is pinging vpn.xxx.com):

 

Wi-Fi network without VPN (functioning):

 

raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

Server:    10.1.10.1

Address:  10.1.10.1#53

 

Name:  vpn.xxx.com

Address: 10.1.0.1

 

Hotspot (or any other network) network with VPN (functioning):

raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

Server: 10.20.10.115

Address: 10.20.10.115#53

 

Non-authoritative answer:

Name: vpn.xxx.com

Address: 79.9.x.x

 

Hotspot (or any other network) without VPN (functioning):

raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

Server: 96.45.45.45

Address: 96.45.45.45#53

 

Non-authoritative answer:

Name: vpn.xxx.com

Address: 79.9.x.x

 

Wi-Fi network with VPN (not functioning):

 

raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

Server:    10.20.10.115

Address:  10.20.10.115#53

 

Non-authoritative answer:

Name:  vpn.xxx.com

Address: 79.9.x.x

RDP
RDP
381
0 Kudos
ebilcari
Staff
Staff
In response to raffaeledp

Created on ‎11-14-2024 02:00 AM

It appear that after the VPN is connected, the client is forced to use this DNS server: 10.20.10.115, that most probably forward the requests to a public DNS server that's why it responds with a public IP.
Do you manage the network device that offer the VPN to this client?
What is the final goal in this case, do you need the name resolution of 'vpn.xxx.com' to connect to a second VPN while still connected in the first VPN?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
371
raffaeledp
Contributor
In response to ebilcari

Created on ‎11-14-2024 02:32 AM

 

 

 

Thanks for your reply,

the goal is to obtain the same behavior from the Wi-Fi network and from the Hotspot network. 

The problem is that the VPN is causing problem only on the Wi-Fi network.

If I look at the two dnslookup, they look the same:

 

 

Hotspot (or any other network) network with VPN (functioning):

raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

Server: 10.20.10.115

Address: 10.20.10.115#53

 

Non-authoritative answer:

Name: vpn.xxx.com

Address: 79.9.x.x

 

Wi-Fi network with VPN (not functioning):

 

raffaeledipascale@MacBook-Pro-DiPascale ~ % nslookup vpn.xxx.com

Server:    10.20.10.115

Address:  10.20.10.115#53

 

Non-authoritative answer:

Name:  vpn.xxx.com

Address: 79.9.x.x

 

 

I cannot manage the device that is offering VPN access service. The client is Cisco Secure Connect.

How is that possibile that the same dnslookup works in the first case but not in the second case?

 

 

 

 

RDP
RDP
358
0 Kudos
ebilcari
Staff
Staff
In response to raffaeledp

Created on ‎11-14-2024 03:12 AM

After the VPN is connected, verify the routing table of the end host on how the public IP is reachable 79.9.x.x (full or split tunnel).
In case the VPN is in split tunnel mode and the host is connected to the WiFi provided by the same FGT, FGT may drop the packets that are coming from the WiFi interface (internal) towards its WAN interface.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
341
bakriwa5
New Contributor

Created on ‎11-14-2024 03:07 AM

Usually with clients connecting to SSL VPN, they use whatever DNS servers your VPN gateway tells them to use. These servers should be specified somewhere in your client VPN configuration. The ISP cannot magically hijack your VPN clients' configuration and inject their own DNS server into your IP, you are giving this out to your clients somewhere along the chain.

346
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.