Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Dealing with DNS server and DNS suffix being set b...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dealing with DNS server and DNS suffix being set by third party FortiGate server
We are required to access a third party service via a FortiClient VPN connection to their FortiGate-managed network. Their configuration is (unintentionally) hostile to our AD-managed LAN, pushing things like a default route that is blackholed, dns servers that either don't respond or spoof answers, interface metric 1 to give them priority over ours, and dns suffixes that override our primary suffix. This causes our workstations to lose contact with AD, unable to resolve server and printer names, and eventually drop out of the domain.
In the past I have been able to set countermeasures against most of those using a combination of FortiClient XML config settings and windows policies. The third party service doesn't use or need DNS names, so the easiest way was to prevent things from being set. But with the current version, I have trouble with the following:
1. DNS servers are being set on the SSL VPN adapter interface. Together with Metric=1, this causes the dns servers to become the 'most preferred' / default, and all queries will first go to them. Not only does this result in an information leak, the servers can also do spoofing or have a catch-all rule that breaks everything. In older FC versions that used a RAS adapter, manually set DNS servers would not get overwritten; now they do, so this method of blocking doesn't work anymore. If the vpn interface had a higher (automatic) metric than the physical interface, that could at least be a partial fix. The only other idea I have is to firewall the servers off and accept the 2-second query timeouts (plus a 20-second vpn connection delay).
2. Primary DNS suffix is being set on all interfaces, including the physical one, and it's being placed at the top, overriding the suffix for our AD domain. AD requires clients to be able to resolve the short name for the domain and its servers, so this immediately breaks AD, in addition to not being able to resolve printers, desktop shortcuts, shared drives, etc. Interfaces have a "Connection-specific dns suffix" setting, so maybe FortiClient should be using that instead of editing the global suffix search list. Or maybe it should be adding it to the end of the list. There's also a flaw with this approach, where if the workstation bluescreens or loses power, the vpn suffix gets stuck there and persists.
This third party network's configuration has been a problem for at least 6 years, with no improvement in sight. This despite them having many other enterprise clients. I don't have any hopes in them developing a solution on their own, and I can only guess how their configuration looks like. The other approach would be to deal with it clientside. FortiClient already contains a bunch of vpn options to control dns behavior, so maybe more could be added to deal with this.
EDIT: I have been able to lock down the global suffix search list via a specific Group Policy setting.
EDIT: Using the <on_connect> script it is possible to 'roll back' the changes via 'wmic nicconfig', but it requires admnistrator privileges.
Labels:
- Labels:
-
FortiClient
10162
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably you could set dns-server-override to disabled on the vpn interface to prevent it from adopting dns servers?
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A tip you can share with your 3rd party FortiGate's admins.
1, The general SSL-VPN settings can be set to not override DNS and leave it alone.
The same can be done with domain suffix. (CLI-only)
2, Individual SSL-VPN portals can be configured to override the general setting's DNS IPs and domain suffix lists. (CLI only)
1 + 2 = The third-party admin could set things up so that their own people receive specific portal(s) that use specific DNS IPs and domain suffixes, while other parties (such as you) are set to match a portal that does not override either of these.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the tip. I assume the service is providing the suffix and dns servers so that clients connecting would have a full experience. And/or, as you suggest, they are using a single portal for both their employees and customers. So in that regard, that part is fine, it could even be useful to use dns names for servers for flexibility. The issue stems from poor control of dns in 'split tunneling' mode.
It seems that a low Metric is all it takes for the vpn dns servers to take over. Further making things worse is the altering of the global suffix search list. If FortiClient would instead just define a connection-specific suffix for its interface, then in a default windows configuration, the suffix search list would be generated automatically and sorted by Metric. FortiClient's aggressive approach ensures that the vpn goes first. It also breaks things by preventing the primary and connection-specific suffix of the physical interface from being applied (and it does not fill them into the list when it toggles the mode from automatic to manual).
I have done the following adjustments:
1. Set Metric=1 on the physical interface to fix the priority. Hopefully if two interfaces have the same metric, the order will be stable and the physical one will be listed first.
2. Set a suffix search list via Group Policy. This prevents it from being overwritten. Unfortunately it is not possible to enforce automatic mode, only manual mode, so even if a connection-specific suffix were set, it wouldn't have an effect. This prevents me from resolving FQDNs in the vpn network that also exist on the public internet, but fortunately they also have a secondary local suffix.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some testing, I believe I have some observations and suggestions I can offer to the developers to better support the abovementioned scenario. But first, I need to ask about 'split tunneling' mode. On a technical level, what does it do, exactly? I've read that it is used when the client needs to retain access to its existing network, and only use the vpn for certain specific things - which is exactly what is happening in my case. But the documentation does not state what it actually does. Is it a trivial toggle that just changes the client's default gateway and nothing else? Or does it also affect how the client's interface priority, dns server priority, domain suffix priority, etc? Can I find out on the client side if the server is marking the vpn link as split tunnel or not?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Split tunneling deals with routing on the client machine.
"Full tunnel" will push all of the clients outgoing traffic through the tunnel.
"Split tunneling" will only push "interesting" traffic through the tunnel. This is done based on the routing table, so feel free to check your client machine's routing table when you are connected to SSL-VPN with split routing enabled.
Regarding documentation, I have to disagree. The GUI provides pretty self-explanatory description of this functionality. Not sure what else you would like to add to it.
[ corrections always welcome ]
Created on 09-28-2022 08:17 AM Edited on 09-28-2022 10:20 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-duplicate-
Created on 09-28-2022 12:16 PM Edited on 09-29-2022 07:46 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the clarification. I do not have administrative access to the Fortigate host nor can I view its configuration; I can only connect via ssl vpn as an user/customer. I tried looking up info on the fortinet website (there's a section for split tunneling), in the forticlient administrative guide (only reference is in ipsec, with no explanation), and in the fortigate administrative guide (something must have broke because back then I only got a few matches). From the above description, it seems split tunneling is unrelated to DNS and seems to directly correlate with the 'traffic_control' forticlient config section. (Can I see a dump of the server's settings somewhere in the logs?)
What I did notice was a section called "Split DNS". It seems to be directly mentioning the behavior that I desire ("only resolve hosts from these specified domains via the vpn's dns servers"). However, it was too technical for me and I was not able to deduce the full extent of the effects it should have on the client host, or the means in which it operates. I also can't tell if Forticlient can actually do that (via some kind of kernel driver?) because windows does not have that feature, or if it's something that is assumed to be happening and was never actually checked on a real pc. Unfortunately, I only have the clientside view of the situation and I have zero experience operating FortiGate, so the best I can do is report behavior that doesn't seem right or is causing issues, and hope that more experienced people can clue me in.
I have done another detailed re-test. I have submitted the results to the business partner providing the vpn service, however I don't know if that'll go anywhere. I include my findings here as well. The main concerns are:
- Local short names, local FQDNs, as well as internet host names are being sent to an untrusted third party for dns resolution, instead of / before consulting our AD DNS. This is an internal information leak and allows for business espionage by monitoring dns queries. It also allows for connection hijacking via DNS spoofing, and even though the third party is not malicious, an intruder to their network could be. So now all of their customers' network security is tied to their security.
- Forticlient installs a global suffix search list. If one is already present, its entries get pushed down. If instead the host is in the default windows state where the list is automatically determined from the Primary and Connection-Specific suffixes, then those get stomped over by the new global search list and ignored, and the host is no longer able to resolve short names in its own domain. This seems like a glaring bug in Forticlient; shouldn't it manually add the formerly automatic entries to the list?
- If the third party has a misconfigured DNS server with a wildcard catch-all rule, then name resolution will always break once it reaches that point. And since the third party's suffixes are in front of ours (if ours is in there at all), none of our LAN short names nor FQDNs will ever resolve properly.
- Windows decides the DNS server query order solely based on the interface metric. Forticlient sets metric=1 on its vpn interface, ensuring that the vpn's dns servers will always be queried first for everything - unless another interface also sets its metric to 1. There is no xml option to make it not do this. Strangely, even if the suffix of the FQDN to be resolved matches the connection-specific suffix of an interface, Windows will not use that as a hint for which DNS server to use, and will keep using the rigid metric-based order.
- Windows 10 sends parallel requests to dns servers on all interfaces, and chooses the first positive reply based on metric order. This includes LAN short names, LAN FQDNs, as well as internet hostnames. This renders any fixes to the above issues moot. This behavior can be disabled via a group policy setting, and should be done as the first thing in this sort of scenario.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,462 -
FortiClient
1,712 -
5.2
801 -
FortiManager
710 -
5.4
639 -
FortiAnalyzer
547 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
219 -
FortiWeb
199 -
5.0
196 -
IPsec
185 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
109 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
32 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
FortiSOAR
13 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1073 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.