Fortigate as SSL VPN Client - DNS Issues?
Hello!
We recently setup our Fortigate to act as an SSLVPN Client for access to a vendor network. After doing so, we noticed name resolution of FQDNs failing for internal domains. I checked the DNS config via 'diag test app dnsproxy 2' and found two addresses listed which are not the same as those found under config system dns. I had a hunch that local-out DNS requests were going to DNS servers provided by the SSL VPN server - and after connecting a Windows endpoint and confirming, we have a case open with Fortinet TAC for resolution/confirmation this is a bug (SSLVPN Client overriding system-level DNS).
Has anyone ever run into this? I didn't see anything in the documentation related to DNS under the SSL VPN client config or release notes.
Thanks!
I tested the same with an FGT running 7.2.8. If the SSL VPN configuration contains a DNS server, that overrides the DNS on the client when the VPN is connected.
FGVM-DR (settings) # show
config vpn ssl settings
set dns-server1 8.8.4.4
GW # diag test app dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=8.8.4.4 latency=1 updated=908
Basically this should affect the traffic originated from FGT itself, the end host can have their DNS configured on the DHCP scope.
If you have found a solution, please like and accept it to make it easily accessible for others.
I did a search internally and it seems that this is the expected behavior. If the SSL VPN server has the DNS configured with "set dns-server1", then the SSL VPN client will update/override the DNS.
GW # diag test application dns 3
...
DNS override links:
fd=35
DNS dynamic server override (cnt=1 version=3:3):
fd=35 vfid=0 vrf=0 server=8.8.4.4:0
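The practical check behind this thread is to compare what `config system dns` says the FortiGate should use against what `diag test app dnsproxy 2` shows it is actually using once the SSL VPN client tunnel is up; any resolver in the second list that is absent from the first is one pushed by the VPN server and will receive the unit's own local-out queries. The script below is an added example, not code from the thread or from Fortinet: it parses constructed copies of both outputs (the sample addresses 10.10.1.53, 10.10.2.53 and 8.8.4.4 are made up, with 8.8.4.4 standing in for the VPN-pushed server as in the replies above) and reports the unexpected resolvers. On a real unit you would paste the two CLI outputs in place of the constructed strings.

```python
import re

# Constructed sample of `config system dns` output (not taken from the thread).
SYSTEM_DNS_OUTPUT = """\
config system dns
    set primary 10.10.1.53
    set secondary 10.10.2.53
end
"""

# Constructed sample of `diag test app dnsproxy 2` output, shaped like the
# excerpt in the replies, captured after the SSL VPN client tunnel came up.
DNSPROXY_OUTPUT = """\
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=8.8.4.4 latency=1 updated=908
vfid=0 server=10.10.1.53 latency=2 updated=910
"""


def parse_system_dns(text):
    """Return the set of resolvers named on `set primary` / `set secondary` lines."""
    return set(re.findall(r"^\s*set (?:primary|secondary)\s+(\S+)", text, re.M))


def parse_dnsproxy_servers(text, vfid=0):
    """Return the resolvers dnsproxy is actually using for the given VDOM id (vfid)."""
    pattern = re.compile(r"^vfid=(\d+)\s+server=([0-9A-Fa-f.:]+)", re.M)
    return {server for vf, server in pattern.findall(text) if int(vf) == vfid}


def unexpected_resolvers(system_dns_text, dnsproxy_text, vfid=0):
    """Resolvers in use by dnsproxy that the system DNS config never listed.

    A non-empty result means something other than `config system dns` (here,
    the SSL VPN server's dns-server1/dns-server2 setting) has populated the
    resolver list, so the FortiGate's own lookups go to those servers.
    """
    configured = parse_system_dns(system_dns_text)
    in_use = parse_dnsproxy_servers(dnsproxy_text, vfid)
    return sorted(in_use - configured)


def main():
    extra = unexpected_resolvers(SYSTEM_DNS_OUTPUT, DNSPROXY_OUTPUT)
    if extra:
        print("dnsproxy is using resolvers not present in config system dns:")
        for server in extra:
            print(f"  {server}")
        print("Local-out DNS from the FortiGate will be sent to these servers; "
              "internal FQDNs may stop resolving while the tunnel is up.")
    else:
        print("dnsproxy resolver list matches config system dns.")


if __name__ == "__main__":
    main()
```

Because the override only applies to traffic originated by the FortiGate itself, this check says nothing about end hosts: as the first reply notes, they keep whatever DNS the DHCP scope hands them, so the comparison above is the place to look when only the unit's own lookups (FortiGuard, logging, web filtering, FQDN address objects) start failing after the SSL VPN client connects.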
