Hello!
We recently setup our Fortigate to act as an SSLVPN Client for access to a vendor network. After doing so, we noticed name resolution of FQDNs failing for internal domains. I checked the DNS config via 'diag test app dnsproxy 2' and found two addresses listed which are not the same as those found under config system dns. I had a hunch that local-out DNS requests were going to DNS servers provided by the SSL VPN server - and after connecting a Windows endpoint and confirming, we have a case open with Fortinet TAC for resolution/confirmation this is a bug (SSLVPN Client overriding system-level DNS).
Has anyone ever ran into this? I didn't see anything in the documentation related to DNS under the SSL VPN client config or release notes.
Thanks!
I tested the same with FGT running 7.2.8. If SSL VPN configurations contain a DNS server configured, that overrides the DNS on the client when VPN is connected
FGVM-DR (settings) # show
config vpn ssl settings
set dns-server1 8.8.4.4
GW # diag test app dnsproxy 2
worker idx: 0
worker: count=1 idx=0
retry_interval=500 query_timeout=1495
DNS latency info:
vfid=0 server=8.8.4.4 latency=1 updated=908
Basically this should affect the traffic originated from FGT itself, the end host can have their DNS configured on the DHCP scope.
I did a search internally and it seems that this is the expected behavior. If the SSL VPN server has the DNS configured with "set dns-server1" than the SSL VPN client will update/override the DNS.
GW # diag test application dns 3
...
DNS override links:
fd=35
DNS dynamic server override (cnt=1 version=3:3):
fd=35 vfid=0 vrf=0 server=8.8.4.4:0
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.