Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pimzand
New Contributor II

How to stop Forticlient from using the peer DNS server and suffix

We are using Forticlient with a number of business relations. We do no not control their server side. We need Forticlient to give remote support using RDP to a server with a known IP address, nothing else.

 

We do not want to use their DNS servers. Not for our internal network, and not for public addresses. Using it for their domain would be fine, but we could do without that as well.

 

What we certainly do not want is Forticlient to replace the global DNS suffix list from our Active Directory domain to theirs. And we do not want Forticlient to add their DNS server IP addresses to all of our network interfaces, not just the SSL VPN interface.

 

Although our business relations are sympathetic to the problems their VPN is causing in our network, they do not appear to have the knowledge to do anything about it.

 

What used to work for us is to use the Forticlient from the Windows Appstore. It would use split DNS out of the box, But unfortunately we can't use the Forticlient with Microsoft MFA.

 

Is there any way to make the Forticlient work like the one from the Appstore?

 

The appstore client works perfect in that respect. It will add the peers DNS suffix to the global search list, not replace it. It will add the peers DNS IP addresses to the VPN network interface only, and set the connection-specific DNS suffix. This will lead to a perfect split DNS out of the box.

 

Thanks,

Pim

7 REPLIES 7
pimzand
New Contributor II

Here's another post by @hpadm who appears to have the exact same problem.

https://community.fortinet.com/t5/Support-Forum/Dealing-with-DNS-server-and-DNS-suffix-being-set-by-...

 

In our case, our business partner was able to stop pushing their DNS server IP addresses, but we still get their DNS domain suffix. And because they have a wildcard A record in their public DNS, all our internal local hostnames get resolved to the public IP address of their wildcard record.

 

ebilcari

Since the SSL VPN configurations are done in FGT, the FCT has to add the suffix in the OS. The DNS suffix can also be removed from the SSL configuration, same like the DNS server IP that got removed:

config vpn ssl settings
set dns-suffix "testdomain.eu"

set dns-server1 10.1.1.10

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
pimzand
New Contributor II

So could they make a second config for us, associate our accounts with that config, and not change the config for their own users?

 

If they don't  or can't: why can't we just overrule the server config in the client, like the Fortinet appstore client does just fine?

 

Thanks,

Pim

ebilcari

Since this is a global configuration I'm afraid it can't be selected for specific users.

The DNS suffix is offered for that connection but it's up to the OS to choose how to use it, maybe OS choose to ignore it in case of the appstore client.

What you can do in this case is to try and change the DNS configuration for the VPN Virtual adapter:

vpn adapter.PNG

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
pimzand
New Contributor II

I'm afraid that does not work. The Fortinet client does not assign the server DNS suffix to the connection-specific adapter DNS suffix, but it inserts it into the global DNS suffix list. Meaning we can no longer resolve our non-FQDN hostnames when the VPN session is active. And it alters the network settings of all active adapters. For instance, it changes our  dynamic DNS IP address list of our ethernet adapter to a static list, with the VPN DNS IP addresses prepended to it. 

 

These changes are reversed when gracefully ending the VPN session, but I have seen that sometimes the changes have become persistent, probably caused by ungracefully ending the VPN session. When that happens my users keep using remote DNS IP addresses that cannot be reached, slowing down their computers tremendously, even when they are not using the VPN.

 

This could all be solved if the Fortinet client would just use the connection specific adapter for its configuration (like any other VPN I know) and not touch other adapters nor the global DNS suffix list.

ebilcari

I haven't test it but unchecking those options should prevent the connection from altering the DNS configuration of the OS.

It looks like there is also possible to set the DNS configurations based on SSL portal this article, and to be applied only to a specific group of users:

config vpn ssl web portal
  edit "DNS-suffix-test"
    set tunnel-mode enable
    set dns-server1 1.2.3.4
    set dns-suffix "testdomain.eu"

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
pimzand
New Contributor II

Thanks, I will try to convince our business partner to try this out on their side.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors