New Contributor

How to stop Forticlient from using the peer DNS server and suffix

We are using Forticlient with a number of business relations. We do not control their server side. We need Forticlient to give remote support using RDP to a server with a known IP address, nothing else.


We do not want to use their DNS servers. Not for our internal network, and not for public addresses. Using it for their domain would be fine, but we could do without that as well.


What we certainly do not want is Forticlient to replace the global DNS suffix list from our Active Directory domain to theirs. And we do not want Forticlient to add their DNS server IP addresses to all of our network interfaces, not just the SSL VPN interface.


Although our business relations are sympathetic to the problems their VPN is causing in our network, they do not appear to have the knowledge to do anything about it.


What used to work for us is to use the Forticlient from the Windows Appstore. It would use split DNS out of the box, but unfortunately we can't use the Forticlient with Microsoft MFA.


Is there any way to make the Forticlient work like the one from the Appstore?


The appstore client works perfectly in that respect. It will add the peer's DNS suffix to the global search list, not replace it. It will add the peer's DNS IP addresses to the VPN network interface only, and set the connection-specific DNS suffix. This will lead to a perfect split DNS out of the box.




New Contributor

Here's another post by @hpadm who appears to have the exact same problem.


In our case, our business partner was able to stop pushing their DNS server IP addresses, but we still get their DNS domain suffix. And because they have a wildcard A record in their public DNS, all our internal local hostnames get resolved to the public IP address of their wildcard record.
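A read-only check to run on the workstation once the tunnel is up, covering the symptoms described in both posts above. This is an added example, not part of either post and not Fortinet's code; the suffix, DNS server addresses and adapter alias pattern are placeholder assumptions to replace with your own values.

```powershell
# Added example: audit the Windows DNS client state after the SSL VPN connects.
# Placeholder assumptions, replace with your own values:
$ExpectedSuffixes = @('corp.example.internal')     # your AD DNS suffix(es)
$TrustedDns       = @('10.0.0.10', '10.0.0.11')    # DNS servers you expect on non-VPN adapters
$VpnAliasPattern  = '*fortinet*'                   # pattern matching the VPN adapter's alias

# 1. Global suffix search list: replaced, or only extended?
$searchList     = @((Get-DnsClientGlobalSetting).SuffixSearchList)
$missingSuffix  = @($ExpectedSuffixes | Where-Object { $_ -notin $searchList })
$foreignSuffix  = @($searchList | Where-Object { $_ -and $_ -notin $ExpectedSuffixes })

# 2. DNS servers that appeared on adapters other than the VPN adapter.
$serverLeaks = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike $VpnAliasPattern } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $_.ServerAddresses | Where-Object { $_ -notin $TrustedDns } |
            ForEach-Object { [pscustomobject]@{ Interface = $alias; Server = $_ } }
    })

# 3. Connection-specific suffix per adapter (split DNS keeps the peer suffix
#    on the VPN adapter only).
$perAdapter = Get-DnsClient |
    Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix

# 4. Wildcard test: a random label under a foreign suffix should not resolve.
#    If it returns an A record, every unqualified internal hostname that tries
#    this suffix first will get that address instead of failing over.
$wildcards = @(foreach ($suffix in $foreignSuffix) {
    $probe = '{0}.{1}' -f [guid]::NewGuid().ToString('N'), $suffix
    Resolve-DnsName -Name $probe -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        ForEach-Object { [pscustomobject]@{ Suffix = $suffix; Answer = $_.IPAddress } }
})

[pscustomobject]@{
    SearchList            = $searchList -join ', '
    ExpectedSuffixMissing = $missingSuffix -join ', '
    ForeignSuffixes       = $foreignSuffix -join ', '
    WildcardSuffixes      = ($wildcards.Suffix | Select-Object -Unique) -join ', '
    DnsServerLeaks        = $serverLeaks.Count
} | Format-List
$serverLeaks | Format-Table -AutoSize
$perAdapter  | Format-Table -AutoSize
```

Running it once before connecting and once after gives a before/after comparison; the script only reads settings and issues one DNS query per foreign suffix.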

