IPsec IKEv2 Dial-up DNS issues
Hello everyone,
How can I configure FortiClient VPN (full-tunnel mode) to:
- Use internal DNS server (e.g. 192.168.1.x) for resolving internal domain names only
- Use public DNS (8.8.8.8) for all external domain queries
- Avoid the current 6+second delay caused by failed DNS resolution attempts to internal DNS
Currently, all DNS queries first try the internal DNS server before failing over to 8.8.8.8, causing noticeable delays. I want to maintain full-tunnel mode for security but need more efficient DNS resolution.
I am attaching a screenshot of an nslookup and the tunnel configuration so you guys have a clearer understanding and hopefully can help me.
Hi Iulian
You need to configure split DNS, which is supported for IKEv2 starting from FOS 7.2.3.
Hope it helps.
Thank you sir.
I have tried this earlier but it did not work for me.
It seems that I was missing an important step that is mentioned in the following KB.
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/836965/ipsec-split-dns
After configuring the "internal-domain-list" and the DNS server that will resolve local names, I also enabled "Local LAN" in the FortiClient tunnel config.
Now names that are part of the internal domain list are forwarded to my local DNS server. The rest are resolved using the DNS server configured on the network card of the user's computer.
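A FortiGate CLI fragment illustrating the split-DNS setup the reply above describes (an internal DNS server plus an internal-domain-list on the IKEv2 dial-up phase1). This is an added example, not configuration taken from the thread or from Fortinet; the tunnel name, WAN interface, user group, address pool, resolver address 192.168.1.10 and the domain suffixes are assumed placeholders.

```fortios
# Added example, not from the thread. Placeholders: "IKEv2-Dialup", "wan1",
# "vpn-users", the 10.212.134.0/24 pool, 192.168.1.10 and the two domains.
config vpn ipsec phase1-interface
    edit "IKEv2-Dialup"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "vpn-users"
        # Addresses handed out to FortiClient
        set ipv4-start-ip 10.212.134.100
        set ipv4-end-ip 10.212.134.200
        set ipv4-netmask 255.255.255.0
        # Internal resolver pushed to the client (manual = use the servers below)
        set dns-mode manual
        set ipv4-dns-server1 192.168.1.10
        # Split DNS (FortiOS 7.2.3 and later): only names under these suffixes
        # are sent to ipv4-dns-server1; all other names use the client's own
        # resolver, so they no longer wait on a failed internal lookup
        set internal-domain-list "corp.example" "lab.example"
        # No ipv4-split-include here, so the tunnel stays full-tunnel
        set psksecret <pre-shared key, redacted>
    next
end
```

As the reply notes, the FortiClient side also needs "Local LAN" enabled in the tunnel profile so that the client's adapter-configured resolver remains reachable for names outside the list. After reconnecting, an nslookup of a host under one of the listed suffixes should be answered by 192.168.1.10, while a lookup of a public name should return immediately from the adapter's DNS server without the delay described in the original post.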
