Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
iulian
New Contributor

IPsec IKEv2 Dial-up DNS issues

Hello everyone,
How can I configure FortiClient VPN (full-tunnel mode) to:

  1. Use internal DNS server (e.g. 192.168.1.x) for resolving internal domain names only
  2. Use public DNS (8.8.8.8) for all external domain queries
  3. Avoid the current 6+ second delay caused by failed DNS resolution attempts to the internal DNS

Currently, all DNS queries first try the internal DNS server before failing over to 8.8.8.8, causing noticeable delays. I want to maintain full-tunnel mode for security but need more efficient DNS resolution.

I am attaching a screenshot of an nslookup and the tunnel configuration so you guys have a clearer understanding and hopefully can help me.

Attachments: nslookup.png, Screenshot 2025-01-06 151039.png
2 Solutions
AEK
SuperUser

Hi Iulian

You need to configure split DNS, which is supported for IKEv2 starting from FOS 7.2.3.

https://docs.fortinet.com/document/forticlient/7.2.0/new-features/634537/split-dns-support-for-ipsec...

Hope it helps.

AEK

iulian
New Contributor

Thank you sir.

I have tried this earlier but it did not work for me.

It seems that I was missing an important step that is mentioned in the following KB.

https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/836965/ipsec-split-dns

After configuring the "internal-domain-list" and the DNS server that will resolve local names, I also enabled "Local LAN" in the FortiClient tunnel config.

Now names that are part of the internal domain list are forwarded to my local DNS server. The rest are resolved using the DNS server configured on the network card of the user's computer.

Attachments: local_DNS.png, wifi_DNS.png, wireshark.png
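To make the accepted answer concrete, here is a FortiOS CLI sketch of the FortiGate side of what the two posts describe: an IKEv2 dial-up phase1 with mode-cfg, a single internal DNS server, and an internal-domain-list so that only internal suffixes are sent to that server. This is an added illustration, not configuration taken from either post or from the linked Fortinet documentation. The tunnel name "dialup-ikev2", the interface "wan1", the address pool, the internal resolver 192.168.1.10 and the suffix "corp.example" are all assumed placeholders; the thread itself only says the internal DNS lives in 192.168.1.x.

```fortios
# Added example, not from the thread. Tunnel name, interface, address
# pool, DNS server address and domain suffix are assumed placeholders.
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        # Client address pool pushed by mode-cfg (assumed values)
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.100
        set ipv4-netmask 255.255.255.0
        # Split DNS for IKEv2 (FOS 7.2.3 and later): queries for the
        # listed suffixes go to the internal resolver below; all other
        # names stay with the resolver on the client's own NIC.
        set dns-mode manual
        set ipv4-dns-server1 192.168.1.10
        set internal-domain-list "corp.example"
        # Full tunnel is kept on purpose: no ipv4-split-include, so
        # everything except the client's local LAN still uses the tunnel.
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
```

Two points worth checking before calling this done. First, the client-side step that fixed it for the original poster is separate from the FortiGate config: "Local LAN" has to be enabled in the FortiClient tunnel settings, otherwise the NIC's resolver is not reachable once the tunnel is up and every query still lands on the internal server. Second, enabling Local LAN is a deliberate carve-out from full-tunnel mode, so confirm that it only exposes the client's directly connected subnet and that the split is visible in a capture (internal suffixes to 192.168.1.x over the tunnel, everything else to the NIC's resolver), which is what the poster's wireshark screenshot was meant to show.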

