Support Forum
FG_User
New Contributor

Internal DNS name resolution not working

We're using SSL VPN with split tunneling enabled. In the VPN DNS and WINS server names I put our two systems which provide those services. However, when using the bookmarks or connection tool I cannot connect via the name of the system. Neither hostname nor FQDN works. Only via IP. Obviously most users don't know the IPs of the systems.
rwpatterson
Valued Contributor III

Welcome to the forums. Split tunneling is like that. If you force all traffic through the firewall, you'll find it works as desired. If you don't have a big pipe at the FGT end, you may find the web browsing is choking production.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
FG_User
New Contributor

So there is no way to do this without disabling split tunneling? No dns tricks or anything else? This seems crazy.
emnoc
Esteemed Contributor III

The split-dns feature is your friend, but I don't know how it's deployed in the FortiGate design. But correct me if I'm wrong: is it your clients or is it the SSL VPN (FortiGate) conducting the DNS lookup for the bookmark address? You can validate that the appliance has a DNS server applied, or use the nslookup tool to see what DNS server you're using.

PCNSE NSE StrongSwan
Maik
New Contributor II

However when using the bookmarks or connection tool I cannot connect via the name of the system
From that, I read that you are using the bookmarks from the SSL VPN web portal. We are not talking about browser bookmarks. SSL VPN web portal addresses are resolved by the FortiGate itself. Did you configure your FortiGate to use the internal DNS servers?

Regards, Maik
FG_User
New Contributor

@EMNOC: Under VPN > SSL > Config ... Advanced > I put in the two DNS servers' IP addresses and WINS servers. @MAIK: Yes, by bookmarks I am referring to the SSL VPN portal bookmarks, not local ones on a user's machine.
Carl_Wallmark
Valued Contributor

It is the FortiGate itself that does the DNS lookup, NOT the DNS in the SSL config. You need to enter an internal DNS under System -> Network -> DNS.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

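As an added illustration (not posted by anyone in this thread), here is the CLI equivalent of the two settings the replies contrast: the unit's own resolver under System -> Network -> DNS, which is what resolves web-portal bookmarks, versus the DNS/WINS entries under the SSL VPN settings, which are pushed to tunnel-mode clients. The IP addresses are placeholders; the keywords are those of FortiOS `config system dns` and `config vpn ssl settings`.

```fortios
# Constructed example; addresses are placeholders, not from the thread.

# Weak setting: the FortiGate's own resolver points only at public DNS, so
# the unit cannot resolve internal hostnames in web-portal bookmarks,
# whatever is entered under VPN > SSL > Config > Advanced.
config system dns
    set primary 8.8.8.8
    set secondary 203.0.113.53      # ISP resolver (placeholder)
end

# Corrected setting: point the unit at the internal DNS servers (the DCs),
# which forward external lookups upstream themselves.
config system dns
    set primary 10.0.0.10           # internal DNS / DC (placeholder)
    set secondary 10.0.0.11         # internal DNS / DC (placeholder)
end

# The SSL VPN DNS/WINS entries are handed to tunnel-mode clients for
# split-tunnel name resolution; they do not change what the unit resolves.
config vpn ssl settings
    set dns-server1 10.0.0.10
    set dns-server2 10.0.0.11
    set wins-server1 10.0.0.10
end

# Check which resolvers the unit itself is using:
show system dns
```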
veechee
New Contributor

This doesn't answer your question, but provides some of my experience with split tunneling. I used split tunneling in production for about 5 users for several months, but I removed it from use because there are so many DNS tricks and hacks out there these days that I couldn't make internal resources work 100% reliably with it. The problems I ran into were at places like airports or hotels where there is a captive portal before access is granted. Often these types of sites enforce certain DNS servers and that messes up the split tunnel, leading to security warnings for internal resources or outright failures. Also, we use SaaS email and if there is a latency or other connectivity issue using the local Internet connection, getting onto the full tunnel usually restores access. I'm in the initial stages of looking at MS DirectAccess to provide always-on internal network resources and local internet. The technology behind DA is such that it should allow both to work reliably (but it's very complicated to get set up).
emnoc
Esteemed Contributor III

Cisco ASA has a split-dns feature that gets through these hurdles and allows the client to resolve only domain names allowed for that VPN client. I'm surprised that FortiGate does not have this function. For the OP FGUser, now that it's confirmed the FortiGate looks up the SSL VPN bookmarks, can you answer the question: "does the FGT have your inside local DNS servers configured?"

PCNSE NSE StrongSwan
FG_User
New Contributor

@SELECTIVE: 1. What is the point of the SSL VPN DNS settings then? 2. Our Prof Services installer for the units put 8.8.8.8 and the DNS server from our ISP as the ones to use in that system. Should I replace them with our internal DNS servers (which themselves point out to those two IPs anyway for their external DNS lookups)? He said specifically that we should avoid sending DNS lookup requests from the FortiGate to our internal DNS servers (our DCs have the DNS role as well). Thanks!