Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
davebell
New Contributor II

MacOS Ventura DNS Resetting

Hi,

 

I've recently upgraded my mac to Ventura, and I have a weird problem with the free FortiClient VPN.

 

I can connect fine, and to start with everything works as expected. After around 30-40 minutes however, DNS resolution for internal resources stops working.

 

Before it breaks I see the following:

 

scutil --dns
DNS configuration

resolver #1
search domain[0] : xxx.net
nameserver[0] : 172.17.0.5
flags : Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)

<... snip ...>

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : xxx.net
  nameserver[0] : 172.17.0.5
  if_index : 22 (en8)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 8.8.8.8
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #3
  search domain[0] : xxx.net
  nameserver[0] : 172.17.0.5
  if_index : 27 (utun5)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)

 

 

After it breaks I have instead

 

scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 22 (en8)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

<...snip...>

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 22 (en8)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  nameserver[0] : 8.8.8.8
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #3
  search domain[0] : xxx.net
  nameserver[0] : 172.17.0.5
  if_index : 27 (utun5)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)

 

 

While it is broken, my resolver is working just fine.

 

dig google.com @172.17.0.5

; <<>> DiG 9.10.6 <<>> google.com @172.17.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	142.250.200.46

;; Query time: 50 msec
;; SERVER: 172.17.0.5#53(172.17.0.5)
;; WHEN: Mon Nov 21 16:32:15 GMT 2022
;; MSG SIZE  rcvd: 55

 

 

It seems MacOS just decides to stop using the resolver provided by the VPN for some reason.

 

Has anyone got any clues about why this is happening, or where to look for clues as to why its happening?

I'm using VPN client 7.0.7.0245

12 REPLIES 12
adepretis
New Contributor II

There's also some insights here: https://groups.google.com/g/tunnelblick-discuss/c/CpusBhU7Ob8

Seems to be the same issue.

 

adepretis
New Contributor II

OpenVPN has the same issues under Ventura and they fixed it ... maybe someone from FortiNet should look at this and implement a similar solution?

 

See: https://forums.openvpn.net/viewtopic.php?t=35018

---

We have released a new macOS OpenVPN Connect v3 build version 3.4.1 that enables a watchdog function for DNS settings. So if some process resets these DNS settings implemented by OpenVPN Connect, they should automatically be corrected again.

You can obtain the latest version here:
https://openvpn.net/client-connect-vpn-for-mac-os/

---

recursiveiterator
New Contributor

In my case, the trigger for the primary resolver entry going back to the local (non VPN provided) state is any wifi reconnect, which is often invisible to the user. The laptop hops from one AP to another, mDNSResponder pushes the local DNS server to be the primary resolver, VPN DNS gets broken.

 

FortiClient must either block those updates or monitor them and restore VPN DNS settings every time they occur.

Top Kudoed Authors