Hi,
I've recently upgraded my Mac to Ventura, and I have a weird problem with the free FortiClient VPN.
I can connect fine, and to start with everything works as expected. After around 30-40 minutes however, DNS resolution for internal resources stops working.
Before it breaks I see the following:
scutil --dns
DNS configuration
resolver #1
search domain[0] : xxx.net
nameserver[0] : 172.17.0.5
flags : Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
<... snip ...>
DNS configuration (for scoped queries)
resolver #1
search domain[0] : xxx.net
nameserver[0] : 172.17.0.5
if_index : 22 (en8)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #2
nameserver[0] : 8.8.8.8
if_index : 14 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #3
search domain[0] : xxx.net
nameserver[0] : 172.17.0.5
if_index : 27 (utun5)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
After it breaks I have instead:
scutil --dns
DNS configuration
resolver #1
nameserver[0] : 8.8.8.8
if_index : 22 (en8)
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
<...snip...>
DNS configuration (for scoped queries)
resolver #1
nameserver[0] : 8.8.8.8
if_index : 22 (en8)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #2
nameserver[0] : 8.8.8.8
if_index : 14 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #3
search domain[0] : xxx.net
nameserver[0] : 172.17.0.5
if_index : 27 (utun5)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
While it is broken, my resolver is working just fine.
dig google.com @172.17.0.5
; <<>> DiG 9.10.6 <<>> google.com @172.17.0.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18045
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 142.250.200.46
;; Query time: 50 msec
;; SERVER: 172.17.0.5#53(172.17.0.5)
;; WHEN: Mon Nov 21 16:32:15 GMT 2022
;; MSG SIZE rcvd: 55
It seems macOS just decides to stop using the resolver provided by the VPN for some reason.
Has anyone got any clues about why this is happening, or where to look for clues as to why it's happening?
I'm using VPN client 7.0.7.0245
There are also some insights here: https://groups.google.com/g/tunnelblick-discuss/c/CpusBhU7Ob8
Seems to be the same issue.
OpenVPN has the same issues under Ventura and they fixed it ... maybe someone from Fortinet should look at this and implement a similar solution?
See: https://forums.openvpn.net/viewtopic.php?t=35018
---
We have released a new macOS OpenVPN Connect v3 build version 3.4.1 that enables a watchdog function for DNS settings. So if some process resets these DNS settings implemented by OpenVPN Connect, they should automatically be corrected again.
You can obtain the latest version here:
https://openvpn.net/client-connect-vpn-for-mac-os/
---
In my case, the trigger for the primary resolver entry going back to the local (non-VPN-provided) state is any Wi-Fi reconnect, which is often invisible to the user. The laptop hops from one AP to another, mDNSResponder pushes the local DNS server to be the primary resolver, VPN DNS gets broken.
FortiClient must either block those updates or monitor them and restore VPN DNS settings every time they occur.
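The monitoring half of what the last reply asks for, as an added example that is not part of the thread and is not FortiClient or OpenVPN code: it parses `scutil --dns` text and reports when the primary resolver no longer uses the DNS server still scoped to the tunnel interface. The sample listings are constructed (abridged from the two quoted above); the function names and the assumption that the tunnel interface name starts with `utun` are illustrative.

```python
import re
import subprocess

# Constructed samples, abridged from the two `scutil --dns` listings in the thread.
HEALTHY = """DNS configuration
resolver #1
nameserver[0] : 172.17.0.5
DNS configuration (for scoped queries)
resolver #2
nameserver[0] : 8.8.8.8
if_index : 14 (en0)
resolver #3
nameserver[0] : 172.17.0.5
if_index : 27 (utun5)
"""
BROKEN = HEALTHY.replace("172.17.0.5", "8.8.8.8", 1)  # primary resolver overwritten

def parse_scutil_dns(text):
    """Split the listing into default and scoped resolvers (nameservers + interface)."""
    sections = {"default": [], "scoped": []}
    current = resolver = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            current, resolver = sections["scoped" if "scoped" in line else "default"], None
        elif re.fullmatch(r"resolver #\d+", line) and current is not None:
            resolver = {"nameservers": [], "ifname": None}
            current.append(resolver)
        elif resolver is not None:
            if m := re.match(r"nameserver\[\d+\]\s*:\s*(\S+)", line):
                resolver["nameservers"].append(m.group(1))
            elif m := re.match(r"if_index\s*:\s*\d+\s*\((\S+)\)", line):
                resolver["ifname"] = m.group(1)
    return sections

def vpn_dns_displaced(text, tunnel_prefix="utun"):
    """True when the tunnel still has a scoped resolver but default resolver #1 ignores it."""
    cfg = parse_scutil_dns(text)
    vpn = {ns for r in cfg["scoped"]
           if (r["ifname"] or "").startswith(tunnel_prefix)
           for ns in r["nameservers"]}
    if not vpn or not cfg["default"]:
        return False  # no tunnel resolver present (VPN down): nothing to compare
    return not vpn & set(cfg["default"][0]["nameservers"])

if __name__ == "__main__":  # live check on macOS
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True).stdout
    print("VPN DNS displaced" if vpn_dns_displaced(out) else "VPN DNS is primary (or VPN down)")
```

In the displaced state, names that should resolve on the internal server are sent to the local network's resolver instead, so the same check can flag internal hostnames leaking to an outside DNS server.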