Painfully slow DNS resolution when connected
Fortigate model is 1500D, running on 5.2.3 with the matching SSLVPN client.
Due to the nature of our environment, we have multiple AD domains behind the firewall. Each "domain" has its own SSL VPN Portal, where, when connected, users get assigned an IP address from a unique pool designated for them. They are also assigned DNS servers from their domain.
But because DNS suffix settings are system-wide only, everyone is assigned a list of 5 DNS suffixes to search.
As a result, when users connect and try to resolve a single host name, the DNS resolution process takes more than 15 seconds. Part of this is because it looks like their computers (Win7 - Win10) are trying to resolve using the DNS server assigned to their NIC first.
Is there any way to do DNS suffixes per VPN portal? Is there any way to use the VPN-assigned DNS server exclusively while connected? Any suggestions on how to speed this up?
Labels: 5.2
tim5700 wrote: Part of this is because it looks like their computers (Win7 - Win10) are trying to resolve using the DNS server assigned to their NIC first.
BS,
Windows 10 uses DNS Multicast which leads to DNS leaks.
That's an excellent thought.
But how does that explain the Win7 & 8.x clients?
Disabling Multicast Name Resolution doesn't seem to help.
Hello,
I am just wondering whether it would be possible to use a separate VDOM for every single AD?
It would solve the problem.
AtiT
You can add DNS suffixes to the portal:
config vpn ssl settings
    set dns-suffix "example.com example.org"
end
