Basically, I am trying to do this but instead of IPSec tunnels or internal clients, it's only for our SSLVPN users: https://yatznet.com/2018/08/21/using-fortigate-as-a-local-dns-server/
In short, it works great on the LAN, but if I try to use FortiGate for DNS when connected via SSLVPN, all I get are DNS request time out errors. I do have a test policy in place that allows all ssl.root traffic to any destination within the LAN, and I can even ping the IP of the FortiGate when connected via SSLVPN, so traffic is flowing.
I've done a debug and it didn't come up with anything useful, at least to me. Here is an example of an internal client using the DNS on the fortigate successfully, and the second one is our SSLVPN client timing out. It looks the same except for the flag, but I couldn't find out what that means.
id=20085 trace_id=18 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=17, OURLANCLIENT:59609->OURFIREWALLIP:53) from LAN. " id=20085 trace_id=18 func=init_ip_session_common line=5682 msg="allocate a new session-03a13154" id=20085 trace_id=18 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-OURFIREWALLIP via root"
id=20085 trace_id=23 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=17, OURSSLVPNCLIENT:61387->OURFIREWALLIP:53) from ssl.root. " id=20085 trace_id=23 func=init_ip_session_common line=5682 msg="allocate a new session-03a142ac" id=20085 trace_id=23 func=vf_ip_route_input_common line=2591 msg="find a route: flag=84000000 gw-OURFIREWALLIP via root"
Any ideas?
Solved! Go to Solution.
That's all there was. It just repeatedly output that section when doing a DNS lookup.
However! Shortly after posting this (and after 5 hours of troubleshooting at time of post), I figured it out. Under Network > DNS Servers, I kept picking either the LAN or the ssl.root interface to listen for DNS requests. ssl.root never worked, and LAN only worked for internal clients, even though the ssl.root policy allowed access to everything.
Turns out I just need to create two DNS Server interfaces, one for LAN and one for ssl.root. After I did that, the DNS resolution worked for both sslvpn users and all LAN clients.
So simple, and so many hours wasted on it.
There is not enough information here. Please provide more of the debug flow output.
That's all there was. It just repeatedly output that section when doing a DNS lookup.
However! Shortly after posting this (and after 5 hours of troubleshooting at time of post), I figured it out. Under Network > DNS Servers, I kept picking either the LAN or the ssl.root interface to listen for DNS requests. ssl.root never worked, and LAN only worked for internal clients, even though the ssl.root policy allowed access to everything.
Turns out I just need to create two DNS Server interfaces, one for LAN and one for ssl.root. After I did that, the DNS resolution worked for both sslvpn users and all LAN clients.
So simple, and so many hours wasted on it.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1759 | |
1116 | |
766 | |
447 | |
242 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.