- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
- Article Ideas
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Split tunnelling & Name resolution weirdness
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Split tunnelling & Name resolution weirdness
Hello,
We have been using SSLVPN in tunnel mode with FortiClient for awhile with good success. Intranet and Internet web browsing was successful. Recently, we turned on split-tunnelling so all Internet browsing wouldn' t come through our corporate network. When we did this, we started having some difficulties with name resolution for internal systems.
Allow me to explain:
Consider the scenario: Laptop at home on DHCP (supplying ISPs DNS) on the wireless network adapter. Launch FortiClient and connects. Fortigate supplies DHCP address (with Internal DNS servers) for ' fortissl' network adapter. The system now has two sets of DNS servers configured. However this happens, it seems the process of connecting the FortiClient tunnel makes the fortissl DNS settings the preferred ones, so name resolution will happen on the Internal DNS server which is what we want. If I launch nslookup, I get the following:
Tunnel Disconnected
C:\>nslookup Default Server: resolver1.opendns.com Address: 208.67.222.222Tunnel Connected
C:\>nslookup Default Server: dc01.abcdefg.com Address: 172.16.0.250So far so good, I guess. We are in a Split DNS environment, so if I attempt to resolve a server name, it will resolve whether the tunnel is connected or not, but with different addresses. Externally it resolves to our wildcard external address, internally, the host record is returned. Tunnel Disconnected
C:\>ping fs01.abcdefg.com Pinging fs01.abcdefg.com [72.22.X.X] with 32 bytes of data:Tunnel Connected
C:\>ping fs01.abcdefg.com Pinging fs01.abcdefg.com [172.16.0.133] with 32 bytes of data:Again so far so good, I guess. The problem is, in my testing over the past few days, it seems like that change is not immediate. If I attempt to ping an internal system immediately (within 2 to 4 seconds) after seeing the FortiClient report " Connected" on the tunnel, it will give me the same results as if it was disconnected every time. Then that DNS entry is cached and will continue to fail until some distant timeout is passed. If I wait and don' t do anything until about 8 or 10 seconds after the connection is established it will be successful pretty much every time. Also, if I issue an ipconfig /flushdns, after its connected, it will work after that. It might sound like a minor problem, but as far as I' m concerned it should just work. I might be totally off base with my troubleshooting, but has anyone seen this before? I don' t understand why it only seems to have showed up after we turned on split tunnelling and why it seems to need some time after it says ' connected' for it to actually work. Thanks in advance for any input.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, IMHO the DNS caching is done on the client, by the client' s OS. Having the application (Forticlient) take action on that is an extra, not a necessity. It would be ' nice' if the FortiClient would flush the DNS cache on connection but the work around is quite simple, too.
Flushing the cache means higher latency for the client' s applications until the cache is filled up again. I can see why the developer would not want to unconditionally flush the client' s DNS cache on connect. The question is how difficult it would be to deduct from the FC' s configuration that the DNS will change on connect (i.e. split-tunneling is active).
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply ede.
It seems like it does flush the cache during the connection and disconnection process. Isn' t the default TTL for cache entries on Windows like 24 hours? If I were to describe how it behaves based on my observation, it is something like this (though I could be easily mistaken):
1) VPN connection initiated.
2) Tunnel built.
3) Routing table changed.
4) DNS cache cleared.
5) Reporting " Connected" in client.
6) DNS server priority switched (4 to 6 seconds later)
If it didn' t clear the cache, it wouldn' t work virtually at all for addresses that had been resolved prior to connecting.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it didn' t clear the cache, it wouldn' t work virtually at all for addresses that had been resolved prior to connecting... in the special case when the two alternative DNS resolve the same hostname to different IP addresses. For you, this is common; for the majority of users it is not and they won' t ever notice the switch over. I' ve strung up this to check the DNS cache:
>ipconfig /displaydns|findstr /C:" Record Name" |findstr /N " :"Two thoughts: - DNS caching lifetime does not really matter here - the perceived delay at tunnel-up might well be caused by Windows and the inner workings of it' s TCP/IP stack. As such, hard to influence from your side.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fair enough. We' re content to leave it as is. Mostly just an annoyance than anything. It' s our only complaint regarding the SSL VPN. Working great otherwise.
Thanks for the dialog.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I face this exact same thing..... the problem for me is that my Exchange server seems to not want to work while other things work and resolve just fine. I would like for ALL DNS requests to use my internal server as the primary and the ISP' s (the one bound to the local NIC) as the secondary.
It' s mind numbing. We have a call a day about this and it seems to be Exchaneg mainly. We have our DNS configured properly. We' ve even resorted to adding static entries to the host file of the local machine and although that allows us to ping exchange successfully, it still will not connect. Maybe we could statically assign internal DNS to the Fortinet adapter? I haven' t looked, is this an option?
The thing is that at home I use Google DNS 8.8.8.8 and I NEVER have the problem.
Any ideas is greatly appreciated.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don' t use exchange, but I do point my FGT to my internal AD DNS. That DNS then forwards out the door.
Just another perspective. By the way, I don' t point my clients to the FGT for DNS, but I DO use FSAE/FSSO.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Related Posts
- Domain name resolution site to site... 681 Views
- Forticlient DNS Resolution / Split tunnelling... 773 Views
- ... 1391 Views
- ... 878 Views
Labels
-
FortiGate
3,620 -
5.2
801 -
FortiClient
742 -
5.4
639 -
6.0
416 -
FortiManager
367 -
5.6
362 -
6.2
251 -
FortiAnalyzer
236 -
5.0
196 -
FortiAP
179 -
FortiSwitch
169 -
Fortimail
167 -
FortiAuthenticator
139 -
6.4
128 -
FortiClient EMS
107 -
FortiWeb
89 -
4.0MR3
64 -
FortiGuard
59 -
FortiGateCloud
56 -
Customer Service
42 -
FortiCloud Products
42 -
FortiSIEM
41 -
FortiToken
39 -
FortiNAC
37 -
Wireless Controller
30 -
FortiADC
25 -
Fortivoice
23 -
FortiSwitch v6.4
20 -
FortiProxy
19 -
FortiExtender
18 -
FortiSandbox
17 -
FortiEDR
16 -
FortiGate v5.4
16 -
FortiConnect
16 -
FortiDNS
13 -
FortiWAN
12 -
FortiConverter
10 -
FortiSwitch v6.2
9 -
4.0MR2
9 -
FortiCASB
8 -
FortiMonitor
7 -
4.0
7 -
FortiManager v5.0
6 -
FortiSOAR
5 -
RMA Information and Announcements
5 -
FortiGate v5.2
5 -
FortiPortal
5 -
FortiAnalyzer v5.0
5 -
FortiGate v5.0
4 -
FortiCarrier
4 -
3.6
4 -
FortiDirector
3 -
FortiBridge
3 -
FortiRecorder
3 -
FortiInsight
2 -
FortiWeb v5.0
2 -
FortiScan
2 -
FortiDB
2 -
FortiDDoS
2 -
FortiGate v4.0 MR3
2 -
FortiDeceptor
1 -
4.0MR1
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiCache
1 -
FortiManager v4.0
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.