doggmopsi
New Contributor

no access to device names via vpn

When our users connect via VPN, they can only access servers etc. by IP and not by name. This leads to problems with certain services. The DNS server is entered in the settings. Does anyone have an idea what could be wrong? Or could the problem lie with our DNS server?

[Screenshot: Screenshot_20230328_172251.png]

adambomb1219
Contributor III

Maybe. Does the DNS server trust queries from 10.212.134.200-10.212.134.210? Do you have a firewall policy which allows DNS to flow to 192.168.25.250? If you do an nslookup or dig on the client, what actual errors do you see? Can the clients ping the DNS server? Does the network the DNS server is on have a route to 10.212.134.200-10.212.134.210?

sw2090
Honored Contributor

Hm, there is one issue with that: the FortiGate GUI lets you enter custom DNS server(s) for a VPN. For whatever reason the GUI does lack the DNS mode option. So you set custom DNS servers but DNS mode is still set to auto (or similar). You might have to use the CLI to set DNS mode to manual for this VPN to make custom DNS work.

I ran into this on our vpns here too.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

doggmopsi
New Contributor

Thank you for your answers. I have now tried to change the DNS mode via CLI, but I only get the following message:

Screenshot_20230331_171657.png

gfleming
Staff

Your best option would be to enable split DNS. This way you can specify that domain name lookups for your servers etc. will be done using your internal DNS, and anything else will continue to be done using the client's DNS:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/988717/ssl-vpn-split-dns

Another thought: are you using the FQDN, i.e. host.company.com? Or are users just accessing things using the hostname, i.e. "host"?

You may want to add the dns-suffix to the VPN SSL settings (as referenced in the above doc).

Cheers,
Graham
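
Added example, not part of Graham's post or the linked Fortinet document: a FortiOS CLI sketch of the split DNS and dns-suffix settings suggested above. It assumes an SSL VPN in tunnel mode, a portal named "full-access" and an internal domain "company.com" (both placeholders); 192.168.25.250 is the DNS server mentioned earlier in the thread.

```fortios
# Added example. Assumptions: SSL VPN tunnel mode, portal "full-access",
# internal domain "company.com". Replace both with your own values.
# 192.168.25.250 is the DNS server address mentioned in this thread.

# Split DNS: only lookups for the listed domain go to the internal DNS server.
config vpn ssl web portal
    edit "full-access"
        config split-dns
            edit 1
                set domains "company.com"
                set dns-server1 192.168.25.250
            next
        end
    next
end

# DNS suffix: lets clients resolve the short name "host" as "host.company.com".
config vpn ssl settings
    set dns-suffix "company.com"
end
```

After reconnecting the VPN client, an nslookup for both `host` and `host.company.com` shows whether the suffix is applied and which server answers.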