When our users connect via VPN, they can only access servers etc. by IP and not by name. This leads to problems with certain services. The DNS server is entered in the settings. Does anyone have an idea what could be wrong? Or could the problem lie with our DNS server?
Maybe. Does the DNS server trust queries from 10.212.134.200-10.212.134.210? Do you have a firewall policy which allows DNS to flow to 192.168.25.250? If you do an nslookup or dig on the client, what actual errors do you see? Can the clients ping the DNS server? Does the network the DNS server is on have a route to 10.212.134.200-10.212.134.210?
Hm, there is one issue with that: the FortiGate GUI lets you enter custom DNS server(s) for a VPN. For whatever reason the GUI lacks the DNS mode option. So you set custom DNS servers but DNS mode is still set to auto (or similar). You might have to use the CLI to set DNS mode to manual for this VPN to make custom DNS work.
I ran into this on our vpns here too.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you for your answers. I have now tried to change the DNS mode via CLI, but I only get the following message:
Your best option would be to enable split DNS. This way you can specify that domain name lookups for your servers etc. will be done using your internal DNS, and anything else will continue to be done using the client's DNS:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/988717/ssl-vpn-split-dns
Another thought: are you using FQDNs, i.e. host.company.com, or are users just accessing things using the hostname, i.e. "host"?
You may want to add the dns-suffix to the VPN SSL settings (as referenced in the above doc).
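A simplified model of the split-DNS and dns-suffix behaviour discussed in the reply above, as an added example that is not part of the original posts and is not FortiOS or FortiClient code. It shows why a bare "host" never reaches the internal DNS unless a suffix is configured; the function names, the `CLIENT_DNS` placeholder and `www.example.org` are constructed for illustration.

```python
# Simplified resolver-selection model for a VPN client with split DNS.
# Assumption: single-label names get each configured suffix appended,
# and a query goes to the internal DNS only if it falls under a split domain.

INTERNAL_DNS = "192.168.25.250"  # internal DNS server mentioned in the thread
CLIENT_DNS = "client-default"    # placeholder for the client's own resolver


def candidates(name, suffixes):
    """Return the names that would be queried for what the user typed."""
    name = name.rstrip(".").lower()
    if "." in name:
        return [name]  # already qualified, query as-is
    # Bare hostname: try each DNS suffix; with none configured, query it bare.
    return [f"{name}.{s.lower().strip('.')}" for s in suffixes] or [name]


def pick_resolver(fqdn, split_domains):
    """Choose the resolver for one query name, matching on label boundaries."""
    fqdn = fqdn.rstrip(".").lower()
    for domain in split_domains:
        domain = domain.lower().strip(".")
        if fqdn == domain or fqdn.endswith("." + domain):
            return INTERNAL_DNS
    return CLIENT_DNS


def plan(name, suffixes, split_domains):
    """List (query name, resolver) pairs for a name typed by the user."""
    return [(c, pick_resolver(c, split_domains)) for c in candidates(name, suffixes)]


if __name__ == "__main__":
    split = ["company.com"]
    for typed, suffixes in [("host", []), ("host", ["company.com"]),
                            ("host.company.com", []), ("www.example.org", ["company.com"])]:
        print(typed, suffixes, "->", plan(typed, suffixes, split))
```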