Support Forum
Magion
Contributor

Split DNS

I configured sslvpn with split-tunneling and split-dns. Split-tunneling works fine, but split-dns does not. It looks like all dns requests are sent to the remote dns, instead of only the specified domains.

config split-dns
    edit 1
        set domains "domain.com,sub.domain.com"
        set dns-server1 192.168.100.10
        set dns-server2 192.168.100.20
    next
end

Resolving hosts on the remote network is fine, however local dns names are not working. Drive mappings on my client time out after a while (probably dns record ttl) and are inaccessible, and rdp and web are no longer able to connect to local resources unless I use IP addresses.

My client is on a local network with its own dns servers, and I'd like to keep access to local resources.

All local resources are available though, so split-tunneling is ok.

Using dnslookup for local network entries does work, however that's because it connects to the local dns server using ip.

Dave_Hall
Honored Contributor

is dns-suffix set?

config vpn ssl settings
    set dns-suffix XXXXXXX
end

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Magion

I tested both with and without dns-suffix. Doesn't make a difference.

(only difference with above example is that I set the dns-suffix in the portal configuration instead of sslvpn global settings)

Magion

From the online help:

If the domain does not match split-dns then the FortiClient network driver will respond to the DNS request with "no such name" forcing the DNS request to be resolved by the physical adapter DNS.

If I define a domain on the FortiGate configuration which is different from my local domain, the FortiClient network driver should never let the resolving happen on the FortiGate.

My domain has split-brain dns with different internal and external dns servers. Maybe this will somehow confuse the FortiClient network driver?

Magion

Decided to do a bit of packet sniffing on the FGT. It looks like all dns queries are sent to the remote dns.

Split-dns is definitely not doing what it's supposed to do.

So created a ticket @ Fortinet support. Let's see what they have to say... (hope it's not another "you must upgrade" answer)
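As an added example (not from this thread, FortiClient or Fortinet), the script below models the decision the online help quoted above describes (queries under a split-dns domain go through the tunnel, everything else is answered "no such name" so the physical adapter resolves it) and then checks a constructed list of queries, like the ones a packet capture on the FGT would show arriving at the remote dns, for names that split-dns should have kept off the tunnel. The domain list is the thread's `set domains` value; the captured names are constructed.

```python
"""Added example: model split-DNS routing and flag queries that leaked to the tunnel DNS."""
from typing import Iterable, List


def parse_split_domains(domains: str) -> List[str]:
    """Split the comma-separated 'set domains' value into normalised suffixes."""
    return [d.strip().lower().rstrip(".") for d in domains.split(",") if d.strip()]


def matches_split_dns(qname: str, split_domains: Iterable[str]) -> bool:
    """True if qname equals, or is a label-boundary subdomain of, a split-DNS domain."""
    name = qname.strip().lower().rstrip(".")
    # endswith("." + d) keeps 'notdomain.com' from matching 'domain.com'
    return any(name == d or name.endswith("." + d) for d in split_domains)


def route_query(qname: str, split_domains: Iterable[str]) -> str:
    """Where the client driver should send the query:
    'tunnel'   -> forward to the split-DNS servers (dns-server1/dns-server2)
    'nxdomain' -> answer 'no such name' so the physical adapter's DNS resolves it."""
    return "tunnel" if matches_split_dns(qname, split_domains) else "nxdomain"


def leaked_queries(observed_at_tunnel_dns: Iterable[str], domains: str) -> List[str]:
    """Names seen at the tunnel DNS that split-DNS should never have sent there."""
    split = parse_split_domains(domains)
    return [q for q in observed_at_tunnel_dns if route_query(q, split) == "nxdomain"]


# Constructed sample input: the thread's domain list and a capture-like query list.
SPLIT_DOMAINS = "domain.com,sub.domain.com"
CAPTURED_QUERIES = [
    "fileserver.sub.domain.com.",  # expected through the tunnel
    "intranet.domain.com",         # expected through the tunnel
    "nas.home.lan",                # local name: should have been answered 'no such name'
    "printer.local",               # local name: should have been answered 'no such name'
    "notdomain.com",               # shares a suffix string but is not under domain.com
]

if __name__ == "__main__":
    split = parse_split_domains(SPLIT_DOMAINS)
    for q in CAPTURED_QUERIES:
        print(f"{q:28} -> {route_query(q, split)}")
    print("leaked to tunnel DNS:", leaked_queries(CAPTURED_QUERIES, SPLIT_DOMAINS))
```

Feeding it the query names from a real capture on the FortiGate gives a quick list of what reached the remote dns despite not matching split-dns.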

Magion

This is a known bug according to support (engineering ticket no #537299). Split dns is currently not working... :(

Now we have to wait and see when (if) they fix this bug.

eenchev
New Contributor

Hello,

I am seeing the same issue with FG500E and 6.4.1 version. Does anyone know if it will be fixed in the upcoming patch release?

I am also having an issue with the SSL VPN stability. RDP and SSH seem to freeze. Fortinet TAC support claim this has been fixed in 6.0.10 and 6.4.1...

Magion

@eenchev: The moment you posted your reply I had FGT support on the phone regarding this issue

In short, the engineer told me 2 things: there is an update of FortiClient fixing split-dns behaviour, and second he was told it (my problem) was by design. Not working by design? That's a new one for me

Also this seems contradicting: they fixed something that was by design?

Anyway, I asked why we can enter domain names when enabling split-dns. What is the use of adding these, if split-dns won't honor them? He agreed that this was a good question, and will update the ticket with this question.

I have not yet tested the new FortiClient build, because I don't have EMS running at the moment. FortiClientVPN is an older build and I don't know when (if) the fixes will be ported to the free VPN client.

eenchev
New Contributor

Hello Magion.

Thank you for sharing this. What FC version do you refer to? For 6.0 I see there is no newer version than 6.0.9, and for 6.4 I haven't tested since I read there are some limitations for the free version above 6.0.

Magion

According to Tech:

The issue should be fixed in FortiClient v6.4. Could you test with the latest version of 6.4 branch?

They are talking about the full FC 6.4 client, not the free VPN client which hasn't been updated since May.

The free VPN client 6.4 works fine with a FGT 6.0.5, so my guess is the full FortiClient will also work. I believe one of the key missing features from 6.0 to 6.2/6.4 is the ability to start the VPN before/at Windows logon.
