Hey everyone,

So here is the situation. I am connected to a remote location by client VPN. At this site I have three domain controllers that are also DNS servers. Once I connect into the VPN I have to use the IP address to remote into individual machines. I have checked the DNS manager on my main domain controller DC201 and there are PTR records for each machine in the reverse zone and forward zone along with their correct static IPs. I have created CNAME records and A records for several machines and still cannot connect by host name. I have gone onto member machines and done ipconfig /flushdns then ipconfig /registerdns. No matter what I do I have to use an IP to connect to each machine. At the moment it isn't a problem as I am the only one using the machines and I know all the IPs, but when coworkers start using this site they need hostname connection. What have I missed? Obviously something is going wrong. Also, I've tried connecting using the FQDN (hostname.my.domain.com).

3 Spice ups

Is your VPN server providing you with one or two domain controllers as your VPN assigned DNS server? For this to work you need to see the Domain Controllers when you run “ipconfig /all” after you are connected to VPN.

Even FQDN will not work if you’re connecting to the wrong DNS server that does not know about that internal domain.

1 Spice up

Fortinet SSL VPN Virtual Ethernet Adapter

OK, I just added the DNS server IP at my remote location to the VPN adapter I'm connected to, which is listed above.

What Beeker up there said. If you’re remoting into a separate domain, your computer is probably looking at your local DNS server for those remote IPs, which it probably doesn’t have. You could manually enter them, or if that remote site is a child of, or otherwise connected to your main domain, you might be able to get the remote DNS to share the info with your local DNS server(s). Beyond that, it’s IP addresses only.

Haven’t been called Beeker in a while, thanks for the memories, Troy. :smiley:

Don’t add a DNS server address manually to your adapter. When you connect, the remote Fortigate router is going to push DNS servers to your client and potentially override whatever you have there (depending on a series of other settings).

For this to work correctly, configure the Fortigate.

  • Log in to Fortigate
  • Go to VPN - SSL-VPN Settings
  • There is a section for DNS. If it's set to "Same as client system DNS" then Fortigate isn't going to change anything on the client side, which could be the issue.
  • Set it to Specify and enter appropriate IP addresses for your DC/DNS servers
  • Make sure you have firewall policies as well to allow traffic from VPN client to the DNS servers (SSL-VPN tunnel interface → LAN for example, allow DNS)
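The same configuration expressed in the FortiOS CLI, as an added example that is not part of the original post. The addresses, interface names and object names are assumptions: 192.168.10.10 and 192.168.10.11 stand for the DC/DNS servers, port2 for the LAN interface, ssl.root for the SSL-VPN tunnel interface, SSLVPN_TUNNEL_ADDR1 for the default tunnel address pool, and sslvpn-users for the user group allowed on the policy. The DNS suffix line is included because the thread later asks about it; a suffix only helps bare-hostname lookups on clients that honour it.

```fortios
# Push the internal DC/DNS servers (and an optional search suffix) to SSL-VPN clients.
# Addresses, interface names and group names below are placeholders.
config vpn ssl settings
    set dns-server1 192.168.10.10
    set dns-server2 192.168.10.11
    set dns-suffix "my.domain.com"
end

# Address object for the DNS servers so the policy is limited to them, not the whole LAN.
config firewall address
    edit "DC_DNS_SERVERS"
        set subnet 192.168.10.10 255.255.255.254
    next
end

# Allow DNS from the tunnel interface to the DNS servers only.
# An SSL-VPN policy must reference a user group; the tunnel pool and group names are assumed.
config firewall policy
    edit 0
        set name "SSLVPN-to-DNS"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "DC_DNS_SERVERS"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

After applying this, reconnect the client (the DNS settings are pushed at tunnel establishment) and confirm with `ipconfig /all` that the Fortinet adapter lists only the two DC addresses. Restricting `dstaddr` to the DNS servers rather than the LAN subnet keeps the policy to least privilege; broader access to member servers belongs in a separate policy with its own services.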
1 Spice up

Ah thank you guys. I will work on trying to get that figured out.

Yeah, the domains are in no way connected at the moment. I have a site-to-site VPN connection set up; I'm just waiting on word to turn it on.

So I got on the Fortigate and added the DNS server IP addresses to the Fortigate VPN and created a firewall policy to allow DNS buuuuut it still didn't work. At least not yet. Maybe as I flush and register DNS addresses it will start to work.

It did not work meaning you can’t resolve any records, or just not the ones you are interested in?

First make sure that over VPN you are in fact using the remote DC IP address. Run “ipconfig /all” and double-check that the VPN adapter only has DC/DNS IP addresses.

Next you can do a direct DNS query to make sure it’s functional at least:

nslookup active-directory-domain.com dnsipaddress

If you do not get a result, then the Fortigate might still be blocking the traffic. On the Fortigate CLI you can run something like this to check:

diagnose sniffer packet any 'host vpn-client-ip and host dns-ip and port 53' 4

It will show you the traffic flow in and out through the interfaces. You should see an incoming packet, then a matching outgoing one to the interface where your DNS server is on and then a reply coming in from DNS server’s interface and back out to the client.

If you don’t see the traffic flow like this, inspect your Fortigate firewall rules.
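If the sniffer shows the query arriving on the tunnel interface but never leaving towards the LAN, the next step is to ask the firewall which policy it matched (or why it dropped the packet). The following flow trace is an added example, not from the original post; 10.212.134.200 is assumed to be the client's tunnel address and 192.168.10.10 an assumed DNS server.

```fortios
# Clear any previous debug state so old filters do not hide the traffic you care about.
diagnose debug reset
diagnose debug flow filter clear

# Match only the VPN client talking to the DNS server on port 53 (addresses are placeholders).
diagnose debug flow filter addr 10.212.134.200
diagnose debug flow filter daddr 192.168.10.10
diagnose debug flow filter port 53

# Show the function names that handle each step; this is where policy and route decisions are printed.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable

# Capture the next 20 matching packets, then turn console output on.
diagnose debug flow trace start 20
diagnose debug enable

# ... now run the nslookup from the VPN client ...

# Always stop the trace and reset debug when done; it is noisy and consumes CPU on the unit.
diagnose debug disable
diagnose debug reset
```

In the output, a line such as "Allowed by Policy-<id>" names the policy that accepted the query, while "Denied by forward policy check" (or a missing route message) points at the policy or routing gap to fix. Filtering on both addresses and the port keeps the trace readable on a busy firewall.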

OK! I got it to connect to FQDN. hostname.my.domain.com. Now all i need to do is get it to only connect using hostname. Would I need to set up a DNS suffix for that?

Yes, a DNS suffix is needed for that; however, that's typically provided by the DHCP server, not by the Fortigate. So you would need to update everybody's home router/DHCP server for this to reliably work. And if you're in a hotel, airport, etc. you will never be able to.
That's obviously not a good solution.
You should not use "bare" hostnames anymore. You still can when the environment supports it (i.e. in the office building) but it's, for these reasons and many others, no longer good practice. Always use the FQDN. That's how things are to be done nowadays.

Awesome thanks so much.

Wouldn't setting the DNS suffix in the CLI work for this?

Yes in theory that works wonders. In practice, Windows often doesn’t play nice depending on the exact Win10 version. I don’t find it to be a reliable setup but it can be very convenient when it does work. I do use that same option in SSL VPN config with mixed results.

I’m sorry for asking the question, but I’m kinda at a point where I need to ask dumb questions…

W.r.t. SSL VPN, DHCP managed by AD, not Fortigate.

set dns-suffix "sub.domain.com"
or
set dns-suffix sub.domain.com

Making sure I'm understanding the document correctly.

When it comes to simple hostname or domain name entries like that, you can do it with or without surrounding it with quotes. A hostname doesn't contain special characters where quoting is required. It won't hurt to do it anyway, and I myself do, mostly out of programming habit. Then it takes the guesswork out of it and it will always work, regardless of what you're doing.