Administration Guide

IPsec split DNS
This feature lets clients decide whether a DNS query is resolved by the tunnel's DNS server or by the local DNS server. It works by specifying a list of FQDNs: only queries for names that match the list are sent through the tunnel for resolution, while all other queries are handled by the local DNS server.

Note

The internal-domain-list option is available on IKEv2 phase1 dialup gateways when mode-cfg is enabled.

To enable IPsec Split DNS in the CLI:
config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set ike-version 2 
        set mode-cfg enable
        set dns-mode {manual | auto}
        set internal-domain-list <domain name>
    next
end

Command                    Description
set internal-domain-list   One or more internal domain names, in quotes, separated by spaces.

Two scenarios need attention:

  1. When there is no split tunnel, or the split tunnel is set to address all, the user must manually select the Enable Local LAN checkbox in FortiClient by navigating to Advanced Settings > Phase 1. Otherwise, only FQDNs matching the internal-domain-list are resolved and all other DNS queries are discarded. Once this setting is enabled in FortiClient, any non-matching DNS query is resolved through the local DNS server.

  2. If dns-mode is set to manual but ipv4-dns-server1 is not configured, the VPN tunnel's DNS server defaults to 0.0.0.0 and all DNS queries are routed through the local DNS server.
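The resolver selection described above, including both scenarios, modelled as an added Python example (not Fortinet or FortiClient code). It assumes that "matching" means the queried name equals an internal-domain-list entry or is a subdomain of it, and it treats "no split tunnel" and "address all" identically; the Phase1 class and all sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL, TUNNEL, DISCARD = "local", "tunnel", "discard"


@dataclass
class Phase1:
    """Subset of the phase1-interface settings that drive split DNS (constructed model)."""
    dns_mode: str = "auto"                    # set dns-mode {manual | auto}
    ipv4_dns_server1: Optional[str] = None    # set ipv4-dns-server1 <ip> (manual mode)
    internal_domain_list: List[str] = field(default_factory=list)
    split_tunnel: bool = True                 # False = no split tunnel, or "address all"


def tunnel_dns_server(p: Phase1) -> str:
    """Scenario 2: manual mode without ipv4-dns-server1 leaves the tunnel DNS at 0.0.0.0."""
    if p.dns_mode == "manual":
        return p.ipv4_dns_server1 or "0.0.0.0"
    return "<server pushed by mode-cfg>"       # placeholder for the auto case (assumption)


def matches_internal(fqdn: str, domains: List[str]) -> bool:
    """Assumed match rule: exact name, or any subdomain of a listed domain."""
    name = fqdn.rstrip(".").lower()
    for d in domains:
        d = d.strip('"').rstrip(".").lower()  # entries are given in quotes on the CLI
        if name == d or name.endswith("." + d):
            return True
    return False


def resolver_for(fqdn: str, p: Phase1, enable_local_lan: bool) -> str:
    """Return which resolver handles fqdn: 'tunnel', 'local' or 'discard'."""
    if tunnel_dns_server(p) == "0.0.0.0":
        return LOCAL                          # scenario 2: every query goes to local DNS
    if matches_internal(fqdn, p.internal_domain_list):
        return TUNNEL
    if p.split_tunnel or enable_local_lan:
        return LOCAL
    return DISCARD                            # scenario 1 without Enable Local LAN


if __name__ == "__main__":
    # Constructed configuration: full tunnel, manual DNS, one internal domain.
    cfg = Phase1("manual", "10.0.0.53", ['"corp.example"'], split_tunnel=False)
    for name in ("intranet.corp.example", "www.example.org"):
        print(name, resolver_for(name, cfg, enable_local_lan=False),
              resolver_for(name, cfg, enable_local_lan=True))
```

Running the block shows the internal name always going to the tunnel, while the external name is discarded until Enable Local LAN is set.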
