FortiClient
Jonathan_Body_FTNT
Article Id 195359

Description
This article explains how the split DNS feature works with FortiClient in a DHCP over IPSec environment.
Scope
All FortiClient Users.
Solution

In a split DNS infrastructure, you create two zones for the same domain: one used by the internal network, the other by the external network. Split DNS directs internal hosts to an internal domain name server for name resolution, and external hosts to an external domain name server.

However, when FortiClient is used with DHCP over IPSec, users obtain a DNS server address for the virtual adapter. The problem is that Windows may not detect this setting and may continue to perform DNS resolution with the DNS settings of the physical network interface.

This would mean that the virtual adapter's DNS servers are ignored. In this scenario the IPSec VPN tunnel will fail.

Split DNS redirects DNS request packets to the IPSec service and contacts both the virtual adapter DNS server and the DNS server configured on the PC’s Internet interface. The FortiClient application sends the first valid response to the originating application.
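
The "first valid response" behaviour described above can be modelled as follows. This is an added example, not FortiClient code: the two stub resolvers, their zone contents and delays are constructed, and treating an empty or failed answer as "not valid" is an assumption.

```python
import asyncio

# Constructed zones: one for the virtual adapter's DNS server, one for the
# DNS server configured on the PC's Internet interface.
VPN_ZONE = {"intranet.example.com": "10.0.0.5", "portal.example.com": "10.0.0.9"}
INET_ZONE = {"www.example.org": "203.0.113.10", "portal.example.com": "198.51.100.7"}

async def stub_resolver(zone, name, delay):
    """Answer from a dict after a delay; None models 'no such name'."""
    await asyncio.sleep(delay)
    return zone.get(name)

async def first_valid_response(name, resolvers, timeout):
    """Query all resolvers in parallel; return (label, address) of the first
    valid answer, or None if no valid answer arrives before the timeout."""
    async def tagged(label, query):
        return label, await query(name)
    pending = {asyncio.create_task(tagged(l, q)) for l, q in resolvers.items()}
    loop = asyncio.get_running_loop()
    deadline = loop.time() + timeout
    try:
        while pending:
            remaining = deadline - loop.time()
            if remaining <= 0:
                break
            done, pending = await asyncio.wait(
                pending, timeout=remaining, return_when=asyncio.FIRST_COMPLETED)
            for task in done:
                if task.exception() is not None:
                    continue              # a failed resolver is not a valid answer
                label, addr = task.result()
                if addr is not None:      # assumption: empty answer is not valid
                    return label, addr
        return None
    finally:
        for task in pending:              # stop waiting on the slower resolver
            task.cancel()

def resolve(name, vpn_delay=0.05, inet_delay=0.01):
    """Run one lookup against both stub resolvers with the given latencies."""
    resolvers = {
        "vpn": lambda n: stub_resolver(VPN_ZONE, n, vpn_delay),
        "internet": lambda n: stub_resolver(INET_ZONE, n, inet_delay),
    }
    return asyncio.run(first_valid_response(name, resolvers, timeout=0.5))
```

In this model a name that exists in both zones (`portal.example.com`) resolves to whichever server answers first, so the result depends on resolver latency.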
 
DNS IP does not unbind properly if IPSec VPN closes unexpectedly.

FCH: 4-0703
Branch: 4-0
Summary: Clean up IPSec DNS entries on scheduler startup
Details: Bug Fix - Problem Description: DNS entries bound by IPSec daemon failed to clean up if the PC does not gracefully shut down.

Solution Description:
If a PC was shut down forcefully or because of power failure, the manually bound DNS entries from IPSec daemon may not be cleaned up properly. To remediate the changes, we could do a manual clean up whenever scheduler starts up. If the DNS backup registry values are still there, we should be able to get back the original settings.
Status: complete
Build: 0059