haljawhari
Staff
Article Id 195961
Description
This article describes how Apple iOS devices resolve DNS names by default once they are connected over an IPsec VPN.

Information on how to set up and maintain IPsec VPN on such devices is available in the Fortinet Document Library.



Solution
DialUp tunnel setup options

1. Full tunneling mode

The IPsec tunnel is created as described in the Fortinet Document Library and existing articles. In this setup, only a default route pointing towards the FortiGate is pushed to all remote clients. As a result, all traffic is sent towards the FortiGate, where full traffic processing and inspection can be done.

2. Split tunnel mode

Once split tunneling is configured, remote clients receive routing information for all protected subnets behind the FortiGate. The list of these subnets is defined in the phase1 configuration:
set ipv4-split-include "Protected_Subnets"

iOS device behavior for DNS requests

1. Once full tunneling is configured, iOS devices use the DNS server received from the tunnel configuration for all DNS resolution.

2. In split tunnel mode, a specific DNS server can be received via the tunnel configuration. It can be either the default interface DNS or a manually specified server, set via the command:
set ipv4-dns-server1 11.11.11.11 
Once the specific DNS server is received, the iOS device uses it only to resolve names that belong to the domain defined in the phase1 tunnel configuration by the parameter:
set domain fortinet.local
In this particular case, only DNS requests for “*.fortinet.local” are sent to the specified DNS server 11.11.11.11; all other requests are sent to the DNS server defined by the regular WiFi or GSM connection.
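
The resolver selection described above can be checked against a phase1 configuration with the following sketch, which is an added example and not Fortinet code. The sample configuration and the tunnel name "ios-dialup" are constructed, and the sketch assumes that a phase1 without ipv4-split-include is a full tunnel; cases the article does not describe return None.

```python
import re

# Constructed sample: a dial-up phase1 using only the settings named in the article.
# The tunnel name "ios-dialup" is a placeholder.
SAMPLE_PHASE1 = """
config vpn ipsec phase1-interface
    edit "ios-dialup"
        set ipv4-split-include "Protected_Subnets"
        set ipv4-dns-server1 11.11.11.11
        set domain fortinet.local
    next
end
"""

def parse_phase1(text):
    """Collect every 'set <key> <value>' line into a dict, stripping quotes."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def resolver_for(name, settings, local_dns="local"):
    """DNS server an iOS client queries for `name`, following the article.

    Returns None where the article does not describe the behavior."""
    tunnel_dns = settings.get("ipv4-dns-server1")
    domain = settings.get("domain", "").lower().rstrip(".")
    if tunnel_dns is None:
        return None                      # interface-DNS case is not modelled here
    if "ipv4-split-include" not in settings:
        return tunnel_dns                # assumed full tunnel: tunnel DNS for everything
    if not domain:
        return None                      # split tunnel without 'set domain'
    host = name.lower().rstrip(".")
    if host == domain:
        return None                      # article only states "*.<domain>"
    # Match on a label boundary so "notfortinet.local" is not treated as internal.
    return tunnel_dns if host.endswith("." + domain) else local_dns

def names_on_local_dns(names, settings):
    """Names whose queries go to the WiFi/GSM resolver instead of the tunnel DNS."""
    return [n for n in names if resolver_for(n, settings) == "local"]
```

Running names_on_local_dns over a list of internal hostnames shows which of them an iOS client in split tunnel mode would look up on the WiFi or GSM resolver, which is worth checking before relying on the tunnel DNS server for internal zones outside the configured domain.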

Related Articles

Technical Note: FortiClient Dialup IPsec VPN (Split Tunneling)
