Technical Tip: Split DNS support for SSL VPN portals
Products
FortiGate v6.0
FortiGate v6.2
FortiGate v6.4
Description
This article describes how to configure split DNS support for SSL VPN portals.
Solution
Split DNS for SSL VPN portals lets the administrator specify which domains are resolved by the DNS servers provided by the VPN, while all other domains are resolved by the DNS servers configured locally on the client. It controls name resolution only; which destinations are routed through the tunnel is still governed by the portal's split tunneling settings.

FortiClient receives this information when the client connects in tunnel mode.
FortiClient pushes the specified DNS servers to the client computer, and all DNS requests first attempt to use those servers.
The FortiClient network driver intercepts DNS requests; if the queried name matches one of the 'split-dns' domains, the request is sent across the tunnel and resolved by the specified DNS servers.

If the name does not match a 'split-dns' domain, the FortiClient network driver answers the request with 'no such name', which forces the client to resolve it through the DNS servers of the physical adapter instead.

To configure from the GUI, go to VPN -> SSL-VPN Portals and edit a portal that has tunnel mode enabled.

Enable DNS split tunneling, then add the domains and the DNS servers that should answer for them.

To configure split DNS support for SSL VPN portals from the CLI:
# config vpn ssl web portal
    edit <name>
        config split-dns
            edit <any integer>
                set domains "abc.com, cde.com"
                set dns-server1 10.1.1.10
                set dns-server2 10.1.1.20
                set ipv6-dns-server1 xxxxxxxxxxxx
                set ipv6-dns-server2 xxxxxxxxxxxx
            next
            ...
        end
    next
end

'domains' takes a single comma-separated string; the dns-server and ipv6-dns-server entries are optional. The DNS servers listed here must be reachable through the tunnel (that is, covered by the portal's split tunneling routes), otherwise queries for the listed domains are sent into the tunnel but never answered.
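The following is an added example, not Fortinet or FortiClient code. It models the client-side decision described above (a queried name that matches a split-dns domain goes to the tunnel DNS servers, anything else gets 'no such name' and falls back to the physical adapter's DNS) and renders the equivalent FortiOS 'config split-dns' entry from the same data. The matching rule used here, a case-insensitive suffix match on whole labels so that 'mail.abc.com' matches 'abc.com' but 'notabc.com' does not, is an assumption about FortiClient's behaviour, not something the article states. The portal name 'full-access' and the LAN DNS server 192.168.0.1 are constructed sample values.

```python
# Added example (not Fortinet/FortiClient code): a model of the split-DNS
# decision made by the FortiClient network driver, plus a renderer for the
# FortiOS CLI entry shown in the article.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SplitDns:
    """One 'config split-dns' entry of an SSL VPN portal."""
    domains: List[str]                      # e.g. ["abc.com", "cde.com"]
    dns_server1: str
    dns_server2: Optional[str] = None
    ipv6_dns_server1: Optional[str] = None
    ipv6_dns_server2: Optional[str] = None


def parse_domains(value: str) -> List[str]:
    """Split the comma-separated 'set domains' string into a clean list."""
    return [d.strip() for d in value.split(",") if d.strip()]


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks a fully-qualified name.
    return name.strip().rstrip(".").lower()


def matches_split_dns(qname: str, domains: List[str]) -> bool:
    """True if qname equals a split-DNS domain or is a subdomain of one.
    Assumption: matching is on whole labels, so 'notabc.com' does not match
    'abc.com' while 'mail.abc.com' does."""
    q = _normalize(qname)
    for d in domains:
        d = _normalize(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def resolve_path(qname: str, cfg: SplitDns,
                 physical_adapter_dns: List[str]) -> Tuple[List[str], str]:
    """Return (servers, path) for a query.
    'tunnel'   -> the request goes across the VPN to the split-DNS servers.
    'physical' -> the driver answers 'no such name' and the client retries
                  with the DNS servers of its physical adapter."""
    if matches_split_dns(qname, cfg.domains):
        servers = [s for s in (cfg.dns_server1, cfg.dns_server2) if s]
        return servers, "tunnel"
    return list(physical_adapter_dns), "physical"


def render_cli(portal: str, index: int, cfg: SplitDns) -> str:
    """Render the FortiOS CLI for this entry (syntax as in the article)."""
    lines = [
        "config vpn ssl web portal",
        f"    edit {portal}",
        "        config split-dns",
        f"            edit {index}",
        f'                set domains "{", ".join(cfg.domains)}"',
        f"                set dns-server1 {cfg.dns_server1}",
    ]
    for key in ("dns_server2", "ipv6_dns_server1", "ipv6_dns_server2"):
        value = getattr(cfg, key)
        if value:
            lines.append(f"                set {key.replace('_', '-')} {value}")
    lines += ["            next", "        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    cfg = SplitDns(parse_domains("abc.com, cde.com"), "10.1.1.10", "10.1.1.20")
    lan_dns = ["192.168.0.1"]  # constructed: the client's local (physical adapter) DNS
    for q in ["intranet.abc.com", "CDE.COM.", "notabc.com", "www.example.org"]:
        servers, path = resolve_path(q, cfg, lan_dns)
        print(f"{q:20} -> {path:8} via {servers}")
    print(render_cli("full-access", 1, cfg))
```

Running the block shows that only names under abc.com or cde.com are answered by 10.1.1.10/10.1.1.20 through the tunnel, while a look-alike such as notabc.com and any unrelated name fall back to the LAN resolver, which is the behaviour to verify with nslookup on a connected client.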
Last Modified Date: 04-24-2020 Document ID: FD48421