DNS through VPN

I have a DMZ switch set up to host websites that can be accessed externally and that's all working fine except for when a user tries to access those sites while connected to VPN.
I'm not sure how to set up DNS (or if I can) to make this work properly.
When I ping the site I get the local IP back and not the external IP which is expected when connected to VPN. If I add the external IP and the URL to the host file then I can connect without issue but I'm hoping to avoid doing that for all users.
I would like to be able to connect to external and internal sites when connected to VPN.
The firewall is a Fortinet 200B and it's using split tunneling for traffic. The sites are hosted on a Windows 2008 R2 server.

Hopefully that makes sense, please let me know if you need more info.

You are allowed to define your own DNS servers on the SSL VPN settings page. Make sure that these DNS IP addresses are routed via the VPN tunnel. Your office DNS server should resolve internal and external domains.

If not, define the primary server as the internal DNS IP (office IP) and the secondary as an external IP (example

Good Luck!
Satyendra Sharma (Microsoft UC Technical Architect) commented:
Do you have a different DNS environment for VPN solution or you use the same core DNS and what is it (windows, infoblox or something else)?

Adding a host entry on the clients is another option to resolve your site to the external DNS IP instead of the internal one. This will override the DNS query, but may not be the ideal solution.
Winsoup (Author) commented:
I have the primary server defined as our office DNS right now and the secondary as you stated. The problem is that it doesn't use the external IP address, it uses the IP assigned in the DMZ environment, so it wouldn't be able to resolve that anyway. These internal IPs are completely separate from the rest of our LAN.
I thought maybe there was another rule or something I had to define in the firewall but right now I'm allowing traffic from the VPN tunnel to the DMZ port on the firewall so that should be fine. And I can connect if I use the IP so I know it allows the traffic through but it's not resolving the 172.16.x.x IP that I have assigned to it.

VPN users and internal office users use the same DNS environment which is Windows.

"I have the primary server defined as our office DNS right now and the secondary as you stated."
There is no point in having both internal DNS and external DNS assigned.  Unless they both have the exact same records, it will just cause intermittent issues in trying to reach resources which have differing records.  It's the same concept as never assigning your internal machines on a domain to use any DNS except those which have full knowledge of your AD.

Beyond hosts files, your only resolution here (in regards to name resolution) would be to have the VPN use a DNS server(s) that has the records you want.  Beyond DNS, if you just allowed the traffic from the VPN to the DMZ and had the necessary routing information on the clients it would work (for example, having a static route where trying to access the DMZ IP subnet would use the VPN interface).  However, I'm not sure how you would automate deploying the static route.
Satyendra Sharma (Microsoft UC Technical Architect) commented:
Another option would be to give a different url to the VPN users and resolve this new url into your DMZ.
Did you allow UDP traffic on port 53 from the VPN to your internal DNS? How do your internal clients resolve external addresses?
Winsoup (Author) commented:
It doesn't have an issue resolving any other internal IP addresses, only the ones in the DMZ. So access to the DNS Servers for VPN is allowed already.
Internal clients resolve external IP addresses using forwarders to our ISP's DNS Servers.
Do you have a separate DNS server for the DMZ to resolve hosts in the DMZ zone? How do your internal clients resolve hosts in the DMZ zone?
Winsoup (Author) commented:
No, I don't have a separate DNS server for the DMZ zone.
Internal clients cannot resolve host names of DMZ servers, but they can resolve the website IPs because I have a reverse lookup zone created in the DNS server and a rule created in the firewall to allow HTTP access for internal clients.

The hostname I'm trying to resolve has a public IP address but when VPN is connected it tries to resolve the internal IP address instead of the public IP address. Is there a way to force it to the public IP so it gets the correct DNS server?
At one point you say that the name resolves to the internal IP, and then at another you say it doesn't.  Which is it?

Pretty sure I've already stated this, but here it is.
If you want the name to be resolved to the public IP, you either have to :
1) use DNS servers that have that info, or
2) use HOSTS files

If the name resolves to the private IP (and will remain that way), then you have to ensure the correct routing info is in place on the client so that traffic destined for the DMZ range is routed over the VPN (since you're using split-tunnel), and also that it will be routed from the VPN server correctly.  Some VPN servers allow you define what networks are routed over the split-tunnel (I can't advise you on the Fortinet).  You can see routing info on Windows with the route print command.
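The routing check suggested in the last paragraph, as an added example that is not part of the original thread: a small Python script that parses a pasted `route print` table and reports whether the private DMZ address returned by the office DNS would actually leave the client over the split tunnel. The route table, the VPN adapter address (10.200.0.15) and the DMZ range (172.16.0.0/16) are constructed for the example.

```python
import ipaddress

# Constructed excerpt of the IPv4 "Active Routes" table from `route print` on a
# split-tunnel VPN client. All addresses are made up for this example.
ROUTE_PRINT_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.50     25
        127.0.0.0        255.0.0.0          On-link       127.0.0.1    331
        10.10.0.0      255.255.0.0       10.200.0.1    10.200.0.15     35
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
"""
VPN_IFACE = "10.200.0.15"  # assumed address of the client's VPN adapter


def parse_routes(text):
    """Turn route print lines into (network, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators, "Persistent Routes", etc.
        dest, mask, _gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append((network, iface, int(metric)))
        except ValueError:
            continue  # not an IPv4 route line
    return routes


def select_route(routes, dst):
    """Longest-prefix match; lowest metric breaks ties, as Windows does."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))


def check_dmz_path(route_text, resolved_ip, dmz_network, vpn_iface):
    """Return (interface_used, verdict): 'vpn_route' if traffic to the
    resolved address uses the VPN adapter, 'dmz_leaks_to_default' if a DMZ
    address would follow the default route instead, 'not_dmz' otherwise."""
    chosen = select_route(parse_routes(route_text), resolved_ip)
    iface = chosen[1] if chosen else None
    in_dmz = ipaddress.IPv4Address(resolved_ip) in ipaddress.IPv4Network(dmz_network)
    if not in_dmz:
        return iface, "not_dmz"
    if iface == vpn_iface:
        return iface, "vpn_route"
    return iface, "dmz_leaks_to_default"
```

Paste the real `route print` output in place of the sample; a `dmz_leaks_to_default` verdict means the client has no route for the DMZ range over the tunnel, which is the case the answer above describes.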
Winsoup (Author) commented:
There was another policy that needed to be created in the firewall to allow VPN users to access the DMZ.
Fortinet was able to help with this issue. This can be closed.
Thanks for the replies everyone.

Winsoup (Author) commented:
Fortinet Support provided the solution.