When FortiClient messes up your DNS configuration

It happened to me that using FortiClient destroyed my DNS configuration on OS X (El Capitan).

I could reach web servers by IP but not by DNS name. The reason is that FortiClient registers a global DNS resolver and fills it with the DNS servers configured for the VPN tunnel. If those DNS servers don't resolve public domains, you can't reach websites the way you are used to.

To resolve this issue, the scutil command comes to the rescue.

  1. Open the terminal application and issue the command
    sudo scutil
  2. You are now in the interactive scutil shell
  3. Check if there is a configuration for FortiClient by entering the following command:
    list State:/Network/Service/forticlientsslvpn/DNS

    The shell should print something like subKey [0] = State:/Network/Service/forticlientsslvpn/DNS. If FortiClient hasn't registered any DNS configuration, you will see no keys.

  4. Assuming the key is there, you can peek at the current configuration with
    get State:/Network/Service/forticlientsslvpn/DNS
    d.show

    You will see something like

    {
      ConfirmedServiceID : forticlientsslvpn
      ServerAddresses :  {
        0 : xxx.xxx.xxx.xxx
        1 : yyy.yyy.yyy.yyy
      }
      SupplementalMatchDomains :  {
        0 :
      }
      SupplementalMatchOrders :  {
        0 : 100000
      }
    }

    Remember the IP addresses listed in the ServerAddresses section; those are the VPN's DNS servers. The empty entry under SupplementalMatchDomains is what makes them apply to every name rather than only to the VPN's internal domain.

  5. Now rewrite the entry. Issue the following commands:
    d.init
    d.add ServerAddresses 8.8.8.8 8.8.4.4 <REMEMBERED IP ADDRESSES>
    set State:/Network/Service/forticlientsslvpn/DNS
    quit

    This sets the Google DNS servers as primary resolvers and the previously configured VPN DNS servers as secondary resolvers. Note that d.init starts from an empty dictionary, so the set command replaces the whole entry with just the ServerAddresses list; the ConfirmedServiceID and Supplemental* keys shown above are dropped.

    Two caveats before you adopt this: resolvers try the servers in order and only move on to the next one when the previous one does not answer, so a negative answer from 8.8.8.8 for a name that only the VPN's servers know is final, and internal-only hostnames may stop resolving. And every lookup you do while connected, internal names included, now goes to a public resolver first, which your VPN administrator may not expect.

Tip: You can compare the configurations by executing

scutil --dns

before and after these steps.

Unfortunately, this configuration doesn't survive reboots or VPN reconnects. Therefore, I wrapped these configuration steps in a shell script to automate the task.

#!/bin/bash
# Usage: sudo ./<script name> <VPN DNS IP> [<VPN DNS IP> ...]
# Rewrites the DNS entry FortiClient registered: public resolvers first,
# then the VPN's own DNS servers given on the command line.
# d.init starts from an empty dictionary, so `set` replaces the whole entry.
set -e
scutil <<EOF
d.init
d.add ServerAddresses 8.8.8.8 8.8.4.4 $*
set State:/Network/Service/forticlientsslvpn/DNS
quit
EOF

This script has to be executed with sudo.
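The manual steps and the script above require you to copy the VPN's DNS servers by hand. The following script, an added example that is not part of the original post, reads them from the configuration store itself (the same `get` and `d.show` commands as in step 4) and rewrites the entry with the public resolvers in front, refusing to write anything when no ServerAddresses are found. The key path and dictionary layout are taken from the d.show output above; the embedded sample output and the 192.0.2.x addresses are constructed for the dry run, and the function names and the script name in the comments are my own.

```shell
#!/bin/bash
# Added example, not the post's own script. Reads the VPN resolvers that
# FortiClient wrote into the System Configuration store and rewrites the
# entry with the public resolvers first. Without --apply it only does a
# dry run on the constructed sample below.
set -e

KEY="State:/Network/Service/forticlientsslvpn/DNS"
PUBLIC_DNS="8.8.8.8 8.8.4.4"

# Constructed sample of what `get $KEY` followed by `d.show` prints.
# 192.0.2.x are documentation addresses, not real VPN servers.
SAMPLE_DSHOW='  {
  ConfirmedServiceID : forticlientsslvpn
  ServerAddresses :  {
    0 : 192.0.2.10
    1 : 192.0.2.11
  }
  SupplementalMatchDomains :  {
    0 :
  }
  SupplementalMatchOrders :  {
    0 : 100000
  }
}'

# Print the numbered entries of the ServerAddresses block, in order, one
# per line. Only that block is read, so the "0 : 100000" line of
# SupplementalMatchOrders is ignored.
parse_server_addresses() {
  awk '
    /ServerAddresses[[:space:]]*:/ { inlist = 1; next }
    inlist && /^[[:space:]]*[}]/   { inlist = 0 }
    inlist && /^[[:space:]]*[0-9]+[[:space:]]*:[[:space:]]/ { print $3 }
  '
}

# Public resolvers first, then the VPN servers given as arguments,
# duplicates dropped; prints one space-separated line.
build_server_list() {
  printf '%s\n' $PUBLIC_DNS "$@" |
    awk 'NF && !seen[$0]++ { printf "%s%s", (n++ ? " " : ""), $0 } END { print "" }'
}

# Ask scutil for the live dictionary (macOS only, needs root).
current_server_addresses() {
  printf 'get %s\nd.show\nquit\n' "$KEY" | scutil | parse_server_addresses
}

# Replace the entry with just the new ServerAddresses list, exactly as the
# post's manual steps do (d.init drops the Supplemental* keys).
apply_dns() {
  local vpn list
  vpn=$(current_server_addresses)
  if [ -z "$vpn" ]; then
    echo "no ServerAddresses under $KEY; is the VPN connected?" >&2
    return 1
  fi
  list=$(build_server_list $vpn)
  echo "setting ServerAddresses to: $list"
  printf 'd.init\nd.add ServerAddresses %s\nset %s\nquit\n' "$list" "$KEY" | scutil
}

# Dry run: what the script would write, computed from the sample output.
demo_on_sample() {
  build_server_list $(printf '%s\n' "$SAMPLE_DSHOW" | parse_server_addresses)
}

# `sudo ./fix-forticlient-dns.sh --apply` (hypothetical name) rewrites the
# live entry; anything else just shows the dry run.
if [ "${1:-}" = "--apply" ]; then
  apply_dns
else
  echo "would set ServerAddresses to: $(demo_on_sample)"
fi
```

Because parsing and list building are separate functions, you can check them on a saved d.show transcript before touching the live configuration; the same caveat about public resolvers seeing your internal lookups applies here as to the manual steps.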
