I use the version 6.0.8_149 of forticlient. In the configuration of the forticlient, you can tell him to execute a script at on connect. what is interesting is that I could (with the previous version 5) inject my script that modifies the name servers via dnsutil.

except that since the update to version 6, dnsutil no longer modifies nameservers

I manually tested via sudo scutil:

$sudo scutil
password: *****
> get State:/Network/Service/forticlientsslvpn/DNS
> d.show
<dictionary> {
  ServerAddresses : <array> {
    0 : xxx.xx.xxx.xx
    1 : yyy.yy.yyy.y
    2 : 127.0.0.1
  }
}
> d.remove ServerAddresses
> d.add ServerAddresses * 127.0.0.1 xxx.xx.xxx.xx
> set State:/Network/Service/forticlientsslvpn/DNS
> quit

Still got:

$ cat /etc/resolv.conf
nameserver xxx.xx.xxx.xx
nameserver yyy.yy.yyy.y
nameserver 127.0.0.1

as you can see, the resolv.conf does not change at all.

Does anyone have any ideas?

I thank you in advance for this.