DNS issues with VPN Users

Anyone know of a good way to automatically clean up MS DNS records for VPN users? Our users are never on for more than eight hours at a time and aging/scavenging just isn’t the best solution for such an aggressive timeframe.

I find myself constantly going into DNS and looking for duplicates and deleting them so PDQ will work correctly. We use Pulse Secure for VPN.

Have the DHCP remove the DNS entry when the lease expires?

I had this same issue. On the network adapter for the VPN, IPv4 properties, DNS tab, check the box to “Register this connection’s addresses in DNS.”

Only way I could find to do this remotely is by modifying the rasphone.pbk file. This is the non-optimized code I used.

#Prompt for IP or name
$ComputerName = Read-Host "Please enter a computer name or IP"
Clear-Host

#Retrieve currently logged on user (DOMAIN\user -> user)
$Username = ((Get-WmiObject -ComputerName $ComputerName -Class Win32_ComputerSystem).UserName) -Split '\\'
$Username = $Username[1]

#Build UNC path to the user's RAS phone book via the admin share.
$RASPhoneBook = '\\' + $ComputerName + '\C$\Users\' + $Username + '\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk'
$RASPhoneBook

#File verification: stop if the phone book is not where we expect it.
if (-not (Test-Path -LiteralPath $RASPhoneBook)) {
    Write-Error "rasphone.pbk not found at $RASPhoneBook"
    return
}

#Change flag on file: IpDnsFlags=3 is the remote equivalent of ticking the DNS registration box.
(Get-Content $RASPhoneBook) -Replace 'IpDnsFlags=0', 'IpDnsFlags=3' | Set-Content $RASPhoneBook

I just did a PDQ scan across the VPN subnet, and I’d plug the IP addresses it found in manually.

I managed to successfully resolve this. This may be useful to others having this issue; it’s not clear and the documentation on use cases isn’t great.

So basically our VPN appliance doesn’t just relay DHCP requests, it proxies them so that all lease requests appear to come from the inside interface of the appliance entirely. This severs the link between the requestor and provider and dynamic DNS cannot remove the entry once the lease is removed.

The solution was to move DHCP inside to a MS DHCP server. But that wasn’t all. I also had to create a service account and on the advanced tab of IPv4 for the server enable “DNS Dynamic Update Registration Credentials”. This option will allow the DHCP server to add an ownership entry to the DNS record so that it has permission to delete the record when the lease is removed. (If you run Failover for DHCP these settings need to be on each scope/server.)

At first, I enabled Dynamic updates to always dynamically update DNS records and to remove the lease when done. And it still wasn’t working. I checked the DHCP log and saw the DNS record update was failing. I checked the security of the DNS entry and saw my registration account wasn’t there.

I had to enable DHCP name protection on the scope. It turns out that the VPN appliance orphans the DHCP/DNS update relationship completely. My DHCP scope has to completely own the DNS record created by the DHCP lease. Once I enabled name protection, the records started to show ownership from the service account and DNS entries are removed instantly on lease termination/expiration.

It took a good amount of labbing and staring at Wireshark captures to figure this out; I hope someone finds this useful.
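The DHCP-side settings described in the post above (registration credentials, always update, delete on lease expiry, name protection, repeated on each failover partner), written out with the Windows DhcpServer PowerShell module. This is an added example, not the poster’s own script; the server names, scope ID and account name are placeholders.

```powershell
# Added example: apply the DHCP settings the post describes. Server names, the
# VPN scope ID and the service account are placeholders for your environment.
$DhcpServers = @('dhcp01.example.local', 'dhcp02.example.local')  # both failover partners
$VpnScopeId  = '10.99.0.0'                                        # VPN client scope

# Low-privilege service account that will own the dynamic DNS records.
$Cred = Get-Credential -Message 'DNS dynamic update registration account (DOMAIN\svc_dhcpdns)'

foreach ($Server in $DhcpServers) {
    # Server level: the "DNS Dynamic Update Registration Credentials" setting.
    Set-DhcpServerDnsCredential -ComputerName $Server -Credential $Cred

    # Scope level: always update DNS, remove the A/PTR records when the lease
    # ends, and enable name protection so the scope owns the record outright.
    Set-DhcpServerv4DnsSetting -ComputerName $Server -ScopeId $VpnScopeId `
        -DynamicUpdates Always `
        -DeleteDnsRROnLeaseExpiry $true `
        -NameProtection $true

    # Read back the effective settings for this scope on this server.
    Get-DhcpServerv4DnsSetting -ComputerName $Server -ScopeId $VpnScopeId |
        Select-Object @{n='Server';e={$Server}}, DynamicUpdates, DeleteDnsRROnLeaseExpiry, NameProtection
}
```

After the change, check the DHCP server log for failed DNS updates and confirm that new records in the VPN zone show the service account as owner; if the new credentials are not picked up, restart the DHCP Server service.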

Thanks for all your replies, it seems as though moving DHCP from the VPN appliance to a machine running MS DHCP will be the best option.

Lots of options there for DHCP/DNS records I didn’t realize were there.

Can you use a different DHCP server for the VPN subnet? I use Check Point as our VPN and I have the option to configure a scope just for VPN users, and Check Point deletes the lease after the max login time, in our case it’s 12 hours.

Uncommon answers:

  • Static addressing for VPN users. This can be specified in RADIUS, if you’re using that.
  • Transition from VPN to non-VPN configurations using HTTPS/TLS.

PDQ should handle stale addresses - it will test all addresses it finds. In Options->Preferences->Scanning, make sure “Ping before scanning” is enabled, and Wake-on-LAN scanning is disabled.

Never used Pulse Secure as a VPN (I always create OpenVPN servers); check in the server settings if you can force clients to flush the DNS records.

A lot of VPN solutions don’t use an MS DHCP server, but hand out VPN IPs from an internal list (OpenVPN-based solutions).

DHCP leases and DNS entries are two separate things.

That doesn’t help with PDQ if there’s a stale entry for two machines with the same IP.

Pure OpenVPN should be able to use some external scope and DHCP, no?

I get that. I am guessing that you don’t have your DHCP server or servers clean up leases and purge DNS entries after they have expired?

Do you have dynamic DNS updates enabled?

The Pulse Secure appliance is the DHCP server and does not have those options.

Can you post a screenshot of any relevant GPOs?