Apr 22 2019 11:18 AM
Apr 22 2019 11:18 AM
I've been trying to fine-tune our NIDS configuration (which predates my employment here) and more specifically trying to figure out why certain IP addresses/ranges that we don't use, keep appearing in reports/logs.
I think I've figured out the root cause, but I'm not sure of the best way to fix it:
We have a number of remote users who connect to our network by VPN. As best I can tell, when their laptops connect to the network, they're sending updates to the DNS server running on the DC with both the IP address of their VPN interface (routable on our network) and their private IP address on their home LAN (obviously not routable) - if I do an nslookup on a domain machine, the DC returns two A records, one for each address.
This has a slight ripple effect through the network - which manifests mostly with Windows Update Delivery Optimization, where the peer discovery process frequently gets the non-routable private IP somehow and then tries to download Windows updates from it.
Long story short: what is the best way to prevent VPN'ed machines from registering external private IP addresses with the DNS server running on the DC?
May 14 2020 07:14 AM
We are experiencing the exact same issue, please respond if you found a resolution to this issue.
Jun 08 2020 05:24 PM
@Hohmaniacs1 Ditto! I'm seeing their home LAN IP as well as their VPN IP. This is totally strange. I'm assuming it has something to do with our Firewall because when I connect in via Azure VPN instead of our default Firewall VPN no DNS record even shows up for my test device.... now I have 2 concerns. Unable to reach an Azure connected client and having an unroutable LAN IP address in my DNS. Weird.
Jun 08 2020 05:32 PM
I have a case open with Microsoft, will update when I hear anything. So far they have no clue.
Jun 16 2020 08:23 AM - edited Jun 22 2020 10:22 AM
Think I may have found the cause of our VPN Endpoints forwarding their VPN IP as well as their home LAN IP in our internal DNS. There was a IP Helper set in our Fortigate Firewall that was set to "help" DNS pass though. After disabling it then connecting to VPN from my test machine I'm now only seeing the routable VPN IP address and not the Endpoints Home LAN IP address. I tried removing the invalid DNS entries but they slowly show back up, it appears this setting may require an endpoint to disconnect and then reconnect in order to be applied.
Dunno if that will help your situation but that appears to be what was causing our DNS issue.
Correction: This did not resolve our DNS issue for remote clients. I'm leaving that up as an idea for others but I did finally find out what is causing it. If a user connects from home and is hardwaired and connected via WiFi, they then connect to VPN and the tunnel utlizes one adapter. The adapter it isn't using is the IP address of the device that gets added to our DNS. The Local LAN IP address of the adapter VPN is utilizing is NOT added to our DNS.
I've still yet to find a solution to this other then disabling the WiFi adapters or disabling the "Register this connection's address in DNS".
Jun 25 2020 04:28 PM
Here is the fix, https://support.f5.com/csp/article/K02674159
Create this key and your done.
Jun 26 2020 08:29 AM
Is this specific to BIG-IP Edge Clients? The registry entry looks generic, just wanted to make sure.
Oct 19 2020 03:50 PM
@Hohmaniacs1 - That key doesn't appear to work with third party VPN like FortiClient, so it's most likely not a one-size-fits-all fix.