VPN Subnet clients not registering in DNS

  • Question

  • Hello,

    Noticed an odd issue today, and in my opinion a bit of an odd setup by the networking team who manages the Cisco VPN hardware and settings (I'm more of a Windows guy).

    • Cisco device handles VPN connection, handles DHCP for VPN clients, and points to my Windows DNS servers
    • A client connects to a VPN service in City A, authenticates to an AD DC in City A
    • A client receives 172.1.1.x IP via Cisco DHCP service
    • Cisco DHCP service says to client to use a Primary DNS server in Azure (odd), and a secondary DNS server in City B
      (double take odd!)
      (yes, the DC in City A is already running DNS for other subnets.  redonkulous, sigh)
    • So now the client is connected,
    • can authenticate with AD,
    • can access resources and DNS names etc. 
    • BUT I found that the servers cannot find the client (push policies, updates, remote control, etc)

    In DNS, I see in some cases there are many devices with the same IP address (scavenging is setup, and secure updates enforced), and for this particular example, the device is not in DNS at all.  I waited an hour, tried IPCONFIG /REGISTERDNS, no change.

    A few days ago, a different computer connecting from the Philippines, same method, same VPN.  However, when pinging the computer the wrong IP address was returned.  After about 15-30 minutes, the wrong IP address was "forgotten" and the proper device became pingable.

    So, I have a few questions:

    1) any tips or ideas what may be going on?

    2) are my assumptions correct?

    • when the cisco device hands out an IP, the DHCP service would be trying to create DNS records, correct?
    • if the networking guys did not setup some kind of authentication for DHCP to my AD servers for DNS registration, my DNS settings would have to require unsecure updates, correct?
    Thursday, February 16, 2017 6:23 AM

All replies

  • Hi Drew,

    >> I see in some cases there are many devices with the same IP address

    Have you checked whether the address is correct on the devices?

    >>when pinging the computer the wrong IP address was returned

    Did you ping the computer by using its FQDN?

    >> I waited an hour, tried IPCONFIG /REGISTERDNS, no change.

    Have you tried manually deleting the device's A record before the command is run?

    >>when the cisco device hands out an IP, the DHCP service would be trying to create DNS records, correct?

    No, the DNS Client service will update the A record, and the DHCP server will update the PTR record, if the DHCP server has been enabled to dynamically update records on the DNS server.

    >>if the networking guys did not setup some kind of authentication for DHCP to my AD servers for DNS registration, my DNS settings would have to require unsecure updates, correct?

    No, you could configure unsecure updates even though there is no policy for the DHCP server.

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 17, 2017 5:53 AM
  • Hi Drew,

    are my assumptions correct?

    • when the cisco device hands out an IP, the DHCP service would be trying to create DNS records, correct?

     - if the Cisco DHCP service has the right to update your DNS zones - yes, if it doesn't have it - no. You can (if you can on Cisco) configure a certain user account under which the DHCP service will update the DNS zones, give this account permissions to read/write/create/delete child objects in your zones and see if it helps.

    • if the networking guys did not setup some kind of authentication for DHCP to my AD servers for DNS registration, my DNS settings would have to require unsecure updates, correct? - no for the forward zone. If your VPN clients use domain accounts they can update their DNS records (at least A) directly in DNS, in this case it does not matter how your DHCP is authorized/not authorized in AD. For the PTR zone probably yes. (I'm writing probably because I often see PTR records in my reverse zones which are registered (owned) NOT by the DHCP server but by the respective computer accounts themselves, much like those in A-zones).

    Regards,

    Michael


    • Edited by MF47 Tuesday, February 21, 2017 7:09 PM typo
    Tuesday, February 21, 2017 7:08 PM
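An added diagnostic script, not from this thread or from either poster, that checks the points John and Michael raise from the DNS server side: the forward zone's dynamic-update and aging settings, which 172.1.1.x addresses are claimed by more than one A record (and how stale each is), and whether a given client is registered at all. It assumes the DnsServer RSAT module; the zone name and client host name are placeholders.

```powershell
# Added example (not the thread's own code). Run on a Windows DNS server or a host with the
# DnsServer RSAT module. $ZoneName and the client name below are placeholders.
Import-Module DnsServer

$ZoneName  = 'corp.example'   # placeholder forward zone hosted on the AD DNS servers
$VpnPrefix = '172.1.1.'       # the VPN client pool from the question

# 1. Zone-level settings: 'Secure' means only authenticated principals (domain computer
#    accounts, or a DHCP server with rights on the zone) can register; 'NonsecureAndSecure'
#    lets anyone register. Aging/scavenging decides how long a stale record lingers.
$zone  = Get-DnsServerZone -Name $ZoneName
$aging = Get-DnsServerZoneAging -Name $ZoneName
[pscustomobject]@{
    Zone          = $zone.ZoneName
    DynamicUpdate = $zone.DynamicUpdate
    AgingEnabled  = $aging.AgingEnabled
    NoRefresh     = $aging.NoRefreshInterval
    Refresh       = $aging.RefreshInterval
} | Format-List

# 2. A records inside the VPN pool, grouped by IP so addresses shared by several hosts
#    (the "many devices with the same IP" symptom) stand out, with each record's age.
$vpnRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -like "$VpnPrefix*" }

$vpnRecords |
    Group-Object -Property { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Output "IP $($_.Name) is claimed by $($_.Count) hosts:"
        foreach ($rec in $_.Group) {
            # Timestamp is $null for static records; an old timestamp marks a scavenging candidate.
            $age = if ($rec.Timestamp) { [int]((Get-Date) - $rec.Timestamp).TotalHours } else { 'static' }
            Write-Output ("   {0,-30} ageHours={1}" -f $rec.HostName, $age)
        }
    }

# 3. Does a given client have an A record, and does the reverse lookup of that IP agree?
function Test-ClientRegistration {
    param([Parameter(Mandatory)][string]$HostName)
    $a = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $HostName -ErrorAction SilentlyContinue |
         Select-Object -First 1
    if (-not $a) { return "NO A RECORD for $HostName in $ZoneName" }
    $ip  = $a.RecordData.IPv4Address.IPAddressToString
    $ptr = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { '<no PTR>' }
    "{0} -> {1}; reverse lookup of {1} -> {2}" -f $HostName, $ip, $ptr
}
Test-ClientRegistration -HostName 'vpn-laptop01'   # placeholder client name
```

A client whose A record is missing while the zone is set to Secure points at the registration path (the client's credentials or the DHCP server's zone rights), whereas duplicate records with old timestamps point at aging and scavenging intervals.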