Help cleaning up DNS issues with DHCP/DNS config

  • Question

  • We are having problems with duplicate DNS records or records not getting updated depending on where the client is connecting from.  We've got 3 primary DHCP zones - LAN, WLAN, VPN - and each presents its own issue.  VPN addresses are currently being handed out by our ASA using Anyconnect.  Those DNS records aren't getting deleted or updated when a client disconnects, so we end up with an IP having multiple A records.  Also, when a user transitions between WLAN and LAN or vice versa, the DNS record isn't always being updated, so it'll have the LAN address when they're connected to WLAN.

    DHCP is configured to update DNS, always dynamically update A/PTR, and discard when lease is deleted.

    Currently, I'm using the DNSProxyUpdate AD group to allow that updating.

    I have scavenging set up for 4d no-refresh/4d refresh, running every 7 days.

    Lease times:

    LAN=8d

    WLAN=1d

    VPN=unknown, but seems very short.

    How should I go about tidying this up? Thank you

    Wednesday, February 22, 2017 8:58 PM

All replies

  • Hi, aobrien5. Looks like you need to somehow monitor your VPN connections to get a clue about how to configure your DNS (they can happen every 1 hr or every 24 hr; those numbers aren't the same). It can surely be done with SNMP. After getting a "full picture" you should make a decision. You shouldn't start with a very aggressive configuration without obtaining "field info".
    Wednesday, February 22, 2017 11:04 PM
  • Hi Aobrien,

    >> Those DNS records aren't getting deleted or updated when a client disconnects

    Please check if the DHCP server has permission to delete the A records of clients.

    Have you tried to update the A records by running a command?

    How about PTR records? Could PTR records be registered by the DHCP servers?

    Have you found any related information on the DHCP server or DNS server?

    You could check the similar case below to troubleshoot the issue:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/8d4b5f8e-3290-4a9b-8f9d-68fafdd895a2/dhcp-service-not-siscarding-a-and-ptr-records-in-dns-when-lease-is-deleted?forum=winserverNIS

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 23, 2017 7:00 AM
  • So, for the Anyconnect, it's not using any kind of DHCP, just an internal IP address pool that it cycles through.  Clients are submitting their own DNS records and so I'm guessing they won't be deleted until they're scavenged.  Seems like that's less than ideal.

    I'm going to create a DNSUpdateProxy user account for DHCP to use.  Does that need any special permissions set anywhere?  Anything else that should be done to prep the existing records for that new account?

    Friday, February 24, 2017 9:17 PM
  • Hi Aobrien,

    >>Does that need any special permissions set anywhere?  Anything else that should be done to prep the existing records for that new account?

    You could check the link below for further understanding:

    DNS Record Ownership and the DnsUpdateProxy Group

    https://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx

    Best Regards

    John


    Monday, February 27, 2017 4:10 AM
  • I've got the user configured for DHCP updates now.

    I've also moved Anyconnect to use the DHCP server and that's working well (with a 2hr lease period). However, the DNS records are not being removed when the lease expires and duplicates are still being registered.  Why is that? Where can I look to find the problem?


    Edit: The DNSUpdateProxy group doesn't have any rights to the DNS record, but the DNSAdmins group does.  I added my user to that group now, too.  The record's owner is listed as the machine it relates to, not the DHCP server.  Is this relevant/correct?
    • Edited by aobrien5 Tuesday, February 28, 2017 5:18 PM more info
    Tuesday, February 28, 2017 5:01 PM
  • Hi Aobrien,

    >>Why is that? Where can I look to find the problem?

    You could create an event for the DNS server, and check which device registers this record.

    >>The records owner is listed as the machine it relates to, not the DHCP server.  Is this relevant/correct?

    Yes, if you have configured clients to register their A records with the DNS server, it is correct.

    Best Regards

    John


    Wednesday, March 1, 2017 3:03 AM
  • Got a document on how to create the event?

    I have logging turned on but all I see are "bad packet" events and zone transfers.

    Wednesday, March 1, 2017 6:16 PM
  • Hi Aobrien,

    Please check the link below to create an event for the DNS server:

    DNS Logging and Diagnostics

    https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx

    Best Regards

    John


    Thursday, March 2, 2017 2:13 AM
  • How about for 08R2?  I'm not finding related documents for that.

    FWIW, all of my problems are persisting with the changes that have already been made.  Disconcerting.

    Edit: Well, I found the Diagnostic Logging tab and most of the things I see are like this:

    3/3/2017 2:44:19 PM 08F0 PACKET  00000000035F97A0 UDP Rcv 10.x.x.14       2c8e   U [0028       NOERROR] SOA    (7)domain(3)com(0)

    3/3/2017 2:44:20 PM 0438 PACKET  00000000035F97A0 UDP Snd 10.x.x.14       2c8e R U [05a8       REFUSED] SOA    (7)domain(3)com(0)

    Why are my VPN clients trying to Update the SOA record?

    • Edited by aobrien5 Friday, March 3, 2017 8:55 PM
    Friday, March 3, 2017 8:32 PM
  • Hi Aobrien,

    As far as I know, a client will not update the SOA record on the DNS server.

    And when a client performs record registration, it will query the SOA record based on its local suffix.

    Best Regards

    John


    Monday, March 6, 2017 1:47 AM
  • The U here before the bracket indicates an Update request.  The second record (the response) is refusing, obviously.

    2c8e   U [0028       NOERROR] SOA    (7)domain(3)com(0)

    2c8e R U [05a8       REFUSED] SOA    (7)domain(3)com(0)

    But why aren't these being registered by the DHCP server so they can be deleted when the lease expires?  Or, since the DHCP server is using an account with rights, why isn't it deleting the records when the lease expires no matter who registers/updates it?

    Monday, March 6, 2017 2:41 PM
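    A small parser for the DNS debug-log lines quoted in the two posts above, as an added example that is not part of this thread (the sample lines are constructed: the posted request/response pair plus a made-up ordinary A query from a second address). It separates dynamic-update (U) traffic from ordinary queries, pairs each update with the server's reply by transaction id, and counts REFUSED updates per client and zone, which is what you want to know when deciding whether clients or the DHCP server should own registrations.

```python
import re
from collections import Counter

# Constructed sample in the Windows DNS debug-log format quoted in the thread: the
# first two lines copy the post's request/response pair, the third is a made-up A query.
SAMPLE_LOG = """\
3/3/2017 2:44:19 PM 08F0 PACKET  00000000035F97A0 UDP Rcv 10.x.x.14       2c8e   U [0028       NOERROR] SOA    (7)domain(3)com(0)
3/3/2017 2:44:20 PM 0438 PACKET  00000000035F97A0 UDP Snd 10.x.x.14       2c8e R U [05a8       REFUSED] SOA    (7)domain(3)com(0)
3/3/2017 2:45:01 PM 08F0 PACKET  00000000035F9800 UDP Rcv 10.x.x.57       1a2b   Q [0001   D   NOERROR] A      (4)host(7)domain(3)com(0)
"""

# date time thread PACKET pkt-id proto Snd/Rcv peer-ip xid R-flag opcode(Q/N/U) [flags rcode] qtype qname
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<thread>[0-9A-F]+) PACKET\s+(?P<pkt>[0-9A-F]+) (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-f]{4}) (?P<resp>[R ]) "
    r"(?P<op>[QNU ]) \[(?P<hdr>[^\]]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

def decode_name(wire: str) -> str:
    """Turn the log's length-prefixed '(7)domain(3)com(0)' into 'domain.com'."""
    labels = re.findall(r"\((\d+)\)([^(]*)", wire)
    return ".".join(text for length, text in labels if int(length) > 0)

def parse_line(line: str):
    """Parse one PACKET line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["response"] = rec["resp"] == "R"
    rec["rcode"] = rec["hdr"].split()[-1]   # last token inside [...] is the rcode
    rec["name"] = decode_name(rec["qname"])
    return rec

def refused_updates(lines):
    """Pair each dynamic UPDATE (opcode U) received from a client with the server's
    reply carrying the same xid; count REFUSED replies per (client IP, zone)."""
    pending, refused = {}, Counter()
    for rec in map(parse_line, lines):
        if rec is None or rec["op"] != "U":
            continue
        key = (rec["ip"], rec["xid"])
        if rec["dir"] == "Rcv" and not rec["response"]:
            pending[key] = rec
        elif rec["dir"] == "Snd" and rec["response"] and key in pending:
            zone = pending.pop(key)["name"]
            if rec["rcode"] == "REFUSED":
                refused[(rec["ip"], zone)] += 1
    return refused
```

    In a DNS UPDATE message the question section is the zone section, so "SOA domain.com" names the zone being updated rather than an SOA record the client is trying to change; a REFUSED reply means the server rejected that client's update to the zone.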
  • Hi Aobrien,

    >>why aren't these being registered by the DHCP server so they can be deleted when the lease expires?

    You could configure it on the DHCP server.

    Please reference the picture below to understand it:

    Best Regards

    John


    Tuesday, March 7, 2017 2:12 AM
  • Thanks, but that's how mine has always been configured.  It's just not working.
    Tuesday, March 7, 2017 2:08 PM
  • Hi Aobrien,

    I am sorry that this issue still hasn't been resolved.

    If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au

    Have a nice day!

    Best Regards

    John


    Wednesday, March 8, 2017 2:50 AM