DHCP lease time and DNS scavenging

asked 2021-11-22T11:19:25.86+00:00
Michael Owen 1 Reputation point

Got a problem. We have 1 company who look after our servers with DHCP and DNS. We also have another company who look after our VPN. When it was all set up (before my time) the server assigns the DHCP leases to our local network but when coming through the VPN the 2nd company have set up the DCHP lease to come from their firewall.

The problem is this. the firewall leases the DHCP to last only as long as the client is connected. Once they disconnect the IP address is released back into the pool. But the DNS records are not updating so we are ending up with multiple devices with the same IP in DNS. This is causing a lot of issues from really slow connections through the firewall and support staff not being able to remote on to help (on 1 IP there where 8 devices).

Is there a way to fence off the VPN DHCP subnet so DNS can be set to scavenge the address quicker than the local devices?

Hope this makes sense.

Thanks

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
8,141 questions
Windows DHCP
Windows DHCP
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.DHCP: Dynamic Host Configuration Protocol (DHCP). A communications protocol that lets network administrators manage centrally and automate the assignment of Internet Protocol (IP) addresses in an organization's network.
925 questions
Windows Server Management
Windows Server Management
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Management: The act or process of organizing, handling, directing or controlling something.
340 questions
No comments
{count} votes

5 answers

Sort by: Most helpful
  1. answered 2021-11-23T09:56:22.203+00:00
    Limitless Technology 37,286 Reputation points

    Hi there,

    When the scavenging period is configured on a DNS server, the timer starts for 7 days (or whatever the configured value is). Once the timer expires, the scavenging process runs. 7 days for scavenging is a default setting, you can leave it alone or configure whatever value you want.

    However, there is a simple way to speed up DNS propagation:
    Define or modify an A record that points your hostname to the new destination IP address.
    Set a minimal TTL for that DNS record—we recommend 5 minutes. Below that, many ISPs might ignore the TTL and retain the old record in cache.

    Here is a link as well to help you out https://learn.microsoft.com/en-us/answers/questions/57082/dns-aging-and-scavenging.html

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--

    No comments

  2. answered 2021-11-23T14:22:42.177+00:00
    Michael Owen 1 Reputation point

    Thanks for the response.
    My problem is this. Scavenging is set to 7 days the same as the DHCP lease on the local network.
    Along can a firewall (FortiGate) which handles the VPN's and assigns the IP addresses for the VPN. These are set to go back into the pool one the VPN is broken/disconnected but DNS is holding onto the record for 7 days. Then someone else logs on to the VPN and picks up the IP address that has just been dropped and the DNS record now has 2 devices pointing at the same IP in DNS.
    Once this happens if someone logs a call for a faulty device we try to remote on and we connect to the second persons device as there are 2 records (If this makes sense my head is pickled trying to think it out). The crowd who set up the servers have 4 DC's and all of them are running DNS servers (a little overkill in my opinion) so we have to log on to each server and remove the records then get both users to log off the VPN, reboot and log back on again. This can be a pain but what makes it worse is (and this happened 3 times yesterday) the user logs back on to the VPN and get assigned a DCHP lease that is already attached to another device in the DNS records. So we then have to track down the issue again.
    Is there a way to segregate the VPN IP range in DNS so we can set them to scavenge every 5 minutes and leave the main DHCP as is on 7 days?

    Thanks

    No comments

  3. answered 2022-01-20T15:20:48.617+00:00
    Rusnak, Alan 1 Reputation point

    @Michael Owen , did you ever figure out a resolution to this issue? We are having the EXACT same problem and are experimenting with different lease/scavenging intervals, but nothing seems to eliminate the problem entirely.

    No comments

  4. answered 2022-01-24T15:30:32.817+00:00
    Michael Owen 1 Reputation point

    Hi RusnakAlan

    Sorry to say I haven't worked it out yet. The only way to stop too many issues is to delete all the DNS records for the VPN subnet every night manually. This means I only get a few problems during the day when people log on to the VPN multiple times due to moving about or disconnects.

    No comments

  5. answered 2022-11-30T12:49:08.773+00:00
    David Trevor 231 Reputation points

    We deal with the exact same problem and I solved this issue by manually clearing out the duplicate DNS values via Powershell. We run the following script every 5 minutes on the domain controller. Be sure to modify the 5 variables at the top. This script only works when the VPN subnet is uniquely identifiable in DNS and does not share IPs with other subnets. Another requirement is that the VPN clients must be pingable and reachable via Invoke-Command. It is also only written for IPv4. Hope this helps you.

    $DnsServer = "DC.company.local"  
    $Subnet = "192.168.200." # enter IP up to the point where the VPN subnet is uniquely identified within the DNS zone  
    $ForwardZone = "company.local"  
    $ReverseZone = "200.168.192.in-addr.arpa"  
    $forwardZoneRegex = [regex]"(.*\.company\.local)" # same as ForwardZone but add .* in front of it and escape all dots  
      
    function cleanForwardZone {  
        # get all VPN IP addresses from the DNS server and count them  
        $VpnIPs = @{}  
        Get-DnsServerResourceRecord -ZoneName $ForwardZone -ComputerName $DnsServer -RRType A | Where-Object {($_.RecordData.IPv4Address.IPAddressToString).StartsWith($Subnet)} | ForEach-Object {  
            $VpnIPs[$_.RecordData.IPv4Address.IPAddressToString] ++  
        }  
      
        # extract duplicate IPs from Hashtable and put them into a new array  
        $duplicateVpnIPs = @()  
        $VpnIPs.GetEnumerator() | Where-Object {$_.Value -gt 1} | ForEach-Object {  
            $duplicateVpnIPs += $_.Key.ToString()  
        }  
      
        if ($duplicateVpnIPs) {  
            foreach ($duplicateVpnIP in $duplicateVpnIPs) {  
                $sortedNodes = Get-DnsServerResourceRecord -ZoneName $ForwardZone -ComputerName $DnsServer -RRType A | Where-Object {$_.RecordData.IPv4Address.IPAddressToString -eq $duplicateVpnIP} | Sort-Object Timestamp  
                  
                if ($null -eq $sortedNodes.Count) {  
                    # this handles an edge case where one of the duplicate DNS entries was removed between the first and second call of Get-DnsServerResourceRecord, so the duplicate entry does not exist anymore. In this case $sortedNodes is not an array (only one element) and $sortedNodes.Count does not return anything  
                    continue  
                }  
      
                if (($sortedNodes[$sortedNodes.Count - 1].Timestamp) -eq ($sortedNodes[$sortedNodes.Count - 2].Timestamp)) {  
                    # the last two timestamps are identical. We need to find out which host is the right one. Invoke-Command only responds when the -ComputerName matches the actual hostname  
                    $host1 = Invoke-Command -ComputerName $sortedNodes[$sortedNodes.Count - 1].HostName -ScriptBlock {hostname} -ErrorAction SilentlyContinue  
                    $host2 = Invoke-Command -ComputerName $sortedNodes[$sortedNodes.Count - 2].HostName -ScriptBlock {hostname} -ErrorAction SilentlyContinue  
                  
                    if (($null -eq $host1) -and ($null -eq $host2)) {  
                        # both hosts were unreachable, delete all DNS entries  
                        $nodesToDelete = $sortedNodes  
                    } elseif ($null -ne $host1) {  
                        # host1 responded to the Invoke, he is the right one. Delete all but him  
                        $nodesToDelete = $sortedNodes | Where-Object {$_.HostName -ne $host1}  
                    } elseif ($null -ne $host2) {  
                        # host2 responded to the Invoke, he is the right one. Delete all but him  
                        $nodesToDelete = $sortedNodes | Where-Object {$_.HostName -ne $host2}  
                    }  
                } else {  
                    # no latest duplicate timestamp found. Keep latest entry and delete all others  
                    $nodesToDelete = $sortedNodes | Sort-Object Timestamp | Select-Object -First ($sortedNodes.Count - 1)  
                }  
                $verboseOutput = $nodesToDelete | Remove-DnsServerResourceRecord -ZoneName $ForwardZone -Force -Verbose 4>&1  
            }  
        }  
    }  
      
    function cleanReverseZone {  
        $PTRs = Get-DnsServerResourceRecord -ZoneName $ReverseZone -ComputerName $DnsServer -RRType PTR  
        foreach ($PTR in $PTRs) {  
            $hostName = ([regex]::Match($PTR.RecordData.PtrDomainName,$forwardZoneRegex)).Groups[1].Value  
            $forwardIP = (Resolve-DnsName -Name $hostName -DnsOnly -Type A -Server $DnsServer -ErrorAction SilentlyContinue).IPAddress  
            $reverseIP = $Subnet + $PTR.Hostname  
            $pingResult = Test-Connection -Count 1 -ComputerName $ReverseIP -Quiet  
      
            if ($pingResult -eq $false) {  
                # the host would get another IP the next time anyway, so we can safely delete the IP. Also we have to delete the record so that a new client can safely claim the PTR record  
                $verboseOutput = $PTR | Remove-DnsServerResourceRecord -ZoneName $ReverseZone -Force -Verbose 4>&1  
            } elseif (($pingResult -eq $true) -and ($forwardIP -eq $reverseIP)) {  
                # the IPs match, which means that the PTR record is correct because it mirrors the A record. Do nothing in this case. The possibility of multiple A records with the same IP is getting eliminated because we run "cleanForwardZone" first  
            } elseif ($forwardIP -ne $reverseIP) {  
                $verboseOutput = $PTR | Remove-DnsServerResourceRecord -ZoneName $ReverseZone -Force -Verbose 4>&1  
            }  
        }  
    }  
      
    # call functions  
    cleanForwardZone  
    cleanReverseZone  
    
    No comments