Dynamic DNS Registration over VPN?
Solution 1
In the SSLVPN adapter, in TCP/IP properties, DNS, make sure "Register this connection's addresses in DNS" is actually checked.
Often on a VPN connection it isn't...
Solution 2
Your clients are not registering their IP addresses with DNS for the simple reason that they're not configured to, when connecting to the VPN. This behavior is called Dynamic DNS Registration, and in Windows, is a per-network adapter setting. Through the GUI, you'd enable or disable this on the network adapter Properties, the Networking tab, TCP/IP Properties, Advanced, DNS tab, as shown below.
Fortunately, it's possible to correct this for all your users. Unfortunately, it's not as simple as it should be - there's no built-in GPO that controls this specific setting, which leaves this task up to scripts, or manual intervention. Hopefully the manual intervention road needs no real explanation (tell your users to do it, and/or do it for the ones who can't/won't), but there are three approaches to this problem that may merit some explanation.
- Offload the DDNS registration work to your DHCP server.
  - This may be a configurable option on your Fortinet (to register DHCP clients with a DNS server you provide).
- Script the DDNS registration on the clients.
  - I'm not one to reinvent the wheel, so see Evan Anderson's answer, that includes a script you'd use, to a similar question.
    - If you want to roll your own PowerShell script, you'd be looking at the SetDynamicDNSRegistration method of the Win32_NetworkAdapterConfiguration class.
  - I would think the best results would be achieved by combining such a script with a logon or startup GPO, but could be implemented in other or simpler ways as well.
- Check the VPN client installer documentation to see if this is a configurable option.
  - When I had a similar issue at an old job, using the Cisco VPN client, DDNS registration was configurable via a simple config file in the installer package, which I altered to suit our needs and then baked into all our laptop images.
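One way to script the second approach with the SetDynamicDNSRegistration method mentioned above. This is an added example, not code from the answer or from Evan Anderson's script; the function name Enable-VpnDdnsRegistration and the adapter description pattern are assumptions to adjust for your VPN client.

```powershell
#Requires -RunAsAdministrator
# Added example: tick "Register this connection's addresses in DNS" on the VPN adapter.
param(
    # Assumption: wildcard matching the VPN adapter's Description; adjust for your client.
    [string]$AdapterPattern = '*SSL*VPN*'
)

function Enable-VpnDdnsRegistration {
    param([Parameter(Mandatory)][string]$Pattern)

    # Only IP-enabled adapters are considered, so run this while the VPN is connected.
    $adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Where-Object { $_.Description -like $Pattern }

    if (-not $adapters) {
        Write-Warning "No IP-enabled adapter matches '$Pattern' (is the VPN connected?)"
        return $false
    }

    $changed = $false
    foreach ($a in $adapters) {
        if ($a.FullDNSRegistrationEnabled) {
            Write-Verbose "$($a.Description): registration already enabled"
            continue
        }
        # The first argument is the GUI checkbox. The second (register the
        # connection-specific suffix) is passed back unchanged.
        $r = Invoke-CimMethod -InputObject $a -MethodName SetDynamicDNSRegistration -Arguments @{
            FullDNSRegistrationEnabled   = $true
            DomainDNSRegistrationEnabled = [bool]$a.DomainDNSRegistrationEnabled
        }
        # 0 = success, 1 = success but reboot required; anything else is an error.
        if ($r.ReturnValue -gt 1) {
            Write-Error "$($a.Description): SetDynamicDNSRegistration returned $($r.ReturnValue)"
            continue
        }
        $changed = $true
    }
    return $changed
}

if (Enable-VpnDdnsRegistration -Pattern $AdapterPattern) {
    # Register the address now instead of waiting for the next refresh.
    ipconfig /registerdns | Out-Null
}
```

Because the setting is per adapter and the script needs elevation, it fits a startup script or a scheduled task running as SYSTEM better than a user logon script.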
MartinC
Updated on September 20, 2022
Comments
-
MartinC 9 months
In our Windows AD domain, we have 2 DCs that also act as our DNS servers which allow the client computers to update their A records. We have a lot of outside salespeople, so some of our laptops have to go off-site for long periods of time and connect in through our (full tunnel) SSL VPN, using a Fortinet VPN client. DNS over the VPN tunnel works fine, VPN clients are able to resolve local hostnames perfectly.
The problem is that the clients connecting in over the VPN do not update the DNS records with their SSLVPN Adapter IP address. In fact, they don't update the DNS server at all. From my research, I've determined that clients are supposed to send an update to the DNS server "when a change occurs," but that doesn't seem to happen when the SSL VPN adapter connects and gets an IP address.
I have thought about deploying PowerShell scripts to all of the computers that employ the DNSCMD command when it detects that the SSL VPN adapter has an IP address, but that solution is far from ideal, feels overly complicated and very messy. I am hoping there is a simpler solution to this that I have not been able to dig up.
-
MartinC about 9 years
1) Client-to-site SSLVPN (full-client, full-tunnel) FortiClient is the VPN software specifically. 2) I need to be able to run several powershell scripts against their computers regardless if they are in the office or in the field, but I don't know where they are going to be at the time the script is run, thus I need DNS to update with the proper IP if they are on the VPN.
-
HopelessN00b about 9 years
"I need to be able to run several powershell scripts against their computers"
Why not use Group Policy?
-
MartinC about 9 years
Use GP to do what exactly? I'm not a GP guru so the only thing I can think of is putting the script on each computer then scheduling a task through GP. This might be OK for some scripts, but I don't want to actually allow scripting on the client computers and sometimes I want to run these scripts on-demand, I'm gathering what I need through Get-WmiObject for the most part.
-
kralyk about 9 years
Are the VPN clients getting their IP from the Fortinet or from a Windows DHCP server? When a client is connected over VPN can they manually register via ipconfig /registerdns or does that not work either? Also, in the SSLVPN adapter, in TCP/IP properties, DNS, is "Register this connection's addresses in DNS" actually checked?
-
MartinC about 9 years
@TheCleaner "Register this connection's addresses in DNS" Oh my God, I looked all over the adapter for something like that. I will try that out and see if it works with my laptop tonight. Now to how to change that on all of the computers if it works :/
-
kralyk about 9 years
@MartinC - I'll set it as an answer for now, but if you find it still isn't working I'll retract it later.
-
joeqwerty about 9 years
Silly question, but why do they need to update DNS if they're offsite? Is the lack of DNS registration causing some issue?
-
HopelessN00b about 9 years
@joeqwerty Check his first comment - looks like he wants to run scripts against client machines that may or may not be connected through the VPN. Having all your clients registered in DNS gives you a handy directory of hostnames to target your scripts against.
-
joeqwerty about 9 years
I missed that. My apologies.
-
MartinC about 9 years
I'll probably go with #2, thanks for the additional info :)
-
MartinC about 9 years
Worked like a charm!
-
Steve Lorimer over 4 years
@HopelessN00b are you aware of any way to do this in Linux?
-
Steve Lorimer over 4 years
@TheCleaner are you aware of any way to do this in Linux?
-
HopelessN00b over 4 years
@SteveLorimer No, but that sounds like a good question to ask.
-
kralyk over 4 years
@SteveLorimer - this is about the best you'll get if the DNS server is Windows based: serverfault.com/a/20082/7861