Forum Discussion
DNS duplicate record issue
Hey, Greg.
It doesn't necessarily sound like a permissions issue to me, to be honest. Happy to be wrong but I'll explain why I say that.
Behind the DNS Server service, the records are stored in an Active Directory partition - which I'm sure you already know (typically, they'll be in the DC=DomainDnsZones,... partition.)
What you see as two (or more) records in the DNS management console (or PowerShell) is actually just a single object within that AD partition, so from a permissions perspective, if you're seeing any kind of change at all, be that adding a new record (what you're seeing), changing an existing one, or deleting a record, then permissions aren't the issue.
Here's a quick visual example of what I'm talking about as seen via ldp.exe when looking at my adfs.robertsonpayne.com DNS record, where you can see (in blue) that there's two entries held within the single AD object.
What that leads me to believe in your situation is that something is explicitly requesting the addition of the VPN-based IP address rather than the updating of any existing value, and that is something I've seen VPN products do before.
Looking at a different scenario to further explain permissions, when you have one client that's been issued the IP address that another client had previously but didn't de-register, that new client (this is assuming it's a Windows domain-joined client pointing at a writeable domain controller, in which case the default is to perform a dynamic update) cannot update the existing record, nor does it try to create a new one.
While I'm probably making myself look silly by stating the obvious, this is because the new client does not have permissions to the backing AD object - which DNS honours and DHCP behaviour varies depending on configuration.
Are the VPN clients pointing to writeable domain controllers for DNS? If so, then I am at a bit of a loss for the time being since they should be updating their own records directly - assuming the VPN adapter isn't precluded from doing so - but if not, then what you're describing does make sense.
You should be able to check your VPN client adapter's DNS registration configuration by running:
Get-DnsClient | ft -AutoSize InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering, ConnectionSpecificSuffix
Again, this is only relevant if the VPN client is pointing at writeable domain controllers. Otherwise, I feel like this is going to be an issue with the VPN server, possibly in conjunction with how DNS registration has been configured on the DHCP server.
Cheers,
Lain
Edited: Spelling corrections.
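To see the "two entries in a single AD object" situation from the reply above without ldp.exe, here is an added example (not from this thread) that reads the dnsNode objects in the DomainDnsZones partition and lists every name whose dnsRecord attribute holds more than one A record. It assumes the ActiveDirectory module is available and that the zone lives under CN=MicrosoftDNS,DC=DomainDnsZones, as the reply says is typical; the function names are mine.

```powershell
# Added example, not from the original post: find DNS names whose backing AD object
# holds more than one A record (the duplicate-record symptom described above).
Import-Module ActiveDirectory

function Get-DnsNodeARecords {
    # Takes the raw dnsRecord values of one dnsNode and returns the A record addresses.
    param([Parameter(Mandatory)] $DnsRecordValues)
    foreach ($rec in @($DnsRecordValues)) {
        if ($rec -isnot [byte[]] -or $rec.Length -lt 28) { continue }
        # Each value is a DNS_RPC_RECORD (MS-DNSP): 2-byte DataLength, 2-byte Type,
        # then Version, Rank, Flags, Serial, TTL, Reserved, TimeStamp; Data starts at offset 24.
        $type = [BitConverter]::ToUInt16($rec, 2)
        if ($type -eq 1) {   # DNS_TYPE_A: Data is the 4-byte IPv4 address
            ([System.Net.IPAddress]::new([byte[]]($rec[24..27]))).IPAddressToString
        }
        # Type 0 values are tombstoned records and are skipped, as are non-A types.
    }
}

function Find-DuplicateARecords {
    # Zone name defaults to the current AD domain; pass -ZoneName for another AD-integrated zone.
    param([string]$ZoneName = (Get-ADDomain).DNSRoot)
    $domainDn = (Get-ADDomain).DistinguishedName
    $zoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
    Get-ADObject -SearchBase $zoneDn -LDAPFilter '(objectClass=dnsNode)' -Properties dnsRecord |
        ForEach-Object {
            $ips = @(Get-DnsNodeARecords -DnsRecordValues $_.dnsRecord)
            if ($ips.Count -gt 1) {
                [pscustomobject]@{
                    Name     = $_.Name
                    Count    = $ips.Count
                    ARecords = ($ips -join ', ')
                }
            }
        }
}

Find-DuplicateARecords | Sort-Object Count -Descending | Format-Table -AutoSize
```

A name that shows up here with a LAN address and a VPN address side by side is exactly the "something is adding rather than updating" case the reply describes; zones stored in ForestDnsZones would need the search base adjusted accordingly.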