I've been trying to fine-tune our NIDS configuration (which predates my employment here) and more specifically trying to figure out why certain IP addresses/ranges that we don't use, keep appearing in reports/logs.
I think I've figured out the root cause, but I'm not sure of the best way to fix it:
We have a number of remote users who connect to our network by VPN. As best I can tell, when their laptops connect to the network, they're sending updates to the DNS server running on the DC with both the IP address of their VPN interface (routable on our network) and their private IP address on their home LAN (obviously not routable) - if I do an nslookup on a domain machine, the DC returns two A records, one for each address.
This has a slight ripple effect through the network - which manifests mostly with Windows Update Delivery Optimization, where the peer discovery process frequently gets the non-routable private IP somehow and then tries to download Windows updates from it.
Long story short: what is the best way to prevent VPN'ed machines from registering external private IP addresses with the DNS server running on the DC?