SonicWall SSL VPN creates duplicate DNS records.

Comments

3 comments

  • Luke Nichols

    Andrew,

    I am not a DNS expert (and I've never used SonicWall), but I suspect what is happening is your remote users' computers are initiating their own dynamic DNS updates. That is how your AD DNS is getting updated. So, SonicWall is right that SSL VPN doesn't inherently make DNS records, but Windows does. Try disabling this setting for one of your problem children and see if it fixes the issue as a test. Make sure you do it on the SonicWall virtual NIC and not on their actual physical NIC:

    Also, SonicWall may say that they are not using DHCP for address assignment but frankly I'm skeptical. If there is a way to increase the DHCP lease duration that might help mitigate this issue, since you won't have two computers using the same IP within the span of a few minutes.

    Here is some more info that might be helpful:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771255(v=ws.11)?redirectedfrom=MSDN

  • Andrew Saarima

     I suspect what is happening is your remote users' computers are initiating their own dynamic DNS updates.

    -I think you're right, that makes sense.


    Try disabling this setting for one of your problem children and see if it fixes the issue as a test. Make sure you do it on the SonicWall virtual NIC and not on their actual physical NIC:

    -But then wouldn't I not have any DNS records for these computers? And wouldn't that in turn cripple PDQ Inventory's process of scanning the computers, and Deploy's process of finding the computer to deploy to?


    If there is a way to increase the DHCP lease duration that might help mitigate this issue, since you won't have two computers using the same IP within the span of a few minutes.

    -This would absolutely solve the problem, but again, the Address Object in SonicWall doesn't use DHCP and has no modifiable lease duration because it's set to only exist for the length of the session. This doesn't seem to be something they let you change, unfortunately.

  • Luke Nichols

    Ah, I missed that these are remote users. I was thinking they were just laptop users occasionally connecting to VPN offsite from their laptops or something. You are correct that would completely break DNS for that computer, since that is the only connection that PDQ ever has to that machine.

    Unfortunately I can't think of an obvious solution. In theory something like the PDQ agent could help mitigate this, but it's deprecated and there is no ETA on a replacement.

    Are there logs in place for the SonicWall that you can easily access? You could probably have something like a PowerShell script in a scheduled task running every x minutes to clean up DNS objects for old SonicWall connections. It's a hack but it might work.

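One way to implement the scheduled clean-up suggested in the last comment, as an added example that is not part of the thread and not PDQ's or SonicWall's own tooling. It assumes an AD-integrated zone, a DNS server name and the SSL VPN address pool prefix (all placeholders to adjust); for each VPN IP that has more than one dynamic A record it keeps the newest registration and removes the older ones, and supports -WhatIf so it can be dry-run from the scheduled task before it is allowed to delete anything.

```powershell
# Added example, not from the thread. Requires the DnsServer RSAT module and
# rights to modify the zone. Static records (no Timestamp) are never touched.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ZoneName      = 'corp.example.com',       # assumed AD-integrated zone
    [string]$DnsServer     = 'dc01.corp.example.com',  # assumed DNS server
    [string]$VpnPrefix     = '10.99.0.',               # assumed SSL VPN pool (10.99.0.0/24)
    [int]$MinAgeMinutes    = 30                        # leave records newer than this alone
)

$cutoff = (Get-Date).AddMinutes(-$MinAgeMinutes)

# Candidates: dynamically registered A records whose address is inside the VPN pool.
$vpnRecords = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object {
        $null -ne $_.Timestamp -and
        $_.RecordData.IPv4Address.IPAddressToString.StartsWith($VpnPrefix)
    }

# An IP with more than one host name is the duplicate left behind when the VPN
# reused that address for a new session. Keep the most recent registration.
$vpnRecords |
    Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $ip     = $_.Name
        $sorted = $_.Group | Sort-Object Timestamp -Descending
        $keep   = $sorted[0]
        foreach ($stale in $sorted[1..($sorted.Count - 1)]) {
            # Too recent to be sure the session is over: skip it this run.
            if ($stale.Timestamp -gt $cutoff) { continue }
            $target = "$($stale.HostName) -> $ip (registered $($stale.Timestamp))"
            if ($PSCmdlet.ShouldProcess($target, "Remove stale A record, keeping $($keep.HostName)")) {
                Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                    -InputObject $stale -Force
                Write-Output "Removed $target; kept $($keep.HostName)"
            }
        }
    }
```

Run it once by hand with -WhatIf to see what it would remove, then register it as a scheduled task under an account that only has rights on that zone.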
