I’ve been having an irritating issue with Always On VPN since I implemented it.
Everything works correctly, including DNS. However, because Always On VPN handles DHCP, and because it likes to recycle IP addresses, I suffer from outdated DNS for the VPN hostnames very quickly.
I’ve written a script that purges DNS records of clients not connected, but I’ve seen clients change VPN LAN addresses in less than 15 minutes.
Is there any way to disable this recycling behavior for Always On VPN? I’ve got a whole /16 block to use for IPs and only a dozen VPN clients. Limited IPs is not an issue. Having the same 12 IPs recycled when a client disconnects is causing an issue.
You are an absolute madman for setting up AOVPN for 12 users. Congrats on getting it working. I would recommend you don’t serve DHCP from the RRAS server, but instead serve it from your DC. Set up DNS scavenging for the zone and let Windows automagically solve this problem for you: DNS Scavenging - Everything you need to know
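What the scavenging suggestion above looks like in practice, as an added example (not the commenter's own code). It assumes the AD-integrated zone is called corp.example.com and that the DNS role runs on the DC where this is executed (add -ComputerName otherwise). Note the caveat: aging and scavenging intervals are measured in hours at best and days by default, so this sweeps up records that have been stale for a while; it cannot keep up with a client whose address changes every few minutes, and it only ever touches dynamic records (static ones carry no timestamp and are skipped).

```powershell
# Added example, not from the original thread: enable aging on the zone that
# holds the VPN client records and turn scavenging on at the server.
# Assumptions: zone 'corp.example.com', DnsServer module present, run on the DC.
$zone = 'corp.example.com'

# Aging on the zone. A dynamic record's timestamp is frozen during the
# no-refresh window and may be refreshed by the client during the refresh
# window; once both have elapsed without a refresh the record is eligible
# for deletion. The defaults are 7 + 7 days; 1 + 1 day is about as tight
# as this mechanism is meant to go.
Set-DnsServerZoneAging -Name $zone -Aging $true `
    -NoRefreshInterval (New-TimeSpan -Days 1) `
    -RefreshInterval   (New-TimeSpan -Days 1)

# Scavenging on the server: sweep eligible records once a day.
# -ApplyOnAllZones:$false keeps the per-zone settings set above.
Set-DnsServerScavenging -ScavengingState $true `
    -ScavengingInterval (New-TimeSpan -Days 1) -ApplyOnAllZones:$false

# Verify what is now in effect.
Get-DnsServerZoneAging -Name $zone
Get-DnsServerScavenging
```

Scavenging only deletes records whose timestamp is older than no-refresh plus refresh, so with the values above a stale VPN record lives for roughly two days before the next sweep removes it; shorter churn still needs something targeted.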
We are having the exact same problem and it’s causing issues with Network Name Resolution in Microsoft Defender for Identity. Have you managed to figure out a workaround?
RRAS is using DHCP relay to the DC. The DC is doing DHCP.
RRAS however grabs the IPs in blocks at a time and then hands them out to clients itself. Leases from DHCP will show the RRAS server as the holder of the IP with “RAS” being the unique ID.
I already have DNS scavenging active and had mentioned an even more aggressive script to clean up DNS records for the VPN subnet.
The issue is that VPN clients are changing LAN IPs constantly due to short disconnects. RRAS will give them a new IP instead of reusing their last one.
The Windows clients don’t seem to try to register the new IP in DNS on short disconnects. I’ve seen clients last less than five minutes with the same LAN IP.
I believe the disconnects are just from users with crappy home wifi as testing on stable personal internet has never shown early disconnection.
The issue is I can’t make any changes to RRAS DHCP to resolve the recycling of IPs in short duration.
This script checks for IPs based on search pattern. For example -Subnet '10.20.*' would be 10.20.0.0/16
The script also checks for unresponsive clients by pinging them. If pings are blocked you might want to use the -NoPing argument or it will remove those records for unresponsive clients.
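The poster's script itself is not on the page. The following is an added example of a purge script with the behaviour described above (a -Subnet wildcard, a ping check, and a -NoPing switch to skip it); it is my own implementation, not the original poster's code. It assumes it runs on the RRAS server (so Get-RemoteAccessConnectionStatistics can list live sessions), that the zone is corp.example.com on DNS server dc01, and that the RemoteAccess and DnsServer modules are installed. Records for addresses still held by a connected session are kept; everything else in the range is probed (unless -NoPing) and removed if silent.

```powershell
# Added example, not the original poster's script. Removes A records in the
# VPN address range that belong to clients which are no longer connected.
# Assumptions: run on the RRAS host, zone 'corp.example.com' on 'dc01',
# RemoteAccess + DnsServer modules available. Parameter names mirror the
# ones described in the post; the logic is this example's own.
function Remove-StaleVpnDnsRecord {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Subnet,      # wildcard, e.g. '10.20.*' for 10.20.0.0/16
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $DnsServer = 'dc01',
        [switch] $NoPing
    )

    # Addresses held by sessions that RRAS reports as up right now.
    $connected = @{}
    foreach ($s in Get-RemoteAccessConnectionStatistics) {
        if ($s.ClientIPAddress) { $connected[[string]$s.ClientIPAddress] = $true }
    }

    # Only dynamic A records inside the VPN range are candidates. Static
    # records have no timestamp and are deliberately left alone, the same
    # rule DNS scavenging applies.
    $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
        Where-Object {
            $_.RecordData.IPv4Address.IPAddressToString -like $Subnet -and $_.Timestamp
        }

    foreach ($r in $records) {
        $ip = $r.RecordData.IPv4Address.IPAddressToString
        if ($connected.ContainsKey($ip)) { continue }   # still in use: keep

        # A host that answers ping is treated as live even if RRAS did not
        # list it. When ICMP is blocked a live client looks identical to a
        # dead one, so pass -NoPing and rely on the session list alone.
        if (-not $NoPing -and (Test-Connection -ComputerName $ip -Count 1 -Quiet)) { continue }

        if ($PSCmdlet.ShouldProcess("$($r.HostName) -> $ip", 'Remove A record')) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -RRType A -Name $r.HostName -RecordData $ip -Force
        }
    }
}

# Dry run first (SupportsShouldProcess gives us -WhatIf), then for real.
Remove-StaleVpnDnsRecord -Subnet '10.20.*' -ZoneName 'corp.example.com' -WhatIf
Remove-StaleVpnDnsRecord -Subnet '10.20.*' -ZoneName 'corp.example.com' -NoPing
```

Run it from a scheduled task on the RRAS server at whatever cadence matches the churn; the -WhatIf pass is worth keeping in the task history the first few times so you can see exactly which records it would have deleted before trusting it with the zone.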