Getting duplicate DNS entries for same IP address

dhcpdomain-name-systemvpn

I have a system (SYSTEMX) that is connected to our network through a VPN. Periodically the VPN gets disconnected and SYSTEMX loses its connection to the network. When this occurs I usually easily find out from a log generated during a nightly task that fails as a result of the sytem being offline.

I ping the system "ping SYSTEMX" and get timeouts as expected. Reconnect the VPN and it is good to go.

Two times however the log has had different results as a new system (SYSTEMSTEALTH) will come in and resolve to the same IP address that SYSTEMX was given.

I ping "ping SYSTEMX" and lo and behold responses come in.

When I do an "nslookup SYSTEMX" and "nslookup SYSTEMSTEALTH" both names resolve to the same IP address.

I am not an expert on network topology however it seems to me that upon distributing a new DHCP lease there should be communication to the name server to remove stale entries for that address to prevent this type of scenario.

Does anyone have any suggestions or are able to clarify a way to prevent this from occuring? I am working with my IT deptartment to resolve this issue, their current stance is that it is fine as SYSTEMX is not on the network SYSTEMSTEALTH comes in after and all is good. However being able to "ping SYSTEMX", connect to it, file share to it using admin shares; this does not seem right to me since SYSTEMX is really SYSTEMSTEALTH.

Thank you for your help.

Best Answer

What's happening is the VPN solution is registered a new PTR record every time a new connection is granted. This can also happen in any environment where dynamic DNS updates are permitted, BTW. So when you query based on IP, there are multiple PTR records because, as has been pointed out, the old ones haven't been cleaned up. So when you nslookup based on IP, you're getting one of the PTR records, which may not correspond to the correct computer name.

As has been mentioned, if the DNS server is set to scavenge, eventually the old PTR records will clean up, though this takes time. For instance, it could a few weeks in a default Windows Server 2003 DNS configuration (once scavenging is turned on).

And like what has already been mentioned, we found that by doing DHCP reservations was the way to go in those cases where it truly mattered to us. In cases where it didn't, we would ping the IP, verify it, then do an nbtstat -a IP address to see what Windows system was truly responding on that IP.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

DNS Issues – Resolving Local Domain Name Issues on Windows 7

I ran into this problem. Unfortunately, the solution isn't as obvious as fixing the DNS suffix!

See this article for a complete explanation and the solution: http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx

TL;DR:

Windows 7 has a rule change compared to Windows XP when it comes to how the DNS resolver treats multi-level names: By default, Win7 will NOT append your DNS suffix to multi-level names, whereas Win XP did. This means that in Win7, FarmA.webstaging will not work, but webstaging by itself will work, as will FarmA.webstaging.yourcompany.com (i.e. the FQDN).

To fix: open up group policy editor and browse to:

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> “Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries”

Set this to "Enabled" and restart your browser; it should fix the problem.

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

DNS Issues – Resolving Local Domain Name Issues on Windows 7

Related Topic