
Pulse Secure Client - Registering DNS

KAS
Occasional Contributor


Current scenario:

 

When a user connects to VPN with the full Pulse Secure Desktop client, multiple DNS records are published in DNS for the client.

 

For example, when I connect the following IP Addresses are registered in DNS for the client:

10.0.0.1 (Corporate VPN IP Address)

192.168.1.2 (Internal, Private IP Address)

 

Is it possible to prevent the client from registering more than just the corporate IP Address in DNS?  With both records published, attempting to ping / connect to devices on VPN doesn't always work as the private IP Address is returned at random.

flipPipe
Frequent Contributor

Re: Pulse Secure Client - Registering DNS

Hi,

 

Whoever manages the computer can decide which interfaces register their IPs.

https://docs.microsoft.com/en-us/previous-versions//cc959739(v=technet.10)

 

Best Regards,

 

KAS
Occasional Contributor

Re: Pulse Secure Client - Registering DNS

That implies that I would need to change the configuration of the client when it is remote vs. the next day when it is back in the office. The Pulse Secure Desktop client already does a terrible job of detecting Domain vs. Private network locations, let alone trying to script a change at login to prevent other adapters from registering in DNS.

davidribeiro
New Contributor

Re: Pulse Secure Client - Registering DNS

Hello, we are having the same issue and this is very annoying. We are getting many incorrect entries in DNS because of that. My temporary solution was to deploy a GPO that disables the "Register this interface's address in DNS" and enable Secure Dynamic DNS updates. Is there a way that Pulse can only send its own IP to DNS?

cscheiner@fabuwood.com
Occasional Contributor

Re: Pulse Secure Client - Registering DNS

Same issue here. Would be nice to hear from someone from Pulse instead of being ignored for months.

pwallace
Community Manager

Re: Pulse Secure Client - Registering DNS

I sent a PM about this - let me know if I can help.

aneville
New Contributor

Re: Pulse Secure Client - Registering DNS

Curious if anyone has found a fix or workaround for this...

KAS
Occasional Contributor

Re: Pulse Secure Client - Registering DNS

Has anyone had a chance to look / try this yet?

 

https://support.microsoft.com/en-us/help/4505658/windows-10-update-kb4505658

 

Specifically:

Microsoft introduced a new Registry Key to fix this issue in KB4507466

Addresses an issue that causes a Windows device to incorrectly register host A records for two network interface controllers (NIC) after establishing a virtual private network (VPN) connection to the corporate domain. This occurs when the device is configured with two NICs and one of them is a VPN. To implement this solution, make the following registry changes and then restart your device:

  • Setting: DisableNRPTForAdapterRegistration
  • Path: HKLM\System\CurrentControlSet\Services\Dnscache\Parameters
  • Type: DWORD
  • Value: A value of 1 means that only the host A records for the VPN interface will register on an active VPN connection. A value of 0 (default) means host A records will also be registered for other local interfaces.

aneville
New Contributor

Re: Pulse Secure Client - Registering DNS

We looked at this, but didn't notice any difference when adding the reg key (the update was already applied).  If anyone is seeing this fix the problem, I'd be curious to know more details.

jchettid
Contributor

Re: Pulse Secure Client - Registering DNS

This is working as designed.  FQDN split tunneling will need to modify the DNS setting on both physical and virtual adapters. Therefore, DNS entries from both the virtual and physical interfaces get registered.

 

Possible workarounds:

  • Use IP-based split tunneling
  • Manually de-register the DNS entries on the endpoints

Please follow the instructions given below to de-register the DNS entries.

  1. Open Control Panel.
  2. Click on Network and Internet.
  3. Click on Network and Sharing Center.
  4. Click the Change adapter settings option in the left pane.
  5. Right-click the network interface of the adapter that you don't want registered in DNS and select the Properties option.
  6. Select and check the Internet Protocol Version 4 (TCP/IPv4) option.
  7. Click the Properties button.
  8. Click the Advanced button.
  9. Click the DNS tab.
  10. Uncheck “Register this connection’s addresses in DNS” for the interfaces.
  11. Repeat the same steps for the other adapters that you don't want registered in DNS.

I understand this is going to be a challenge as there might be a lot of users. Please check with your network team if this can be pushed via Group Policy or script. There is already an Enhancement Request. Please reach out to your account manager.
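
The manual steps and the registry value discussed in this thread can be scripted. The following is an added example, not part of the original thread and not Pulse Secure or Microsoft code: it turns off "Register this connection's addresses in DNS" on every non-VPN adapter while the tunnel is up and turns it back on when the tunnel is down, which covers the remote-versus-office case raised earlier. The `$VpnAdapterPattern` default and the `-SetRegistryValue` switch are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: wildcard matching the VPN virtual adapter's InterfaceDescription.
    # Confirm the real value on an endpoint with Get-NetAdapter and adjust.
    [string]$VpnAdapterPattern = '*Pulse Secure*',
    # Hypothetical switch: also write the registry value quoted in the thread.
    [switch]$SetRegistryValue
)

# Connected adapters, and the VPN adapter among them (empty when the tunnel is down).
$up  = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$vpn = @($up | Where-Object InterfaceDescription -like $VpnAdapterPattern)

$report = foreach ($adapter in $up) {
    $isVpn = $adapter.InterfaceDescription -like $VpnAdapterPattern
    # Tunnel up: only the VPN adapter registers.
    # Tunnel down (back in the office): every connected adapter registers again.
    # Assumption: no adapter is meant to stay unregistered permanently.
    $shouldRegister = ($vpn.Count -eq 0) -or $isVpn
    $current = (Get-DnsClient -InterfaceIndex $adapter.ifIndex).RegisterThisConnectionsAddress
    if ($current -ne $shouldRegister) {
        Set-DnsClient -InterfaceIndex $adapter.ifIndex -RegisterThisConnectionsAddress $shouldRegister
    }
    [pscustomobject]@{
        Adapter  = $adapter.Name
        IsVpn    = $isVpn
        Previous = $current
        Now      = $shouldRegister
    }
}

if ($SetRegistryValue) {
    # Setting, path, type and value exactly as quoted from the Microsoft KB above.
    # The KB text says a restart is needed before it takes effect.
    $path = 'HKLM:\System\CurrentControlSet\Services\Dnscache\Parameters'
    New-ItemProperty -Path $path -Name 'DisableNRPTForAdapterRegistration' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

# Re-run dynamic registration so DNS reflects the new per-adapter settings.
Register-DnsClient

# Show what was changed, for logging by whatever launches the script.
$report | Format-Table -AutoSize
```

Run it elevated on each connect and disconnect, for example from a scheduled task or logon script. Records that were already registered for the private address may still need to be cleaned up or aged out on the DNS server.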