Mac Clients Keeping Old IPs via VPN on our DC

New Contributor III

We’ve recently noticed an issue that has probably been going on for a while now, where MacOS clients are registering their IP addresses as A records with the local DNS servers here. That’s great for when they are on the LAN, but when they register their IPs when VPNed in it becomes a problem if they never update them. So what were seeing is a VPN client will send to say server-dc04 it’s name and IP as say and it will also send it’s home wifi IP of say

So we have 2 records for it showing in DNS. And that’s fine, but the next day when they VPN in again, if they get a new IP address they will register that new IP, but not as an update, rather just an addition. This leaves it up to the DNS servers to ‘scavenge’ stale records, and these DNS/DCs only do this for our domain once every 7 days.


New Contributor

We have noticed this highlighted as well due to the COVID19 remote work orders. The issue that we see regularly is our Mac clients registering A records for both their VPN address as well as their home address. This is a minor inconvenience in terms of remoting into the machines occasionally, but does also cause some rather frustrating issues with our Forcepoint content filter. I've been looking into how this is normally dealt with for the last few days, but haven't found any great leads. Curiously enough, this does not seem to be an issue at all on our Windows clients.

When you say that the IP address will not update, are you referring to the home IP address registered in DNS or the address given out by your DHCP server? Are your PTR records correct?

New Contributor III

@bhollett thanks for response. The IPs and specifically the A records. The PTR records or zone files are specific to IP subnets, and for most of those subnets for home users, we don’t have a zone file for that particular subnet, so I’m not too worried about PTRs.
The DHCP server in the case of VPN clients is a very cut down version of a DHCP service which runs on the VPN server. Basically it simply hands out an IP address, subnet, router, DNS servers, and a search domain suffix like

Valued Contributor II

I imagine this is only a problem because the Macs are bound to Active Directory? If so, have you considered moving away from this? Even Microsoft is trying to get Windows customers off traditional AD and onto Azure.

New Contributor III

Macs are not bound to AD. Edit* I spaced, some are still bound to AD. Hmmmmm I checked the duplicates again and those Macs are in fact bound to AD....

Just not sure if simply moving to Azure is the answer to our problems. I am all ears. ;) We don't want our passwords stored in the cloud.