Tunneling IP address on Mac/DNS

DavidN
Contributor

We are using Zscaler in our organization. Within the last few months we started seeing the error "You cannot control your own screen" when screen sharing or using ARD. We discovered this.

OS - 10.14.6 AND 10.15.4

In terminal:
host computername
computername has address 10.3.10.23
computername has address 100.64.0.1

The issue is that our DNS is registering the 100.64.0.1 tunneling address to multiple computers. This second DNS record is registered with the Windows domain and appears on PC computers as well when resolving the hostname of the Mac computer(s).

ifconfig
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 100.64.0.1 --> 100.64.0.1 netmask 0xffff0000

If Zscaler is off, 100.64.0.1 IP goes away.

Zscaler says talk to Apple. Zscaler's response:
"Just before nsupdate there is some activity from opendirectoryd, which is responsible for working with Active Directory. Probably nsupdate was called from it as part of the standard flow.
Zapp doesn't call nsupdate ever, so please check this problem on the Active Directory side or contact Apple support for clarification."

Apple support says it's the third party app since it is only exhibited when Zscaler is on.

I've found a similar post here:
https://knowledge.broadcom.com/external/article/187967/zscaler-vpn-connections-report-regular-i.html

And this talks about "Back to my Mac" which has been deprecated.
https://community.spiceworks.com/topic/2163518-invalid-ips-showing-up-in-windows-2012-r2-dns

Any help would be appreciated.
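A quick check for the symptom described above, added here as an example that is not part of the original post: it flags any A record that falls in 100.64.0.0/10 (the RFC 6598 shared address space that the Zscaler utun1 interface uses), so a fleet can be scanned for Macs that have registered a tunnel address in DNS. The hostname and `host` output in the sample are constructed from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Flags DNS A records in
# 100.64.0.0/10 (RFC 6598 shared address space), the range used by the
# utun1 tunnel interface above. Sample data below is constructed.

# Print every address from `host`-style output that lies in 100.64.0.0/10.
# Reads on stdin so it can be fed from a live `host` call or a saved file.
# 100.64.0.0/10 == first octet 100, second octet 64..127.
cgnat_addrs() {
    awk '
        /has address/ {
            ip = $NF
            n = split(ip, o, ".")
            if (n == 4 && o[1]+0 == 100 && o[2]+0 >= 64 && o[2]+0 <= 127)
                print ip
        }'
}

# Return 0 when no tunnel address is registered, 1 (with a message) otherwise.
check_host_output() {
    bad=$(cgnat_addrs)
    if [ -n "$bad" ]; then
        printf 'tunnel address registered in DNS: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample matching the output quoted in the post.
SAMPLE='computername has address 10.3.10.23
computername has address 100.64.0.1'

# Live use on a Mac (needs DNS, so left commented out):
#   host "$(hostname -s)" | check_host_output
```

Run against the sample, `cgnat_addrs` prints only 100.64.0.1 and `check_host_output` exits non-zero; a host whose records are all in 10.0.0.0/8 passes.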

1 ACCEPTED SOLUTION

DavidN
Contributor

Found a solution to this. We can limit which interfaces are registering with DNS using the command dsconfigad -restrictDDNS "en0,en1," etc.

Info here:
https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac
and
https://support.apple.com/en-us/HT200007

Created an extension attribute to report:

#!/bin/sh

# Report which interfaces are allowed to register via dynamic DNS.
# "not set" means no restriction, so the utun tunnel address can still be registered.
restrictddns=$(/usr/sbin/dsconfigad -show | grep "Restrict Dynamic DNS updates" | awk '{ print $6,$7 }')

echo "<result>$restrictddns</result>"

And script to set the restriction (must run as root on an AD-bound Mac):
dsconfigad -restrictDDNS "en0,en1,en2,en3,en4,en5"
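Building on the accepted solution, an added example (not the poster's extension attribute and not Apple tooling): it derives the -restrictDDNS interface list from the Mac's actual hardware ports instead of a hard-coded en0..en5, reads the current value back out of `dsconfigad -show`, and emits the same <result> format. The `networksetup -listallhardwareports` and `dsconfigad -show` outputs below are constructed samples; the parsers read stdin so the live commands can be piped into them on a bound Mac.

```shell
#!/bin/sh
# Added example, not from the original post or Apple tooling.
# Builds the -restrictDDNS list from real hardware ports (utun* tunnels are
# never hardware ports, so they are excluded by construction) and reads the
# current restriction back from `dsconfigad -show`. Samples are constructed.

# Comma-separated device names (en0,en1,...) from `networksetup -listallhardwareports`.
ddns_iflist() {
    awk '/^Device:/ { s = s (s == "" ? "" : ",") $2 } END { print s }'
}

# Current "Restrict Dynamic DNS updates" value from `dsconfigad -show`:
# "not set" when unrestricted, otherwise the interface list.
current_restriction() {
    awk '/Restrict Dynamic DNS updates/ { sub(/.*= */, ""); print }'
}

# Return 0 when a restriction is in place, 1 when DDNS is unrestricted.
ddns_restricted() {
    r=$(current_restriction)
    [ -n "$r" ] && [ "$r" != "not set" ]
}

# Extension-attribute style report, same <result> format as the post.
ea_report() {
    printf '<result>%s</result>\n' "$(current_restriction)"
}

# Apply the restriction. dsconfigad changes require root and an AD bind;
# this is the only function here that touches the live system.
apply_restriction() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_restriction: must run as root" >&2; return 1; }
    /usr/sbin/dsconfigad -restrictDDNS "$1"
}

# Constructed sample of `networksetup -listallhardwareports`.
SAMPLE_PORTS='Hardware Port: Wi-Fi
Device: en0
Ethernet Address: 00:11:22:33:44:55

Hardware Port: Thunderbolt Ethernet Slot 1
Device: en1
Ethernet Address: 00:11:22:33:44:56

Hardware Port: Bluetooth PAN
Device: en5
Ethernet Address: 00:11:22:33:44:57'

# Constructed sample fragment of `dsconfigad -show` before the fix.
SAMPLE_SHOW='Advanced Options - Administrative
  Password change interval        = 14
  Restrict Dynamic DNS updates    = not set
  Namespace mode                  = domain'

# Live use on a bound Mac (commented out so the script runs anywhere):
#   list=$(networksetup -listallhardwareports | ddns_iflist)
#   sudo sh -c ". ./this_script.sh; apply_restriction \"$list\""
#   dsconfigad -show | ea_report
```

On the samples, `ddns_iflist` yields en0,en1,en5 and `current_restriction` yields "not set", so `ddns_restricted` fails until the restriction is applied. Because the list comes from the hardware-port table, a Mac with a different Thunderbolt or USB adapter layout gets the right interfaces without editing the script.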
