Jump to content
Welcome to our new Citrix community!

VPN Client DDNS registration is being refused by Infoblox

Lance Baumgartner

Recommended Posts

We have an "Always ON" full VPN solution with the GW hosted on VPX Netscalers. Windows 10 clients set up a machine tunnel in one IP space then migrate to a user tunnel after MFA in a final IP space configured on the GW. Dynamic DNS updates are being refused by Infoblox. You can see the capture. 


Anyone seen this before?


Netscaler VPX version 13.0 88.14
Full VPN "always on" gateway
Have an IP pool for client machine tunnel and user tunnel after MFA

Clients Windows 10 Laptops running Citrix Secure Access
secureDNSUpdate regkey set to 2 for secure updates only
Infoblox DNS Appliance set for secure DDNS


Capture snipet.PNG

Link to comment
Share on other sites

There are bugs with secureDNSUpdate, but in older 13.0 builds. Within 88.14 it should work and I can confirm this (with Windows DNS).  Also check if you're seeing succesful Kerberos requests from your clients, as secure dynamic DNS relies on Kerberos. What happens when you set the Regkey to 1 and allow also unsecure DNS updates on your Infoblox Appliance? So is it only a secureDNS problem?




Link to comment
Share on other sites

I did the regex change to 1. I was doing 2 to secure only. No registration still. I will check on Kerboros. 


A little more transparency from me.. We have 3 DNS servers. Two take all the queries. The "master" is the only one that takes DDNS registration. I load balance the 2 that take queries but not the master. When I add the Master that takes DDNS, it works. But I cannot place this into the pool because it is not designed to take queries. I get intermittent failures from everyone because it is not recursive. 


It would be cool if I could somehow direct all the DDNS traffic to the master separately. I write F5 iRules that would allow me to do this but I am not familiar enough with the specific messages required or how I might separate this with a Netscaler. 

Link to comment
Share on other sites

I'm now having exactly the same issue with Infoblox and NetScaler SSLVPN at one customer.

The main problem is how we have to commit DNS Server to SSLVPN User-Sessions. In Citrix Gateway Global settings you're able to insert IP addresses of DNS Hosts, but this is appearing global, so no option for us. 


Also the defined DNS Servers in general on NetScaler are also send to the client, but these are differencing to the client DNS Infoblox Servers. 

In Session profiles it's only possible to insert a LB vServer for DNS, which brings back the Kerberos issues, as the client has to request directly to the infoblox DNS Servers. I am actually thinking about how this could be solved as it's a silly design issue on how NetScaler is processing DNS with SSLVPN.

Link to comment
Share on other sites

Did some testing... I changed the global DNS settings to my Infoblox IPs and disabled ALL DNS LB-vServer in any Session Profiles. Still getting the fake DNS IP in my Citrix Virtual Network Adapter on Clientside. 

NetScaler Citrix Gateway Global DNS Servers (Infoblox):


Clientside Virtual Adapter:


That's exactly the problem why SecureDNS with Kerberos isn't working, as the request goes via and Kerberos is only working when going directly to Infoblox (eg Why isn't it possible to insert two real DNS servers via NetScaler Config?! Any help is greatly appreciated, I don't understand why such a simple thing has to be as this complicated.

Link to comment
Share on other sites

  • 4 weeks later...

Julian, I still do not have an answer and I agree. Why is this so damn complicated? I am working on building a content VS that uses a policy that separates the SOA request for the domain in question. That is refused from the server because we cannot parse out the TKEY request which  is required for the SOA request...... 

Link to comment
Share on other sites

  • 3 weeks later...

Lance, I was able to solve the issue. We used DNS-LB and tracked the requests and the matching answer vom Infoblox. Requested was DNS01 and the answer came from DNS02.


What I did is to give the clients in Citrix VPN a DNS-LB which is only bound to a Service Group with DNS01 and configured another one with DNS02, used as Protection Backup Server.


So all requests will always go to DNS01 - and the matching answer is also coming from DNS01, so DDNS is working fine. If DNS01 (and the LB) will go down, NetScaler will switch automatically to my Backup-LB with DNS02.




Hope this helps

Best Regards


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...