
SSL VPN DNS issues/questions


Jens Ostkamp


Dear community,

 

I am having some issues/questions about DNS configuration regarding SSL VPN. 

Right now we are using a SplitTunnel configuration with intranet IPs (intranet IPs 192.168.251.0/24). In general the normal VPN functionality is fine and working, but especially regarding DNS updates, there were some issues lately:

First question is - if I do an ipconfig /all on a VPN-connected client, I see a "Citrix Virtual Adapter" with DNS server: 192.0.0.1 (this is not the DNS server configured in either the session profile or the NetScaler configuration). DNS in general works (see more further down the post), but I don't understand why it is showing me that weird of an IP address. The "real" DNS server is in another network (172.20.91.x) and the VPN (and firewall) configuration is routing traffic for that network correctly.

 

Second question/the issue:

DNS updates are not working properly. If we update an existing DNS record, the VPN-connected client will not recognize it. NEW A-Records are working fine, but as soon as I update an existing A-Record with a new IP, the client never gets it. I have tested everything with setting a low TTL, clearing the NetScaler DNS cache, clearing the client DNS cache, enforcing ALL DNS requests to be sent over the tunnel; nothing seems to work. I am not sure if the two questions/issues are related.

From my understanding, VPN clients should get the same DNS server as configured in NetScaler system settings, if not specified in session profile? Where does that 192.0.0.1 come from?

Full configuration of that adapter in the attached screenshot. Please note, Default Gateway is NOT blurred out, it is just empty when outputting it. DNS suffix and MAC are blurred.

 

I have also already tried to activate two knobs given in some Citrix Support post regarding secure DNS updates (along with registry keys) - no success.

 

The issue surfaced because we are currently migrating a couple of servers and therefore updating the corresponding DNS records - these will not get recognized by the VPN clients, which is kind of an issue regarding productivity, and working around it by publishing a local hosts file is obviously not that great of a workaround.

Thanks a lot in advance!

 

Best regards
Jens

 

[Attachment: Screenshot 2023-11-22 161240.png]


  • 1 month later...

192.0.0.0/24 is a network reserved by IETF. It doesn't exist on the internet but is not widely used in enterprise networks. So it can be used similarly to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/26, or 169.254.0.0/16. Citrix is using this network to avoid IP address conflicts with resources existing either in the client-side or in the datacentre-side network.

 

The client device sends DNS requests to the 192.0.0.1 DNS server, and the gateway intercepts and resolves the name on behalf of the client device, proxying the request to whichever DNS server you configured. This might sound stupid, but that's how it works.

 

The problem with updated DNS records seems to be a problem with caching on the NetScaler device. I never came across this issue (as DNS entries usually are rather static). Failing over from active to passive node would solve the issue, if I am right about this.


  • 4 weeks later...
On 12/28/2023 at 1:34 PM, Johannes Norz said:

192.0.0.0/24 is a network reserved by IETF. It doesn't exist on the internet but is not widely used in enterprise networks. So it can be used similarly to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/26, or 169.254.0.0/16. Citrix is using this network to avoid IP address conflicts with resources existing either in the client-side or in the datacentre-side network.

 

The client device sends DNS requests to the 192.0.0.1 DNS server, and the gateway intercepts and resolves the name on behalf of the client device, proxying the request to whichever DNS server you configured. This might sound stupid, but that's how it works.

 

The problem with updated DNS records seems to be a problem with caching on the NetScaler device. I never came across this issue (as DNS entries usually are rather static). Failing over from active to passive node would solve the issue, if I am right about this.

Hey, thanks for your response, just saw the answer now. What you described is/was exactly our issue. As we don't have HA, we cannot do a failover to update DNS as a workaround, but we disabled DNS caching on NetScaler and that seemed to do the trick. After disabling DNS caching, DNS updates did work (configured DNS param -cachehitBypass).

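The two replies above together describe the mechanism: the gateway answers on 192.0.0.1 inside the tunnel, proxies to the real DNS server, and serves cached answers until they expire, so an A record that is changed upstream keeps resolving to the old address while the cached copy is alive, whereas a brand-new name (no cache entry yet) is always fetched fresh. The following Python model reproduces that behaviour and the effect of bypassing cache hits. It is an added example written for this thread, not Citrix or NetScaler code: the class names (UpstreamDns, DnsProxy), the hostname and the 172.20.91.10/.20 addresses are constructed for the illustration, and the cache_hit_bypass flag only stands in for the NetScaler DNS parameter the last reply refers to.

```python
"""Toy model of a caching DNS proxy between VPN clients and the real DNS
server.  Added example for the thread; not Citrix/NetScaler code.
All names and addresses below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    ip: str
    ttl: int  # seconds a resolver may serve this answer from cache


class UpstreamDns:
    """Stands in for the corporate DNS server (172.20.91.x in the thread)."""

    def __init__(self) -> None:
        self.zone: dict[str, Record] = {}

    def update(self, name: str, ip: str, ttl: int = 3600) -> None:
        """Create or change an A record (what the server migration does)."""
        self.zone[name] = Record(ip, ttl)

    def query(self, name: str) -> Optional[Record]:
        return self.zone.get(name)


@dataclass
class CacheEntry:
    record: Record
    expires_at: float


class DnsProxy:
    """Stands in for the gateway that answers on 192.0.0.1 inside the tunnel.

    cache_hit_bypass=True models the setting from the last reply: every
    query is forwarded upstream even when a live cache entry exists.
    """

    def __init__(self, upstream: UpstreamDns, cache_hit_bypass: bool = False) -> None:
        self.upstream = upstream
        self.cache_hit_bypass = cache_hit_bypass
        self.cache: dict[str, CacheEntry] = {}
        self.upstream_queries = 0  # lets a caller see when upstream was consulted

    def resolve(self, name: str, now: float) -> Optional[str]:
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at and not self.cache_hit_bypass:
            return entry.record.ip  # cache hit: upstream change is invisible here
        self.upstream_queries += 1
        rec = self.upstream.query(name)
        if rec is None:
            self.cache.pop(name, None)
            return None
        self.cache[name] = CacheEntry(rec, now + rec.ttl)
        return rec.ip


def updated_record_scenario(cache_hit_bypass: bool) -> list[str]:
    """Answers the client sees before and after an existing A record changes.

    Timeline (seconds): t=0 first lookup, t=60 lookup after the change but
    inside the old TTL, t=3700 lookup after the old cache entry expired.
    """
    upstream = UpstreamDns()
    upstream.update("app.corp.example", "172.20.91.10", ttl=3600)
    proxy = DnsProxy(upstream, cache_hit_bypass)
    seen = [proxy.resolve("app.corp.example", now=0)]
    upstream.update("app.corp.example", "172.20.91.20", ttl=3600)  # migration
    seen.append(proxy.resolve("app.corp.example", now=60))
    seen.append(proxy.resolve("app.corp.example", now=3700))
    return seen


def new_record_scenario() -> Optional[str]:
    """A name created after the proxy started is fetched fresh even with caching."""
    upstream = UpstreamDns()
    proxy = DnsProxy(upstream, cache_hit_bypass=False)
    assert proxy.resolve("new.corp.example", now=0) is None  # NXDOMAIN, nothing cached
    upstream.update("new.corp.example", "172.20.91.30", ttl=3600)
    return proxy.resolve("new.corp.example", now=1)


if __name__ == "__main__":
    print("caching proxy:     ", updated_record_scenario(cache_hit_bypass=False))
    print("cache-hit bypass:  ", updated_record_scenario(cache_hit_bypass=True))
    print("new record:        ", new_record_scenario())
```

With caching, the second lookup still returns the pre-migration address and only the third (after the old entry's 3600 s TTL) returns the new one; with cache hits bypassed the change is visible on the very next query. The model also shows why a low TTL set after the entry was cached does not help on its own: the expiry time was fixed when the old answer was stored, so the entry has to expire or be flushed before the new TTL matters.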
