Thursday, December 31, 2020

Forticlient clutter in Infoblox

We've got a situation where we use Infoblox for DHCP/DNS, but because our Forticlient is used for SSLVPN, the Fortigates themselves have to do the DHCP (there's no DHCP relay on SSLVPN, only IPSec, for some reason). Therefore, we need the Fortigate to update Infoblox with A records for hosts connected (because Security said so).

And it even works fine, as far as it goes - not only does it create the A record for the VPN tunnel IP, but it also creates one for that hostname for EVERY IP on the remote computer. And they never ever go away unless we manually delete it.

So what I'm looking for is a way to either:

  1. Stop the Fortigate from creating the mess in the first place

  2. Stop Infoblox from setting them as if the lease is long-term when it's not

  3. Or, barring anything else, automatically clean up the mess in Infoblox, but restrict said cleanup to just the IP blocks used for the Forticlient VPNs (and things like 192.168.1.0/24, which is an absolute mess and we don't use anyhow).
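For the third option, here is an added example (not from this post, and not Infoblox's or Fortinet's code) of a cleanup that is hard-scoped to the VPN address blocks: every A record whose address sits outside the permitted CIDRs survives no matter what its name looks like. The WAPI URL, the VPN pool 10.212.134.0/24 and the sample records are constructed placeholders; the `record:a` search and `DELETE` on a record's `_ref` are standard Infoblox WAPI calls. It defaults to a dry run that only reports what it would remove.

```python
"""Added example (not from the blog post): scope an Infoblox A-record cleanup
to the VPN address blocks only.

Assumptions (not stated on the page): the Infoblox WAPI is reachable at
WAPI_URL, A records are listed with GET record:a and removed with DELETE on
the record's _ref. SAMPLE_RECORDS is a constructed sample so the filter logic
runs offline; set DRY_RUN = False and supply real credentials to act on a grid.
"""
import base64
import ipaddress
import json
import urllib.request

# Constructed: the only blocks we are willing to delete from. Anything outside
# these ranges is left alone, whatever the record name or its creator.
VPN_BLOCKS = [
    ipaddress.ip_network("10.212.134.0/24"),  # hypothetical Forticlient SSLVPN pool
    ipaddress.ip_network("192.168.1.0/24"),   # the home-router block named in the post
]

WAPI_URL = "https://infoblox.example.invalid/wapi/v2.10"  # placeholder grid address
DRY_RUN = True


def basic_auth(user, password):
    """WAPI uses HTTP basic auth; return the header value for the given account."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def in_cleanup_scope(ipv4addr, blocks=VPN_BLOCKS):
    """True only when the address falls inside one of the permitted blocks."""
    try:
        addr = ipaddress.ip_address(ipv4addr)
    except ValueError:
        return False  # a malformed address is never in scope
    return any(addr in net for net in blocks)


def select_stale(records, blocks=VPN_BLOCKS):
    """Return the subset of A records whose address is inside the VPN blocks."""
    return [r for r in records if in_cleanup_scope(r.get("ipv4addr", ""), blocks)]


def fetch_a_records(auth):
    """GET record:a from the WAPI and return the parsed list (network call)."""
    url = f"{WAPI_URL}/record:a?_return_fields=name,ipv4addr&_max_results=10000"
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + auth})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def delete_records(auth, records, dry_run=DRY_RUN):
    """DELETE each record by its _ref; in dry-run mode only report the candidates."""
    handled = []
    for r in records:
        if dry_run:
            print(f"would delete {r['name']} -> {r['ipv4addr']} ({r['_ref']})")
        else:
            req = urllib.request.Request(f"{WAPI_URL}/{r['_ref']}", method="DELETE",
                                         headers={"Authorization": "Basic " + auth})
            urllib.request.urlopen(req).read()
        handled.append(r["_ref"])
    return handled


# Constructed sample: the kind of clutter the post describes (one hostname, one
# record per interface on the laptop) plus a server record that must survive.
SAMPLE_RECORDS = [
    {"_ref": "record:a/ref1:laptop1.corp.example/default",
     "name": "laptop1.corp.example", "ipv4addr": "10.212.134.17"},
    {"_ref": "record:a/ref2:laptop1.corp.example/default",
     "name": "laptop1.corp.example", "ipv4addr": "192.168.1.105"},
    {"_ref": "record:a/ref3:laptop1.corp.example/default",
     "name": "laptop1.corp.example", "ipv4addr": "172.16.5.20"},
    {"_ref": "record:a/ref4:fileserver.corp.example/default",
     "name": "fileserver.corp.example", "ipv4addr": "10.1.1.5"},
]

if __name__ == "__main__":
    # Offline dry run: reports the two in-scope records, deletes nothing.
    stale = select_stale(SAMPLE_RECORDS)
    delete_records(basic_auth("svc-dnscleanup", "placeholder"), stale)
```

Scoping by address rather than by name is the point: the laptop's 172.16.x record and the file server are untouched even though one of them shares the cluttered hostname. Run it with a real grid only after the dry-run output lists exactly what you expect.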

Digging around on this, I found two possibilities; one is DHCP Option 81. Infoblox has two settings, and I'm not clear what they do - DHCP Server always updates DNS, and DHCP Server updates DNS if requested by client. I think it's sort of what I'm looking for, meaning the second one says "Don't expect a departing DNS update from the DHCP Server" but I'm not certain, and the one "explanation" I found was way too opaque for me to figure out on New Year's Eve.
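To make option 81 less opaque, here is an added example (not from this post) that encodes and decodes the Client FQDN option as RFC 4702 defines it, so the S and N flag bits a client sends are visible, and then applies the two server-side policies to them. The FQDN and flag values are constructed; the mapping of the policies "always" and "if_requested" onto the two Infoblox setting names is this example's reading of those names, not Infoblox documentation.

```python
"""Added example, not from the blog post: encode and decode DHCP option 81
(Client FQDN, RFC 4702) and show how a DHCP server's update policy reads the
flag bits. Sample values are constructed; the Infoblox mapping is an assumption.
"""

OPTION_CLIENT_FQDN = 81

# Flag bits from RFC 4702 section 2.1 (low nibble of the Flags byte).
FLAG_S = 0x01  # client asks the server to perform the A (forward) update
FLAG_O = 0x02  # server overrode the client's S request (set by servers only)
FLAG_E = 0x04  # domain name is in canonical wire (label) format
FLAG_N = 0x08  # client asks the server to perform no DNS updates at all


def encode_wire_name(fqdn):
    """RFC 1035 label encoding without compression (option 81 forbids it)."""
    out = bytearray()
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def decode_wire_name(data):
    """Inverse of encode_wire_name; rejects pointers and truncated labels."""
    labels, pos = [], 0
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not allowed in option 81")
        if pos + n > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    else:
        raise ValueError("missing root label")
    return ".".join(labels)


def encode_client_fqdn(fqdn, want_server_a_update=True, no_updates=False):
    """Build the full option (code, length, payload) as a client would send it."""
    flags = FLAG_E
    if want_server_a_update:
        flags |= FLAG_S
    if no_updates:
        flags |= FLAG_N
    # RFC 4702 2.3: RCODE1/RCODE2 are deprecated; a client sets both to 0.
    payload = bytes([flags, 0, 0]) + encode_wire_name(fqdn)
    return bytes([OPTION_CLIENT_FQDN, len(payload)]) + payload


def parse_client_fqdn(option):
    """Return the flag bits and FQDN carried by a raw option 81 TLV."""
    if len(option) < 2 or option[0] != OPTION_CLIENT_FQDN:
        raise ValueError("not a Client FQDN option")
    length = option[1]
    payload = option[2:2 + length]
    if len(payload) != length or length < 3:
        raise ValueError("truncated option")
    flags = payload[0]
    name_bytes = payload[3:]
    if flags & FLAG_E:
        name = decode_wire_name(name_bytes)
    else:
        name = name_bytes.decode("ascii")  # deprecated pre-RFC ASCII form
    return {
        "S": bool(flags & FLAG_S), "O": bool(flags & FLAG_O),
        "E": bool(flags & FLAG_E), "N": bool(flags & FLAG_N),
        "fqdn": name,
    }


def server_updates_a_record(parsed, policy):
    """Decide whether the DHCP server registers the A record.

    'always'       -> the server ignores the client's S/N bits and updates.
    'if_requested' -> the server honours them: update only when S=1 and N=0.
    Assumption: these correspond to Infoblox's "DHCP Server always updates DNS"
    and "DHCP Server updates DNS if requested by client" settings.
    """
    if policy == "always":
        return True
    if policy == "if_requested":
        return parsed["S"] and not parsed["N"]
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed: a VPN client announcing itself, then one opting out entirely.
    opt_in = encode_client_fqdn("laptop1.corp.example")
    opt_out = encode_client_fqdn("laptop1.corp.example",
                                 want_server_a_update=False, no_updates=True)
    for raw in (opt_in, opt_out):
        p = parse_client_fqdn(raw)
        print(raw.hex(), p, "always:", server_updates_a_record(p, "always"),
              "if_requested:", server_updates_a_record(p, "if_requested"))
```

The practical reading: under "if requested by client" the server only registers a name when the client sets S and leaves N clear, so a client that sends N (or no option 81 at all) produces no record; under "always" the client's flags change nothing. Neither setting says anything about removing the record later; that is a separate lease-expiry or scavenging question.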

The other thing is DNS scavenging, but because Infoblox approaches nearly everything with the hostname as the basis, rather than the IP, I can't find whether or not I can restrict scavenging to specific IP ranges. Has anyone ever done that and if so, is it as trivial as adding any other condition, or do you have to jump through hoops?


