Since most of our users are on VPN now, our DNS servers are registering both their home network's LAN addresses (usually 192.168 addresses, of course), which we definitely don't want in our DNS, and the Palo Alto GlobalProtect VPN addresses, which are what we do want.
I don't want to set a GPO that would unset the "register this connection in DNS" entry on their WiFi and LAN NICs, since I know that some of them do occasionally come into the building, use the wifi, and don't need the VPN.
I figure we have a hacky option of a frequently running script on one of the DNS servers, which checks for RFC 1918 addresses in DNS and then deletes them, but it would be much more elegant if there were a setting in MS DNS Server I could put in that would deny registrations containing addresses, ranges, or subnets we didn't want.
Does anyone know if this is possible? Our two DNS servers are Server 2016 and 2012. I found DNS policies are a 'new' thing for server 2016, which I hadn't heard about, but that seems to be more for queries, not registration.
Does anyone have any suggestions?
Thread source link: https://social.technet.microsoft.com/Forums/zh-CN/1489e63d-722a-45d7-b4aa-48b6dbeb7b8b/does-ms-dns-server-allow-setting-up-automatic-denial-of-registration-to-certain-ips-ranges-or?forum=winserveripamdhcpdns
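The "hacky option" the poster describes, written out as an added example (this is not code from the thread or from Microsoft). It assumes the DnsServer PowerShell module that ships with Windows Server 2012+/RSAT; the zone name and the two prefix lists are placeholder assumptions to replace with your own. One point worth building in from the start: a GlobalProtect client pool is very often itself an RFC 1918 range, so "delete every private address" would also delete the VPN registrations you want to keep. The script therefore treats RFC 1918 as the candidate set and removes only those A records that fall outside an explicit allowlist of corporate prefixes (VPN pool, office LAN and Wi-Fi). It also skips static records (dynamic registrations carry a timestamp, static ones do not) and deletes only the offending address, leaving the host's other A records in place.

```powershell
#Requires -Modules DnsServer
# Added example, not from the original thread. Removes dynamically registered A records
# that hold an RFC 1918 address outside the corporate prefixes we expect to see.
param(
    [string]$ZoneName = 'corp.example.com',           # assumption: your AD-integrated forward zone
    [string[]]$AllowedPrefixes = @('10.10.0.0/16',    # assumption: GlobalProtect client pool
                                   '10.20.0.0/16'),   # assumption: office LAN/WiFi subnets
    [switch]$WhatIf                                   # dry run: report, do not delete
)

# RFC 1918 private ranges: anything here that is NOT in $AllowedPrefixes is a home LAN leak.
$Rfc1918 = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')

function ConvertTo-IPv4Long {
    # Dotted-quad string -> 32-bit value held in a [long] (avoids signed-int overflow in PowerShell).
    param([string]$IPv4)
    $b = ([System.Net.IPAddress]::Parse($IPv4)).GetAddressBytes()
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Test-IPv4InPrefix {
    # True when $IPv4 lies inside the CIDR prefix $Cidr (e.g. '192.168.0.0/16').
    param([string]$IPv4, [string]$Cidr)
    $net, $len = $Cidr.Split('/')
    $hostBits = 32 - [int]$len
    # Network mask as a long: all ones minus the host portion.
    $mask = [long]4294967295 - ([long][math]::Pow(2, $hostBits) - 1)
    return (((ConvertTo-IPv4Long $IPv4) -band $mask) -eq ((ConvertTo-IPv4Long $net) -band $mask))
}

function Test-InAnyPrefix {
    param([string]$IPv4, [string[]]$Prefixes)
    foreach ($p in $Prefixes) { if (Test-IPv4InPrefix -IPv4 $IPv4 -Cidr $p) { return $true } }
    return $false
}

$removed = 0
foreach ($rr in (Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A)) {
    # Static records have no Timestamp; only dynamic registrations are candidates.
    if (-not $rr.Timestamp) { continue }

    $ip = $rr.RecordData.IPv4Address.IPAddressToString
    if (-not (Test-InAnyPrefix -IPv4 $ip -Prefixes $Rfc1918)) { continue }        # public address: leave it
    if (Test-InAnyPrefix -IPv4 $ip -Prefixes $AllowedPrefixes) { continue }       # VPN pool / office: keep it

    Write-Output ("Removing {0}.{1} -> {2} (registered {3})" -f $rr.HostName, $ZoneName, $ip, $rr.Timestamp)
    # -RecordData scopes the delete to this one address, so a host that also registered
    # its GlobalProtect address keeps that record.
    Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $rr.HostName `
        -RecordData $ip -Force -WhatIf:$WhatIf
    $removed++
}
Write-Output "Done: $removed record(s) matched."
```

Run it first with `-WhatIf` on one server (the zone is AD-integrated, so deletions replicate to the other) and confirm the list contains only home addresses before scheduling it. Expect the records to reappear: the Windows DNS client re-registers on every address change and on its periodic refresh, so this only reverts registrations after the fact, which is why the poster's instinct to run it frequently is right. Check the `HostName` column too; if the same host shows both a home address and a VPN address, the allowlist is doing its job.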