We operate in a two-address model for our production IPv6 network -- we have an internal site-to-site VPN-connected ULA range in fd00::/8, and we also have IPv6 external addressing in 2001::/16. We route-advertise both address prefixes to our clients.
My problem is thus. We don't want to necessarily add the external addresses into DNS, which would imply that internal traffic would skirt out the internet instead of routing over our encrypted VPNs. To that end, I'm trying to find a way to configure the machines (hopefully via group policy) in such a way as to avoid the 2001::/16 address being published in DNS for the machines.
I tried setting the two route advertisements such that the 2001::/16 address has no preferred lifetime, but does have a valid lifetime. This achieved what I want with DNS (it didn't register that address), but Windows won't use that address now as it considers it deprecated.
So I'm looking for either:
- A way to configure DNS auto-registration, via GPO, where I can tell the auto-register to not register certain addresses, or
- A way to cause Windows to utilize a deprecated address that still has a valid lifetime, also pushable via GPO.
Any suggestions?
Could you separate the addressing onto different NICs on each computer? AFAIK Windows only allows you to disable DNS registration per NIC - not per IP.
Failing that, you could do periodic cleansing on the DNS server, running a script every few minutes (or as necessary), deleting any records that match the public addressing scheme.
Again failing that, as @RichVel said... why the separate addressing scheme in the first place? Surely if subnetted correctly you could easily have only the public addressing scheme in place and any edge routers forcing internal machines to go via the VPN for connectivity matching the other site? The edge (before the internet) is surely under your control, so make the routing work for you.
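The "periodic cleansing on the DNS server" fallback from the answer above, written out as an added example that is not part of the original thread. It assumes the DnsServer PowerShell module (RSAT DNS tools) is available on the DNS server, and the zone name is a placeholder; the prefix defaults to the 2001::/16 range from the question. Prefix matching is done on the raw address bytes so any prefix length works, and the `-WhatIf` switch lets you review what would be deleted before scheduling it.

```powershell
# Added example, not from the original post: remove AAAA records that fall inside
# the public prefix from a DNS zone. Assumes the DnsServer module (RSAT) on the
# DNS server. ZoneName is a placeholder; PublicPrefix defaults to the question's range.
param(
    [string]$ZoneName     = 'corp.example',   # placeholder zone name
    [string]$PublicPrefix = '2001::/16',      # prefix the question wants kept out of DNS
    [switch]$WhatIf                           # dry run: report but do not delete
)

# Return $true when an IPv6 address lies inside the given prefix (CIDR notation).
function Test-InPrefix {
    param([string]$Address, [string]$Prefix)
    $netText, $lenText = $Prefix.Split('/')
    $bits   = [int]$lenText
    $netIp  = [System.Net.IPAddress]::Parse($netText)
    $addrIp = [System.Net.IPAddress]::Parse($Address)
    if ($addrIp.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return $false }
    $a = $addrIp.GetAddressBytes()
    $n = $netIp.GetAddressBytes()
    # Compare one byte at a time, masking the last partial byte of the prefix.
    for ($i = 0; $i -lt 16 -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($a[$i] -band $mask) -ne ($n[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

# Enumerate every AAAA record in the zone and prune those inside the public prefix.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType AAAA
foreach ($rec in $records) {
    $ip = $rec.RecordData.IPv6Address.IPAddressToString
    if (Test-InPrefix -Address $ip -Prefix $PublicPrefix) {
        Write-Output "Removing $($rec.HostName) AAAA $ip from $ZoneName"
        Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType AAAA `
            -Name $rec.HostName -RecordData $ip -Force -WhatIf:$WhatIf
    }
}
```

Run it once with `-WhatIf` to confirm only the public-prefix records are selected, then register it as a scheduled task under an account that holds write rights on the zone. Clients will re-register the address on their next dynamic update refresh, so the script only narrows the window in which the public AAAA record is visible; it does not stop registration at the source the way the per-NIC setting mentioned above would.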