Updating Dynamic DNS from a DHCP Server

Traditionally, hostnames and IP addresses have been associated through the use of DNS, requiring static configurations. While this might be practical for servers, which rarely change their hostnames or addresses, it does not lend itself to timely updates for clients that frequently change IP addresses.

Dynamic DNS (DDNS) solves this problem by keeping the DNS function, but allowing records to be updated dynamically, as they change. DDNS is most useful when it is teamed with a DHCP server; as the DHCP server hands out IP addresses to clients, it can send a DDNS update immediately. This allows mobile or transient clients to keep a stable hostname and to always be found through a DNS lookup.

On the ASA platform, the DDNS database can be updated from the following sources:

• The ASA DHCP server, as it provides IP addresses to PC clients

• The ASA DHCP client, as it requests an address from an ISP

• PC clients, as they send a DHCP request; the ASA can relay the DNS information provided by the clients

On the ASA, DDNS uses the IETF standard method defined in RFC 2136. Through DDNS, the following DNS resource records can be updated for a host:

• A resource record—Contains the hostname-to-address mapping (for example, www.cisco.com resolves to 198.133.219.25)

• PTR resource record—Contains the address-to-hostname mapping (for example, 219.133.198.in-addr.arpa resolves to www.cisco.com)

To use DDNS, you must configure either a DHCP client, a DHCP server, or both on the ASA. The DHCP mechanism is always used to send updates to a DNS server that is DDNS-capable. You can use the following steps to configure DDNS support:

1. Identify DNS servers that support DDNS:

asa(config)# dns server-group DefaultDNS
asa(config-dns-server-group)# name-server ip_address [ip_address2]...[ip_address6]
asa(config-dns-server-group)# exit

You can enter up to six IP addresses of DDNS servers where the ASA can send dynamic updates.

2. Enable DNS use on an interface:

asa(config)# dns domain-lookup if_name

Identify the ASA interface that is closest to the DNS servers. The ASA sends DDNS updates on that interface.

3. Define an update method:

asa(config)# ddns update method method_name

The DDNS update method policy is known by the arbitrary method_name string.

4. Specify the update method:

asa(DDNS-update-method)# ddns [both]

By default, the ASA attempts to update only the A resource record. You can add the both keyword to make it update both the A and PTR resource records.

5. (Optional) Set the maximum update period:

asa(DDNS-update-method)# interval maximum days hours minutes seconds

By default, the ASA sends DDNS updates only as they occur, based on the activity of DHCP clients. You can also set a maximum update interval, so that the ASA does not wait more than a defined time before sending another update. The interval is defined as days (0 to 364), hours (0 to 23), minutes (0 to 59), and seconds (0 to 59) and should be chosen to match the requirements of the DDNS servers.

6. (Optional) Send DDNS updates from the ASA DHCP client:

asa(config)# interface if_name
asa(config-if)# ddns update method_name
asa(config-if)# ddns update hostname hostname
asa(config-if)# ip address dhcp [setroute]

The DDNS method named method_name (configured in Step 3) is used on the specified ASA interface. When the ASA DHCP client sends a DDNS update, it needs to know its own hostname. You can specify the hostname as hostname, as either a fully qualified domain name (FQDN) or as a hostname that is prepended to the ASA's domain name (configured with the domain-name command).

Finally, the ip address dhcp command starts the DHCP client and requests an IP address for the interface. As soon as an address is obtained, the DHCP client attempts to send its DDNS update to bind the IP address to the hostname.

You can also specify the DDNS policy for the ASA DHCP client with the following interface configuration command:

asa(config-if)# dhcp client update dns [server {both | none}]

By default, the ASA DHCP client does not update its DNS record on its own. Issuing this command enables the client to send DDNS updates through the ASA DHCP server, toward the DNS. The client instructs the server to send only PTR updates, unless the server keyword is added, along with either the both (send both A and PTR updates) or none (send no DDNS updates) keyword.

This command can also be given as a global configuration command, to provide a global policy for all interfaces. You can enter a global and an interface version of the same command; the interface command always overrides the global settings. Be aware that the global version of this command uses a hyphen (dhcp-client), while the interface version does not (dhcp client).

7. (Optional) Send DDNS updates from the ASA DHCP server:

A DHCP server can be configured on an ASA, usually facing the inside or secure side where client PCs are located. The ASA can send DDNS updates based on the requests made from the clients to the DHCP server. You can configure the ASA DHCP server to send DDNS updates with the following global configuration command:

asa(config)# dhcpd update dns [both] [override] [interface if_name]

As soon as this command is given, the ASA DHCP server sends updates for PTR resource records only. You can add the both keyword to send both A and PTR records. If you add the override keyword, the ASA DHCP server overrides the information contained in all DHCP client requests—including the ASA DHCP client configuration. For example, a DHCP client might try to send a PTR record, but the DHCP server can override that by sending both A and PTR records.

If you want to enable DDNS on only a single ASA interface, you can add the interface keyword. Otherwise, the ASA generates DDNS updates on any interface that has a DHCP server configured.

Before it can send an update, the ASA attempts a reverse DNS lookup on the DHCP client's IP address to find the DNS server that is authoritative for the client's domain. Specifically, the Start of Authority (SOA) entry is requested for the client's IP address. If the DNS does not already have the client's domain configured, along with the SOA information, the ASA cannot register DDNS updates successfully.

In the case of private or RFC 1918 addresses inside the firewall boundary, the DNS does not return a valid SOA for the private subnet unless the DDNS-capable machines in your network are already preconfigured with definitions for your local subnets, along with a correct SOA entry.
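As an added illustration (not part of the original text and not the ASA's own code), the following shows what the RFC 2136 method described above amounts to on the wire when `ddns both` is in effect: two UPDATE messages, one against the forward zone carrying the A record and one against the reverse in-addr.arpa zone carrying the PTR record, each prefixed by a Zone section naming the zone whose SOA the updater had to locate first. The hostname `pc1`, the TTL and the message ID are constructed; the domain and addresses follow the page's example network.

```python
import struct
import ipaddress

# Constructed illustration of RFC 2136 UPDATE messages; not ASA code.

def encode_name(name):
    """Dotted name -> DNS wire-format labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def reverse_name(ip):
    """Owner name of the PTR record for an address, e.g. 10.100.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def rr(owner, rtype, rclass, ttl, rdata):
    """One resource record in wire format: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_update(zone, owner, rtype, rdata, ttl=300, msg_id=0x1234):
    """RFC 2136 UPDATE against one zone: delete the owner's RRset of rtype, then add one RR.
    The Zone section names the zone whose SOA the updater must find first."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 2, 0)  # opcode 5 = UPDATE; 1 zone, 2 update RRs
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # ZTYPE = SOA, ZCLASS = IN
    delete_rrset = rr(owner, rtype, 255, 0, b"")  # CLASS ANY + empty RDATA = delete all RRs of that type
    add_rr = rr(owner, rtype, 1, ttl, rdata)      # CLASS IN: the record to add
    return header + zone_sec + delete_rrset + add_rr

def ddns_both(hostname, ip, fwd_zone, rev_zone):
    """What 'ddns both' implies: an A update to the forward zone, a PTR update to the reverse zone."""
    a_msg = build_update(fwd_zone, hostname, 1, ipaddress.ip_address(ip).packed)   # TYPE 1 = A
    ptr_msg = build_update(rev_zone, reverse_name(ip), 12, encode_name(hostname))  # TYPE 12 = PTR
    return a_msg, ptr_msg

def parse_header(msg):
    """(id, opcode, ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT) from a wire message."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return msg_id, (flags >> 11) & 0xF, zo, pr, up, ad

if __name__ == "__main__":
    # pc1 is a constructed inside client on the page's 192.168.100.0/24 network
    a_msg, ptr_msg = ddns_both("pc1.mycompany.com.", "192.168.100.10",
                               "mycompany.com.", "100.168.192.in-addr.arpa.")
    print(parse_header(a_msg), len(a_msg), len(ptr_msg))
```

Because the PTR update targets a different zone than the A update, a DNS server that does not host the reverse zone for the private subnet (the SOA problem noted above) rejects or cannot find a target for the second message even when the first succeeds.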

Verifying DDNS Operation

Because you can configure both DHCP client and DHCP server on a single ASA, you might become confused about what is actually configured and running on which interfaces. You can use the show dhcpd state command to see where the client and server functions exist, as in the following example.

Firewall# show dhcpd state
Context Configured as DHCP Server
Interface outside, Configured for DHCP CLIENT
Interface inside, Configured for DHCP SERVER
Interface dmz, Not Configured for DHCP
Interface management, Not Configured for DHCP
Firewall#

You can use the show ddns update method command to see the configured method and the show ddns update interface command to see the DDNS method that is applied to each ASA interface. Finally, you can view debugging output by entering the debug ddns command.

As an example, suppose an ASA is to be configured to provide DDNS updates to a DNS server. The ASA should have a policy to allow updates to both the A and PTR resource records, using the update method called myddns. On the outside interface, the ASA uses its DHCP client to obtain an address. The DHCP client also is allowed to send DDNS updates with its hostname (asa.mycompany.com) and its newly obtained IP address.

On the inside interface, the ASA should be configured to run a DHCP server for inside clients. As inside clients send DHCP requests, their hostname and assigned IP addresses are sent on as DDNS updates. The following commands could be used to accomplish these example requirements.

Firewall(config)# hostname asa
Firewall(config)# domain-name mycompany.com
Firewall(config)# ddns update method myddns
Firewall(DDNS-update-method)# ddns both
!
Firewall(config)# interface Ethernet0/0
Firewall(config-if)# nameif outside
Firewall(config-if)# security-level 0
Firewall(config-if)# ddns update hostname asa.mycompany.com
Firewall(config-if)# ddns update myddns
Firewall(config-if)# ip address dhcp setroute
Firewall(config-if)# interface Ethernet0/1
Firewall(config-if)# nameif inside
Firewall(config-if)# security-level 100
Firewall(config-if)# dhcp client update dns
Firewall(config-if)# ip address 192.168.100.1 255.255.255.0
Firewall(config-if)# exit
!
Firewall(config)# dns domain-lookup outside
Firewall(config)# dns server-group DefaultDNS
Firewall(config-dns-server-group)# name-server 128.163.111.7
Firewall(config-dns-server-group)# domain-name mycompany.com
Firewall(config-dns-server-group)# exit
Firewall(config)# dhcp-client update dns
Firewall(config)# dhcpd dns 128.163.97.5 128.163.3.10
Firewall(config)# dhcpd update dns both
!
Firewall(config)# dhcpd address 192.168.100.10-192.168.100.254 inside
Firewall(config)# dhcpd enable inside
