Configure Dynamic DNS

When an interface uses DHCP IP addressing, the assigned IP address can change when the DHCP lease is renewed. When the interface needs to be reachable using a fully qualified domain name (FQDN), the IP address change can cause the DNS server resource records (RRs) to become stale. Dynamic DNS (DDNS) provides a mechanism to update DNS RRs whenever the IP address or hostname changes. You can also use DDNS for static or PPPoE IP addressing.

DDNS updates the following RRs on the DNS server: the A RR includes the name-to-IP address mapping, while the PTR RR maps addresses to names.

The threat defense supports the following DDNS update methods:

  • Standard DDNS—The standard DDNS update method is defined by RFC 2136.

    With this method, the threat defense and the DHCP server use DNS requests to update the DNS RRs. The threat defense or DHCP server sends a DNS request to its local DNS server for information about the hostname and, based on the response, determines the main DNS server that owns the RRs. The threat defense or DHCP server then sends an update request directly to the main DNS server. See the following typical scenarios.

    • The threat defense updates the A RR, and the DHCP server updates the PTR RR.

      Typically, the threat defense "owns" the A RR, while the DHCP server "owns" the PTR RR, so both entities need to request updates separately. When the IP address or hostname changes, the threat defense sends a DHCP request (including the FQDN option) to the DHCP server to inform it that it needs to request a PTR RR update.

    • The DHCP server updates both the A and PTR RR.

      Use this scenario if the threat defense does not have the authority to update the A RR. When the IP address or hostname changes, the threat defense sends a DHCP request (including the FQDN option) to the DHCP server to inform it that it needs to request an A and PTR RR update.

    You can configure different ownership depending on your security needs and the requirements of the main DNS server. For example, for a static address, the threat defense should own the updates for both records.

  • Web—The Web update method uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).

    With this method, when the IP address or hostname changes, the threat defense sends an HTTP request directly to a DNS provider with which you have an account.
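The Standard DDNS method above is an RFC 2136 UPDATE exchange. The following Python is an added illustration, not Cisco code: it builds the two messages the text describes, the A RR replacement a client sends when it owns the A RR and the PTR RR replacement the DHCP server sends when it owns the PTR RR, and decodes the response header. The zone names, hostname, address and the primary server name in the usage line are assumptions. The update is unsigned; whether the primary accepts it is decided by the zone's update policy, which is what "authority to update" in the text refers to.

```python
"""Build RFC 2136 UPDATE messages of the kind a Standard DDNS client sends.

Added illustration (not Cisco code): zone names, hostname, address and the
server name used in __main__ are assumptions.
"""
import ipaddress
import secrets
import socket
import struct

TYPE_A, TYPE_SOA, TYPE_PTR, TYPE_ANY = 1, 6, 12, 255
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5                      # RFC 2136 section 2


def encode_name(name):
    """Encode a domain name as DNS wire-format labels (no compression)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def rr(name, rtype, rclass, ttl, rdata=b""):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(zone, prerequisites, updates, msg_id=None):
    """Assemble header + zone section + prerequisite section + update section."""
    if msg_id is None:
        msg_id = secrets.randbits(16)
    # Header: ID, flags (QR=0, OPCODE=5), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                         1, len(prerequisites), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prerequisites) + b"".join(updates)


def a_record_update(zone, fqdn, ip, ttl=300, msg_id=None):
    """Replace the A RRset for fqdn with one address (the client owns the A RR)."""
    updates = [
        rr(fqdn, TYPE_A, CLASS_ANY, 0),                 # CLASS ANY, RDLEN 0: delete every A RR at fqdn
        rr(fqdn, TYPE_A, CLASS_IN, ttl, ipaddress.IPv4Address(ip).packed),
    ]
    return build_update(zone, [], updates, msg_id)


def ptr_record_update(zone, ip, fqdn, ttl=300, msg_id=None):
    """Replace the PTR RRset for ip (what the DHCP server sends when it owns the PTR RR)."""
    rev = ipaddress.ip_address(ip).reverse_pointer      # e.g. 50.0.168.192.in-addr.arpa
    updates = [
        rr(rev, TYPE_PTR, CLASS_ANY, 0),
        rr(rev, TYPE_PTR, CLASS_IN, ttl, encode_name(fqdn)),
    ]
    return build_update(zone, [], updates, msg_id)


def parse_header(msg):
    """Decode the 12-byte header of an UPDATE request or its response."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "zocount": zo, "prcount": pr,
            "upcount": up, "adcount": ad}


def send_update(msg, server, port=53, timeout=3.0):
    """Send the update over UDP to the zone's primary and return the response RCODE."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, port))
        reply, _ = s.recvfrom(512)
    hdr = parse_header(reply)
    if hdr["id"] != parse_header(msg)["id"]:
        raise RuntimeError("response ID does not match the request")
    return hdr["rcode"]   # 0 NOERROR, 5 REFUSED (policy denied), 9 NOTAUTH (not the primary for the zone)


if __name__ == "__main__":
    msg = a_record_update("example.com", "ftd1.example.com", "192.168.0.50", msg_id=0x1234)
    print(len(msg), "bytes:", msg.hex())
    print(parse_header(msg))
    # send_update(msg, "ns1.example.com")  # assumed primary; uncomment on a live network
```

A REFUSED response from the primary is the case the text calls "does not have the authority to update the A RR"; the fix is either to grant the client in the zone's update policy or to let the DHCP server perform both updates.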

The DDNS page also supports setting DHCP server settings relating to DDNS.

Note

DDNS is not supported on the BVI or bridge group member interfaces.

Before you begin

  • Configure a DNS server group on Objects > Object Management > DNS Server Group, and then enable the group for the interface on Devices > Platform Settings > DNS. See DNS.

  • Configure the device hostname. You can configure the hostname when you perform the threat defense initial setup, or by using the configure network hostname command. If you do not specify the hostname per interface, then the device hostname is used.

Procedure


Step 1

Choose Devices > Device Management, and edit the threat defense device.

Step 2

Choose DHCP > DDNS.

Step 3

Standard DDNS method: Configure a DDNS update method to enable DNS requests from the threat defense.

You do not need to configure a DDNS update method if the DHCP server will perform all requests.

  1. On DDNS Update Methods, click Add.

  2. Set the Method Name.

  3. Click DDNS.

  4. (Optional) Configure the Update Interval between DNS requests. By default when all values are set to 0, update requests are sent whenever the IP address or hostname changes. To send requests regularly, set the Days (0-364), Hours, Minutes, and Seconds.

  5. Set the Update Records you want the threat defense to update.

    This setting only affects the records you want to update directly from the threat defense; to determine the records you want the DHCP server to update, configure the DHCP client settings per interface or globally. See Step 5.

    • Not Defined—Disables DNS updates from the threat defense.

    • Both A and PTR Records—Sets the threat defense to update both A and PTR RRs. Use this option for static or PPPoE IP addressing.

    • A Records—Sets the threat defense to update the A RR only. Use this option if you want the DHCP server to update the PTR RR.

  6. Click OK.

  7. Assign this method to the interface in Step 5.

Step 4

Web method: Configure a DDNS update method to enable HTTP update requests from the threat defense.

  1. On DDNS Update Methods, click Add.

  2. Set the Method Name.

  3. Click Web.

  4. Set the Web Update Type to update IPv4, IPv6, or both types of addresses.

  5. Set the Web URL. Specify the update URL. Check with your DNS provider for the URL required.

    Use the following syntax:

    https://username:password@provider-domain/path?hostname=<h>&myip=<a>

    Example:

    https://jcrichton:pa$$w0rd17@domains.example.com/nic/update?hostname=<h>&myip=<a>

  6. (Optional) Configure the Update Interval between update requests. By default when all values are set to 0, update requests are sent whenever the IP address or hostname changes. To send requests regularly, set the Days (0-364), Hours, Minutes, and Seconds.

  7. Click OK.

  8. Assign this method to the interface in Step 5.

  9. The Web method for DDNS also requires you to identify the DDNS server root CA to validate the DDNS server certificate for the HTTPS connection. See Step 9.
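The Web method in Step 4 is an HTTPS request in the DynDNS Remote API style, with the account credentials carried in the Web URL and the <h> and <a> placeholders filled in at update time. The following Python is an added illustration, not Cisco code: it expands a template of the form shown above, moves the userinfo out of the URL into a Basic Authorization header, sends the request trusting only the provider CA from Step 9, and interprets the provider's reply. The template, hostname, address and CA file path are assumptions; the return codes are the DynDNS Remote API ones. Because the credentials are stored in the device configuration, use an account or token that is limited to the hosts being updated rather than the account's main password.

```python
"""Web DDNS update (DynDNS Remote API style) from a <h>/<a> URL template.

Added illustration (not Cisco code). Template, hostname, address and CA
file path are assumptions.
"""
import base64
import ssl
import urllib.request
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# DynDNS Remote API return codes
OK_CODES = {"good", "nochg"}
RETRY_CODES = {"911", "dnserr"}          # provider-side trouble: back off, try again later
# everything else (badauth, nohost, notfqdn, abuse, badagent, !donator) is fatal


def build_update_request(template, hostname, ip):
    """Expand <h>/<a> and move the userinfo into a Basic Authorization header."""
    url = template.replace("<h>", quote(hostname, safe="")).replace("<a>", quote(ip, safe=":"))
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("credentials must only be sent over HTTPS")
    if parts.username is None or parts.password is None:
        raise ValueError("template must carry username:password in the URL")
    # userinfo may be percent-encoded in the URL; decode before building the header
    user, password = unquote(parts.username), unquote(parts.password)
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    clean_url = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return clean_url, {"Authorization": f"Basic {token}", "User-Agent": "ddns-example/1.0"}


def parse_dyndns_response(body):
    """Return (code, address_or_None, action) where action is 'ok', 'retry' or 'stop'."""
    first_line = body.strip().splitlines()[0] if body.strip() else ""
    code, _, rest = first_line.partition(" ")
    if code in OK_CODES:
        return code, rest.strip() or None, "ok"      # 'good <ip>' or 'nochg <ip>'
    if code in RETRY_CODES:
        return code, None, "retry"
    return code or "empty", None, "stop"            # retrying badauth/abuse gets the host blocked


def send_update(template, hostname, ip, cafile, timeout=10):
    """Perform the update, trusting only the CA in cafile (the trustpoint from Step 9)."""
    url, headers = build_update_request(template, hostname, ip)
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname and CERT_REQUIRED are on by default
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_dyndns_response(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    template = "https://jcrichton:pa$$w0rd17@domains.example.com/nic/update?hostname=<h>&myip=<a>"
    print(build_update_request(template, "ftd1.example.com", "203.0.113.7"))
    print(parse_dyndns_response("good 203.0.113.7"))
    # print(send_update(template, "ftd1.example.com", "203.0.113.7", "/path/to/provider-root-ca.pem"))
```

The "stop" action matters operationally: the Update Interval in Step 4 resends on a schedule, and a provider that keeps receiving requests with bad credentials or for a missing host answers "abuse" and blocks the host until it is unblocked manually.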

Step 5

Configure interface settings for DDNS, including setting the update method, DHCP client settings, and the hostname for this interface.

  1. On DDNS Interface Settings, click Add.

  2. Choose the Interface from the drop-down list.

  3. Choose the Method Name that you created on the DDNS Update Methods page.

    (Standard DDNS method) You do not need to assign a method if you want the DHCP server to perform all updates.

  4. Set the Host Name for this interface.

    If you do not set the hostname, the device hostname is used. If you do not specify an FQDN, then the default domain from the DNS server group is appended (for static or PPPoE IP addressing) or the domain name from the DHCP server is appended (for DHCP IP addressing).

  5. Standard DDNS method: Configure the DHCP Client requests DHCP server to update requests setting to determine which records you want the DHCP server to update.

    The threat defense sends DHCP client requests to the DHCP server. Note that the DHCP server must also be configured to support DDNS. The server can be configured to honor the client requests, or it can override the client (in which case, it will reply to the client so the client does not also try to perform updates that the server is performing).

    For static or PPPoE IP addressing, these settings are ignored.

    Note

    You can also set these values globally for all interfaces on the DDNS page. The per-interface settings take precedence over the global settings.

    • Not Selected—Disables DDNS requests to the DHCP server. Even if the client does not request DDNS updates, the DHCP server can be configured to send updates anyway.

    • No Update—Requests the DHCP server not to perform updates. This setting works in conjunction with a DDNS update method with Both A and PTR Records enabled.

    • Only PTR—Requests that the DHCP server perform the PTR RR update. This setting works in conjunction with a DDNS update method with A Records enabled.

    • Both A and PTR Records—Requests that the DHCP server perform both A and PTR RR updates. This setting does not require a DDNS update method to be associated with the interface.

  6. Click OK.

Note

The Dynamic DNS Update settings relate to DHCP server settings when you enable a DHCP server on the threat defense. See Step 6 for more information.

Step 6

If you enable the DHCP server on the threat defense, you can configure DHCP server settings for DDNS.

To enable the DHCP server, see Configure the DHCPv4 Server. You can configure how the server behaves when DHCP clients use the standard DDNS update method. If the server performs any updates, then when a client lease expires without being renewed, the server requests that the DNS server remove the RRs for which it was responsible.

  1. You can configure server settings globally or per interface. For global settings, see the main DDNS page. For per-interface settings, see the DDNS Interface Settings page. Interface settings take precedence over global settings.

  2. Configure which DNS RRs you want the DHCP server to update under Dynamic DNS Update.

    • Not Selected—DDNS updates are disabled, even if the client requests them.

    • Only PTR—Enables DDNS updates. If you enable the Override DHCP Client Requests setting, then the server will only update the PTR RR. Otherwise, the server will update RRs that the client requests. If the client does not send an update request with the FQDN option, the server will request an update for both A and PTR RRs using the hostname discovered in DHCP option 12.

    • Both A and PTR Records—Enables DDNS updates. If you enable the Override DHCP Client Requests setting, then the server will update both the A and PTR RRs. Otherwise, the server will update RRs that the client requests. If the client does not send an update request with the FQDN option, the server will request an update for both A and PTR RRs using the hostname discovered in DHCP option 12.

  3. To override the update actions requested by the DHCP client, check Override DHCP Client Requests.

    The server will reply to the client that the request was overridden, so the client does not also try to perform updates that the server is performing.
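The client requests in Step 5 and the server reply in Step 6 are carried in the DHCP Client FQDN option (option 81, RFC 4702): the client's S and N flags say which records it wants the server to update, and the server sets the O flag when it overrides that request. The following Python is an added illustration, not Cisco code: it encodes and parses option 81 and maps the page's settings onto the flags, so you can see who ends up updating which RR for a given combination of client setting, server Dynamic DNS Update setting and Override DHCP Client Requests. The FQDN is an assumption, and "client" in the result means only that the server will not update the record; whether the client does depends on the DDNS update method assigned in Step 5.

```python
"""DHCP Client FQDN option (option 81, RFC 4702) as exchanged between a DDNS
client and a DDNS-aware DHCP server. Added illustration (not Cisco code); the
FQDN in __main__ is an assumption.
"""
OPTION_CLIENT_FQDN = 81
FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08   # RFC 4702 section 2.1

# Page setting (DHCP Client requests DHCP server to update requests) -> client flags
CLIENT_REQUEST = {
    "no_update": FLAG_N,   # server does nothing; pairs with method "Both A and PTR Records"
    "only_ptr": 0,         # S=0: client keeps the A RR, server does PTR; pairs with "A Records"
    "both": FLAG_S,        # S=1: server does A and PTR; no update method needed
}


def build_client_fqdn(fqdn, request):
    """Option 81 as the client sends it: code, len, flags, RCODE1, RCODE2, wire-format name."""
    labels = fqdn.rstrip(".").split(".")
    if any(not 0 < len(l) < 64 for l in labels):
        raise ValueError(f"bad label in {fqdn!r}")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    flags = FLAG_E | CLIENT_REQUEST[request]          # E=1: canonical wire-format encoding
    body = bytes([flags, 0, 0]) + name                # RCODE1/RCODE2 are sent as zero
    if len(body) > 255:
        raise ValueError("option too long")
    return bytes([OPTION_CLIENT_FQDN, len(body)]) + body


def parse_client_fqdn(opt):
    """Decode option 81; rejects malformed lengths, the deprecated ASCII form and compression."""
    if len(opt) < 5 or opt[0] != OPTION_CLIENT_FQDN or len(opt) != 2 + opt[1]:
        raise ValueError("not a well-formed option 81")
    flags = opt[2]
    if not flags & FLAG_E:
        raise ValueError("E=0 (deprecated ASCII encoding) not handled")
    buf, labels, i = opt[5:], [], 0
    while i < len(buf) and buf[i] != 0:
        n = buf[i]
        if n >= 64 or i + 1 + n > len(buf):           # no pointers allowed in option 81
            raise ValueError("truncated or compressed name")
        labels.append(buf[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return {"flags": flags, "fqdn": ".".join(labels)}


def server_reply_flags(client_flags, policy, override=False):
    """Flags the server returns; policy is the page's Dynamic DNS Update setting:
    'not_selected', 'only_ptr' or 'both'; override is Override DHCP Client Requests."""
    flags = FLAG_E
    if policy == "not_selected":
        return flags | FLAG_N                 # server performs no updates, whatever was asked
    if override:
        flags |= FLAG_O                       # tell the client its S/N preference was overridden
        if policy == "both":
            flags |= FLAG_S                   # server takes the A RR as well as the PTR RR
        return flags                          # only_ptr: S=0, server updates PTR only
    return flags | (client_flags & (FLAG_S | FLAG_N))   # honor the client: echo S and N


def effective_updaters(reply_flags):
    """Who sends the RFC 2136 update for each RR after the exchange."""
    if reply_flags & FLAG_N:
        return {"A": "client", "PTR": "client"}
    return {"A": "server" if reply_flags & FLAG_S else "client", "PTR": "server"}


if __name__ == "__main__":
    opt = build_client_fqdn("ftd1.example.com", "only_ptr")
    req = parse_client_fqdn(opt)
    for policy, override in (("both", False), ("both", True), ("only_ptr", True), ("not_selected", False)):
        reply = server_reply_flags(req["flags"], policy, override)
        print(f"{policy:13s} override={override!s:5s} -> {effective_updaters(reply)}")
```

Reading the result against the page: with the client set to Only PTR and the server set to Both A and PTR Records with Override checked, the reply carries O=1 and S=1 and the server updates both records, so the client must not also send its own A update; without Override the server honors the client and the client's A Records method stays responsible for the A RR.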

Step 7

(Optional) Configure general DHCP client settings. These settings are not related to DDNS, but are related to how the DHCP client behaves.

  1. On the DDNS page, check Enable DHCP Client Broadcast to set the broadcast flag in the DHCP request, so that the DHCP server broadcasts its reply instead of unicasting it to the not-yet-configured client.

  2. To force a MAC address to be stored inside a DHCP request packet for option 61 instead of the default internally generated string, on DDNS > DHCP Client ID Interface, choose the interface from the Available Interfaces list, and then click Add to move it to the Selected Interfaces list.

    Some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned. This setting does not directly relate to DDNS, but is a general DHCP client setting.

Step 8

Click Save on the Device page to save your changes.

Step 9

The Web method for DDNS also requires you to identify the DDNS server root CA to validate the DDNS server certificate for the HTTPS connection.

The following example shows how to add a DDNS server's CA as a trustpoint.

  1. Obtain the DDNS server CA certificate. This procedure shows a manual import using PEM format, but you can also use PKCS12.

  2. In management center, choose Devices > Certificates, and click Add.

  3. Select a Device, and click Add (add icon).

    The Add Cert Enrollment dialog box appears.

  4. Enter the following fields, and click Save:

    • Enter a Name.

    • Choose Enrollment Type > Manual.

    • Click CA Only.

    • Paste in the CA text from step 9.a.

  5. Click Save.