Worldwide Locations
When the hostname.domainname associated with my Small Office Home Office (SOHO) failed to update after a power outage, and a new DHCP-assigned external address was assigned to my router, I was reminded of the need for Dynamic DNS. This article will explore the implementation of the dynamic domain name server system on both the Cisco IOS® router and the ASA Security Appliance.
One objective of any small business owner operating out of their home is minimizing operating costs. The price/performance ratio is much more attractive for a typical residential customer than for a business customer when it comes to Internet service; however, a static IP address for a residence is seldom, if ever, an option. To overcome this, a free service like dyndns.org -- which gives their client the option of picking any desired hostname, along with a select group of domain names -- can provide a very effective solution to the need to have consistent VPN availability regardless of the frequency of dynamic IP address renewal.
Two markedly different approaches to supporting dynamic DNS are taken by the Cisco IOS router and the ASA. The router is capable of implementing the more generic, commonplace (and less secure!) HTTP POST method, as well as the IETF method defined in RFC 2136. The ASA, however, only implements the IETF method. The router commands which define the method are shown below:
Router(config)# ip ddns update method method-name
Router(DDNS-update-method)# {http | ddns}
I omitted both the update interval as well as the HTTP URL from the syntax. A sample configuration is available from DynDNS. For the ASA, dynamic DNS configuration can be done using ASDM via the screen shown below:
Once a method name is defined, it must be applied to an appropriate interface using the Add button in the bottom window pane. Note that both regular address (A) as well as reverse DNS (PTR) records can be updated.
With its sole reliance on the IETF method, websites such as DynDns.org cannot be updated using the ASA, however support has been added for HTTPS using port 443. A subsequent RFC2137 gives a more secure implementation of dynamic DNS updates. With DNS security concerns brought to the forefront by cache poisoning concerns, some vendors are now looking at implementing dynamic DNS with the requirement for Transaction Signatures (TSIGs).
Related Courses: