DHCP and DDNS Services for Threat Defense

The following topics explain DHCP and DDNS services and how to configure them on Threat Defense devices.

About DHCP and DDNS Services

The following topics describe the DHCP server, DHCP relay agent, and DDNS update.

About the DHCPv4 Server

DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The FTD device can provide a DHCP server to DHCP clients attached to FTD device interfaces. The DHCP server provides network configuration parameters directly to DHCP clients.

An IPv4 DHCP client uses a broadcast rather than a multicast address to reach the server. The DHCP client listens for messages on UDP port 68; the DHCP server listens for messages on UDP port 67.

The DHCP server for IPv6 is not supported; you can, however, enable DHCP relay for IPv6 traffic.

DHCP Options

DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. The configuration parameters are carried in tagged items that are stored in the Options field of the DHCP message and the data are also called options. Vendor information is also stored in Options, and all of the vendor information extensions can be used as DHCP options.

For example, Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.

  • DHCP option 150 provides the IP addresses of a list of TFTP servers.

  • DHCP option 66 gives the IP address or the hostname of a single TFTP server.

  • DHCP option 3 sets the default route.

A single request might include both options 150 and 66. In this case, the ASA DHCP server provides values for both options in the response if they are already configured on the ASA.

You can use advanced DHCP options to provide DNS, WINS, and domain name parameters to DHCP clients; DHCP option 15 is used for the DNS domain suffix. You can also use the DHCP automatic configuration setting to obtain these values or define them manually. When you use more than one method to define this information, it is passed to DHCP clients in the following sequence:

  1. Manually configured settings.

  2. Advanced DHCP options settings.

  3. DHCP automatic configuration settings.

For example, you can manually define the domain name that you want the DHCP clients to receive and then enable DHCP automatic configuration. Although DHCP automatic configuration discovers the domain together with the DNS and WINS servers, the manually defined domain name is passed to DHCP clients with the discovered DNS and WINS server names, because the domain name discovered by the DHCP automatic configuration process is superseded by the manually defined domain name.

About the DHCP Relay Agent

You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages because they do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, UDP broadcasts normally are not forwarded by the FTD device because it does not forward broadcast traffic. The DHCP relay agent lets you configure the interface of the FTD device that is receiving the broadcasts to forward DHCP requests to a DHCP server on another interface.

Requirements and Prerequisites for DHCP and DDNS

Model Support

FTD

User Roles

  • Admin

  • Access Admin

  • Network Admin

Guidelines for DHCP and DDNS Services

This section includes guidelines and limitations that you should check before configuring DHCP and DDNS services.

Firewall Mode

  • DHCP Relay is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface.

  • DHCP Server is supported in transparent firewall mode on a bridge group member interface. In routed mode, the DHCP server is supported on the BVI interface, not the bridge group member interface. The BVI must have a name for the DHCP server to operate.

  • DDNS is not supported in transparent firewall mode or in routed mode on the BVI or bridge group member interface.

IPv6

Does not support IPv6 for DHCP server; IPv6 for DHCP relay is supported.

DHCPv4 Server

  • The maximum available DHCP pool is 256 addresses.

  • You can configure a DHCP server on any interface with a name and IP address, such as a physical interface, a subinterface, or a BVI in routed mode.

  • You can configure only one DHCP server on each interface. Each interface can have its own pool of addresses to use. However the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.

  • You cannot configure an interface as a DHCP client if that interface also has DHCP server enabled; you must use a static IP address.

  • You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service.

  • The FTD does not support QIP DHCP servers for use with the DHCP proxy service.

  • The DHCP server does not support BOOTP requests.

DHCP Relay

  • You can configure a maximum of 10 DHCPv4 relay servers per virtual router, global (VRF) and interface-specific servers combined, with a maximum of 4 servers per interface.

  • You can configure a maximum of 10 DHCPv6 relay servers per virtual router. Interface-specific servers for IPv6 are not supported.

  • You cannot configure both a DHCP server and DHCP relay on the same device, even if you want to enable them on different interfaces; you can only configure one type of service.

  • DHCP relay services are not available in transparent firewall mode or in routed mode on the BVI or bridge group member interface. You can, however, allow DHCP traffic through using an access rule. To allow DHCP requests and replies through the FTD, you need to configure two access rules, one that allows DCHP requests from the inside interface to the outside (UDP destination port 67), and one that allows the replies from the server in the other direction (UDP destination port 68).

  • For IPv4, clients must be directly-connected to the FTD and cannot send requests through another relay agent or a router. For IPv6, the FTD supports packets from another relay server.

  • The DHCP clients must be on different interfaces from the DHCP servers to which the FTD relays requests.

  • You cannot enable DHCP Relay on an interface in a traffic zone.

DDNS Service

The firewall's DDNS supports only DynDNS service. Hence, ensure that the DDNS is configured with update URL in the following syntax:

https://username:password@provider-domain/path?hostname=<h>&myip=<a> .

Configure the DHCP Server

See the following steps to configure a DHCP server.

Procedure


Step 1

Choose Devices > Device Management, and edit the Firepower Threat Defense device.

Step 2

Select DHCP > DHCP Server.

Step 3

Configure the following DHCP server options:

  • Ping Timeout—The amount of time in milliseconds that Firepower Threat Defense device waits to time out a DHCP ping attempt. Valid values range from 10 to 10000 milliseconds. The default value is 50 milliseconds.

    To avoid address conflicts, the Firepower Threat Defense device sends two ICMP ping packets to an address before assigning that address to a DHCP client.

  • Lease Length—The amount of time in seconds that the client may use its allocated IP address before the lease expires. Valid values range from 300 to 1048575 seconds. The default value is 3600 seconds (1 hour).

  • (Routed mode) Auto-configuration—Enables DHCP auto configuration on the Firepower Threat Defense device. Auto-configuration enables the DHCP server to provide the DHCP clients with the DNS server, domain name, and WINS server information obtained from a DHCP client running on the specified interface. Otherwise, you can disable auto configuration and add the values yourself in Step 4.

  • (Routed mode) Interface—Specifies the interface to be used for auto configuration. For a device with virtual routing capability, this interface can only be a global virtual router interface.

Step 4

To override auto-configured settings, do the following:

  • Enter the domain name of the interface. For example, your device may be in the Your_Company domain.

  • From the drop-down list, choose the DNS servers (primary and secondary) configured for the interface. To add a new DNS server, see Creating Network Objects.

  • From the drop-down list, choose the WINS servers (primary and secondary) configured for the interface. To add a new WINS server, see Creating Network Objects.

Step 5

Select Server, click Add, and configure the following options:

  • Interface—Choose the interface from the drop-down list. In transparent mode, specify a named bridge group member interface. In routed mode, specify a named routed interface or a named BVI; do not specify the bridge group member interface. Note that each bridge group member interface for the BVI must also be named for the DHCP server to operate.

  • Address Pool—The range of IP addresses from lowest to highest that is used by the DHCP server. The range of IP addresses must be on the same subnet as the selected interface and cannot include the IP address of the interface itself.

  • Enable DHCP Server—Enables the DHCP server on the selected interface.

Step 6

Click OK to save the DHCP server configuration.

Step 7

(Optional) Select Advanced, click Add, and specify the type of information you want the option to return to the DHCP client:

  • Option Code—The Firepower Threat Defense device supports the DHCP options listed in RFC 2132, RFC 2562, and RFC 5510 to send information. All DHCP options (1 through 255) are supported except for 1, 12, 50–54, 58–59, 61, 67, and 82. See About the DHCPv4 Serverfor more information on DHCP option codes.

    Note

     

    The Firepower Threat Defense device does not verify that the option type and value that you provide match the expected type and value for the option code, as defined in RFC 2132. For more information about option codes and their associated types and expected values, see RFC 2132.

  • Type—DHCP option type. Available options include IP, ASCII, and HEX. If you chose IP, you must add IP addresses in the IP Address fields. If you chose ASCII, you must add the ASCII value in the ASCII field. If you chose HEX, you must add the HEX value in the HEX field.

  • IP Address 1 and IP Address 2—The IP address(es) to be returned with this option code. To add a new IP address, see Creating Network Objects.

  • ASCII—The ASCII value that is returned to the DHCP client. The string cannot include spaces.

  • HEX—The HEX value that is returned to the DHCP client. The string must have an even number of digits and no spaces. You do not need to use a 0x prefix.

Step 8

Click OK to save the option code configuration.

Step 9

Click Save on the DHCP page to save your changes.


Configure the DHCP Relay Agent

You can configure a DHCP relay agent to forward DHCP requests received on an interface to one or more DHCP servers. DHCP clients use UDP broadcasts to send their initial DHCPDISCOVER messages because they do not have information about the network to which they are attached. If the client is on a network segment that does not include a server, UDP broadcasts normally are not forwarded by the Firepower Threat Defense device because it does not forward broadcast traffic.

You can remedy this situation by configuring the interface of the Firepower Threat Defense device that is receiving the broadcasts to forward DHCP requests to a DHCP server on another interface.


Note


DHCP Relay is not supported in transparent firewall mode.


Procedure


Step 1

Choose Devices > Device Management, and edit the Firepower Threat Defense device.

Step 2

Select DHCP > DHCP Relay.

Step 3

In the Timeout field, enter the amount of time in seconds that the Firepower Threat Defense device waits to time out the DHCP relay agent. Valid values range from 1 to 3600 seconds. The default value is 60 seconds.

The timeout is for address negotiation through the local DHCP Relay agent.

Step 4

On DHCP Relay Agent, click Add, and configure the following options:

  • Interface—The interface connected to the DHCP clients.

  • Enable IPv4 Relay—Enables IPv4 DHCP Relay for this interface.

  • Set Route(For IPv4) Changes the default gateway address in the DHCP message from the server to that of the Firepower Threat Defense device interface that is closest to the DHCP client, which relayed the original DHCP request. This action allows the client to set its default route to point to the Firepower Threat Defense device even if the DHCP server specifies a different router. If there is no default router option in the packet, the Firepower Threat Defense device adds one containing the interface address.

  • Enable IPv6 Relay—Enables IPv6 DHCP Relay for this interface.

Step 5

Click OK to save the DHCP relay agent changes.

Step 6

On DHCP Servers, click Add, and configure the following options:

Add the IPv4 and IPv6 server addresses as separate entries, even if they belong to the same server.

  • Server—The IP address of the DHCP server. Chose an IP address from the drop-down list. To add a new one, see Creating Network Objects

  • Interface—The interface to which the specified DHCP server is attached. The DHCP Relay agent and the DHCP server cannot be configured on the same interface.

Step 7

Click OK to save the DHCP server changes.

Step 8

Click Save on the DHCP page to save your changes.


Configure Dynamic DNS

When an interface uses DHCP IP addressing, the assigned IP address can change when the DHCP lease is renewed. When the interface needs to be reachable using a fully qualified domain name (FQDN), the IP address change can cause the DNS server resource records (RRs) to become stale. Dynamic DNS (DDNS) provides a mechanism to update DNS RRs whenever the IP address or hostname changes. You can also use DDNS for static or PPPoE IP addressing.

DDNS updates the following RRs on the DNS server: the A RR includes the name-to-IP address mapping, while the PTR RR maps addresses to names.

The FTD supports the following DDNS update methods:

  • Standard DDNS—The standard DDNS update method is defined by RFC 2136.

    With this method, the FTD and the DHCP server use DNS requests to update the DNS RRs. The FTD or DHCP server sends a DNS request to its local DNS server for information about the hostname and, based on the response, determines the main DNS server that owns the RRs. The FTD or DHCP server then sends an update request directly to the main DNS server. See the following typical scenarios.

    • The FTD updates the A RR, and the DHCP server updates the PTR RR.

      Typically, the FTD "owns" the A RR, while the DHCP server "owns" the PTR RR, so both entities need to request updates separately. When the IP address or hostname changes, the FTD sends a DHCP request (including the FQDN option) to the DHCP server to inform it that it needs to request a PTR RR update.

    • The DHCP server updates both the A and PTR RR.

      Use this scenario if the FTD does not have the authority to update the A RR. When the IP address or hostname changes, the FTD sends a DHCP request (including the FQDN option) to the DHCP server to inform it that it needs to request an A and PTR RR update.

    You can configure different ownership depending on your security needs and the requirements of the main DNS server. For example, for a static address, the FTD should own the updates for both records.

  • Web—The Web update method uses the DynDNS Remote API specification (https://help.dyn.com/remote-access-api/).

    With this method when the IP address or hostname changes, the FTD sends an HTTP request directly to a DNS provider with which you have an account.

The DDNS page also supports setting DHCP server settings relating to DDNS.


Note


DDNS is not supported on the BVI or bridge group member interfaces.


Before you begin

  • Configure a DNS server group on Objects > Object Management > DNS Server Group, and then enable the group for the interface on Devices > Platform Settings > DNS. See Configure DNS.

  • Configure the device hostname. You can configure the hostname when you perform the FTD initial setup, or by using the configure network hostname command. If you do not specify the hostname per interface, then the device hostname is used.

Procedure


Step 1

Choose Devices > Device Management, and edit the Firepower Threat Defense device.

Step 2

Choose DHCP > DDNS.

Step 3

Standard DDNS method: Configure a DDNS update method to enable DNS requests from the FTD.

You do not need to configure a DDNS update method if the DHCP server will perform all requests.

  1. On DDNS Update Methods, click Add.

  2. Set the Method Name.

  3. Click DDNS.

  4. (Optional) Configure the Update Interval between DNS requests. By default when all values are set to 0, update requests are sent whenever the IP address or hostname changes. To send requests regularly, set the Days (0-364), Hours, Minutes, and Seconds.

  5. Set the Update Records you want the FTD to update.

    This setting only affects the records you want to update directly from the FTD; to determine the records you want the DHCP server to update, configure the DHCP client settings per interface or globally. See Step Step 5.

    • Not Defined—Disables DNS updates from the FTD.

    • Both A and PTR Records—Sets the FTD to update both A and PTR RRs. Use this option for static or PPPoE IP addressing.

    • A Records—Sets the FTD to update the A RR only. Use this option if you want the DHCP server to update the PTR RR.

  6. Click OK.

  7. Assign this method to the interface in Step Step 5.

Step 4

Web method: Configure a DDNS update method to enable HTTP update requests from the FTD.

  1. On DDNS Update Methods, click Add.

  2. Set the Method Name.

  3. Click Web.

  4. Set the Web Update Type to update IPv4, IPv6, or both types of addresses.

  5. Set the Web URL. Specify the update URL. Check with your DNS provider for the URL required.

    Use the following syntax:

    https://username:password@provider-domain/path?hostname=<h>&myip=<a>

    Example:

    https://jcrichton:pa$$w0rd17@domains.example.com/nic/update?hostname=<h>&myip=<a>

  6. (Optional) Configure the Update Interval between DNS requests. By default when all values are set to 0, update requests are sent whenever the IP address or hostname changes. To send requests regularly, set the Days (0-364), Hours, Minutes, and Seconds.

  7. Click OK.

  8. Assign this method to the interface in Step Step 5.

  9. The web type method for DDNS also requires you to identify the DDNS server root CA to validate the DDNS server certificate for the HTTPS connection. See step Step 9.

Step 5

Configure interface settings for DDNS, including setting the update method, DHCP client settings, and the hostname for this interface.

  1. On DDNS Interface Settings, click Add.

  2. Choose the Interface from the drop-down list.

  3. Choose the Method Name that you created on the DDNS Update Methods page.

    (Standard DDNS method) You do not need to assign a method if you want the DHCP server to perform all updates.

  4. Set the Host Name for this interface.

    If you do not set the hostname, the device hostname is used. If you do not specify an FQDN, then the default domain from the DNS server group is appended (for static or PPPoE IP addressing) or the domain name from the DHCP server is appended (for DHCP IP addressing).

  5. Standard DDNS method: Configure the DHCP Client requests DHCP server to update requests to determine which records you want the DHCP server to update.

    The FTD sends DHCP client requests to the DHCP server. Note that the DHCP server must also be configured to support DDNS. The server can be configured to honor the client requests, or it can override the client (in which case, it will reply to the client so the client does not also try to perform updates that the server is performing).

    For static or PPPoE IP addressing, these settings are ignored.

    Note

     

    You can also set these values globally for all interfaces on the DDNS page. The per-interface settings take precedence over the global settings.

    • Not Selected—Disables DDNS requests to the DHCP server. Even if the client does not request DDNS updates, the DHCP server can be configured to send updates anyway.

    • No Update—Requests the DHCP server not to perform updates. This setting works in conjunction with a DDNS update method with Both A and PTR Records enabled.

    • Only PTR—Requests that the DHCP server perform the PTR RR update. This setting works in conjunction with a DDNS update method with A Records enabled.

    • Both A and PTR Records—Requests that the DHCP server perform both A and PTR RR updates. This setting does not require a DDNS update method to be associated with the interface.

  6. Click OK.

Note

 

The Dynamic DNS Update settings relate to DHCP server settings when you enable a DHCP server on the FTD. See Step Step 6 for more information.

Step 6

If you enable the DHCP server on an FTD, you can configure DHCP server settings for DDNS.

To enable the DHCP server, see Configure the DHCP Server). You can configure the server behavior when DHCP clients use the standard DDNS update method. If the server performs any updates, then if the client lease expires (and is not renewed), the server will request that the DNS server remove the RRs for which it was responsible.

  1. You can configure server settings globally or per interface. For global settings, see the main DDNS page. For per-interface settings, see the DDNS Interface Settings page. Interface settings take precedence over global settings.

  2. Configure which DNS RRs you want the DHCP server to update under Dynamic DNS Update.

    • Not Selected—DDNS updates are disabled, even if the client requests them.

    • Only PTR—Enables DDNS updates. If you enable the Override DHCP Client Requests setting, then the server will only update the PTR RR. Otherwise, the server will update RRs that the client requests. If the client does not send an update request with the FQDN option, the server will request an update for both A and PTR RRs using the hostname discovered in DHCP option 12.

    • Both A and PTR Records—Enables DDNS updates. If you enable the Override DHCP Client Requests setting, then the server will update both the A and PTR RRs. Otherwise, the server will update RRs that the client requests. If the client does not send an update request with the FQDN option, the server will request an update for both A and PTR RRs using the hostname discovered in DHCP option 12.

  3. To override the update actions requested by the DHCP client, check Override DHCP Client Requests.

    The server will reply to the client that the request was overridden, so the client does not also try to perform updates that the server is performing.

Step 7

(Optional) Configure general DHCP client settings. These settings are not related to DDNS, but are related to how the DHCP client behaves.

  1. On the DDNS page, check Enable DHCP Client Broadcast to request that the DHCP server broadcast the DHCP reply (DHCP option 1).

  2. To force a MAC address to be stored inside a DHCP request packet for option 61 instead of the default internally generated string, on DDNS > DHCP Client ID Interface, choose the interface from the Available Interfaces list, and then click Add to move it to the Selected Interfaces list.

    Some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned. This setting does not directly relate to DDNS, but is a general DHCP client setting.

Step 8

Click Save on the Device page to save your changes.

Step 9

The Web method for DDNS also requires you to identify the DDNS server root CA to validate the DDNS server certificate for the HTTPS connection.

The following example shows how to add a DDNS server's CA as a trustpoint.

  1. Obtain the DDNS server CA certificate. This procedure shows a manual import using PEM format, but you can also use PKCS12.

  2. In FMC, choose Devices > Certficates, and click Add.

  3. Select a Device, and click Add (add icon).

    The Add Cert Enrollment dialog box appears.

  4. Enter the following fields, and click Save:

    • Enter a Name.

    • Choose Enrollment Type > Manual.

    • Click CA Only.

    • Paste in the CA text from step 9.a.

  5. Click Save.