Cisco Support Community
Community Member

DNS USING DHCP ON CISCO ASA

Hi All,

We have an ASA configured to act as a DHCP server on a customer network. Yesterday, their ISP's primary DNS server failed, leading to them not being able to reach websites due to a DNS issue. We very quickly found the problem and reported it to the ISP. However, the ASA did not hand out any other DNS address that had been configured as a secondary address. Here is the simple line of config on the ASA we have as part of the DHCP server.

dhcpd dns 194.194.194.194   212.212.212.212 interface Inside     (IP addresses have been changed)

In this example I thought that if 194.194.194.194 (primary) fails then the ASA should send out the secondary DNS address to the DHCP clients to ensure continued connectivity. Just as a point of interest, we had exactly the same issue with one of the Windows PCs that had been configured with a static LAN address and static DNS servers, primary and secondary. When the ISP's DNS server went down this PC also did not force a change to the secondary address. Our Microsoft guys are working on that one.

Would someone please explain what we have missed? Is there some additional config that flushes the DNS cache in the event of failure of the active DNS server address?

Thanks.

1 ACCEPTED SOLUTION
4 REPLIES

DNS USING DHCP ON CISCO ASA

The clients using DHCP should have both of those DNS servers defined. If you do ipconfig /all, what do you see?

The ASA won't give out only 1 address until the primary fails. It provides both to the client and it's up to the client to decide when to use the primary vs. secondary. The secondary will only be used if the primary is unreachable.

What did the ISP say the issue was? If the server was still up during the issue, the clients may not have ever done a query to the secondary DNS server.

Community Member

DNS USING DHCP ON CISCO ASA

Hi Robert,

Thanks for reply.

If we do ipconfig /all on the PCs we can see both primary and secondary DNS servers listed. In my opinion, therefore, Windows should somehow validate the route to the primary DNS server and, if no route is available, it should hop over to the secondary DNS server, but that does not happen on any PCs we have so far tried. The ISP has not provided a reason for the outage of their primary DNS server, except to give us an estimated fix time. When this occurred we could not ping the primary DNS server at all, so it is our opinion that the clients should have automatically switched over to the secondary. I am not a Microsoft engineer, but our in-house MS engineer is also puzzled by this issue.

On the Cisco side, does anyone know if the ASA / routers validate the reachability of the DNS servers before assigning them through a DHCP request?

Any help greatly appreciated.

Thanks,

DNS USING DHCP ON CISCO ASA (Accepted Solution)

Windows does validate DNS server reachability, which is how it determines to use the secondary. You can do some searches to see exactly how it works.

As long as the second DNS server was active, the clients should have used it. Are you sure that DNS server was available and serving requests? Have you done any lookups on the secondary to make sure it works right? Is the proper traffic permitted through the firewall for that secondary DNS server?

On the static assigned machine, have you flipped the priority to test?

Maybe after-hours you can block access to the primary DNS on your firewall and run some captures on the clients to see if DNS requests are going out to the secondary as expected.

The ASA does not validate the reachability of DNS servers before assigning them. As far as I know, no DHCP servers do that. They are providing the settings to clients that you tell them to.

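Two checks the replies above suggest, as an added example that is not code from the thread or from Cisco: reading option 6 out of a DHCP offer to confirm both DNS addresses really are handed to the client (as the first reply states the ASA does), and then performing a lookup against each listed server in order so a silent primary falls through to the secondary (the "have you done any lookups on the secondary" check from the accepted solution). The DHCP option bytes are constructed, not a capture, and reuse the two changed addresses from the original post; `udp_query` is a hypothetical helper that can be swapped out for testing.

```python
import socket
import struct

# Constructed DHCP option bytes (not a real capture): option 6 (DNS servers)
# carrying the two addresses from the thread, followed by option 255 (end).
SAMPLE_DHCP_OPTIONS = bytes([
    6, 8, 194, 194, 194, 194, 212, 212, 212, 212,  # option 6, len 8, two IPv4s
    255,                                            # end option
])

def dns_servers_from_dhcp_options(options: bytes) -> list:
    """Walk the DHCP option TLVs and return every address in option 6, in offer order."""
    servers, i = [], 0
    while i < len(options):
        code = options[i]
        if code == 255:          # end option: nothing follows
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == 6:
            for off in range(0, len(value) - len(value) % 4, 4):
                servers.append(socket.inet_ntoa(value[off:off + 4]))
        i += 2 + length
    return servers

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query (RFC 1035 wire format) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN

def udp_query(server: str, payload: bytes, timeout: float = 2.0) -> bytes:
    """Hypothetical helper: send one UDP query; raises socket.timeout if the server is silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recv(4096)

def resolve_with_failover(servers, name, query=udp_query):
    """Try each server in offer order; return (server_used, response) or (None, None)."""
    payload = build_a_query(name)
    for server in servers:
        try:
            resp = query(server, payload)
        except (socket.timeout, OSError):   # unreachable or silent: fall through
            continue
        # Accept only a reply matching our transaction id with RCODE 0 (NOERROR).
        if len(resp) >= 12 and resp[:2] == payload[:2] and (resp[3] & 0x0F) == 0:
            return server, resp
    return None, None
```

Running `resolve_with_failover(dns_servers_from_dhcp_options(options), "example.com")` against the options from a real offer shows which of the two servers actually answered, which is what the client would have to work out on its own.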
Community Member

DNS USING DHCP ON CISCO ASA

Hi Robert,

We found that an issue on a Windows server was causing the problem, so thanks for your help. As your response helped to clarify how Windows handles primary and secondary DNS entries, this put us on the right track, so I have selected it as the correct answer.

Thank you.
