Local reverse DNS lookup to ASA 5512

Hello,

I’m running Pi-hole as an internal DNS server, while I use my ASA 5512 as the DHCP server. The issue is that the reports from Pi-hole contain only the IP addresses of all the connected devices and not the FQDN or simply the hostname. Hence I’ve enabled the conditional forward / reverse DNS lookup towards my ASA; however, all the UDP/53 requests are discarded, and I haven’t found a way to enable the lookup. What would be the correct configuration of the ASA to fetch the host names?

Any suggestions are highly appreciated.

Thanks!

Hello Filip,

I’m not quite clear as to what you want to achieve. You want the DNS server to obtain FQDNs for the hosts from the ASA which is the DHCP server? Reverse DNS would not achieve this since no FQDNs are stored within the ASA itself. If you look at an example of DHCP bindings in an ASA you’ll see something similar to this:

NWLASA1# show dhcpd binding 

IP address       Client Identifier        Lease expiration        Type

   10.56.100.11  ff9f.6e85.2400.0200.           1808 seconds    Automatic
                 00ab.1169.b025.e3c0.
                 9d7c.11
   10.56.101.10    0100.0c29.0505.5a            2840 seconds    Automatic
   10.56.101.12    0100.0c29.0505.64            2840 seconds    Automatic
   10.56.101.14       000c.29ed.ff47            3037 seconds    Automatic

This includes only identifiers, no hostnames.

I would suggest that the problem is independent of the ASA. It has to do with the ability of the DNS server to resolve the IP addresses to the hostnames of the internal hosts. However, to determine if the ASA is to blame, I suggest you connect a host directly to the same subnet as the Pi-hole bypassing the ASA to see if you have similar results. If it does end up that the ASA is the problem, then you can attempt to permit the appropriate ports. I suggest you take a look at this lesson for more details about that.

I hope this has been helpful!

Laz
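As an added illustration (this is not code from Laz's post or from Cisco), here is a small Python parser for the `show dhcpd binding` table quoted above. It handles the identifier that wraps across three lines on the first row, and it interprets each client identifier on the assumption that the ASA prints the raw DHCP option 61 / chaddr bytes (type 1 = Ethernet MAC per RFC 2132, type 0xff = IAID+DUID per RFC 4361). The parsed rows confirm the point made above: there is no hostname field at all, so nothing here could feed a PTR zone.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the `show dhcpd binding` output quoted above.
SAMPLE = """\
IP address       Client Identifier        Lease expiration        Type
   10.56.100.11  ff9f.6e85.2400.0200.           1808 seconds    Automatic
                 00ab.1169.b025.e3c0.
                 9d7c.11
   10.56.101.10    0100.0c29.0505.5a            2840 seconds    Automatic
   10.56.101.12    0100.0c29.0505.64            2840 seconds    Automatic
   10.56.101.14       000c.29ed.ff47            3037 seconds    Automatic
"""

# A full row (IP, dotted-hex identifier, lease, type) and a wrapped identifier line.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f.]+)\s+(\d+) seconds\s+(\w+)\s*$")
CONT = re.compile(r"^\s+([0-9a-f.]+)\s*$")


@dataclass
class Binding:
    ip: str
    client_id: str      # hex digits with the dots removed
    lease_seconds: int
    lease_type: str


def parse_bindings(text: str) -> list:
    """Parse the binding table, gluing wrapped identifier lines back onto their row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(Binding(m.group(1), m.group(2).replace(".", ""), int(m.group(3)), m.group(4)))
            continue
        c = CONT.match(line)
        if c and rows:                      # continuation belongs to the previous row
            rows[-1].client_id += c.group(1).replace(".", "")
    return rows


def describe_client_id(hex_id: str) -> str:
    """Interpret the identifier bytes (assumed: raw option 61 / chaddr as sent by the client)."""
    raw = bytes.fromhex(hex_id)
    if len(raw) == 7 and raw[0] == 1:       # RFC 2132: type 1 followed by a 6-byte MAC
        return "mac " + ":".join(f"{b:02x}" for b in raw[1:])
    if len(raw) == 6:                       # bare hardware address
        return "mac " + ":".join(f"{b:02x}" for b in raw)
    if raw and raw[0] == 0xFF:              # RFC 4361: type 255 = IAID + DUID
        return f"duid-based identifier ({len(raw)} bytes)"
    return f"opaque identifier ({len(raw)} bytes)"
```

Note that `Binding` has no hostname attribute because the table offers none; a DUID-based identifier in particular cannot even be turned into a MAC without the client's DUID.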

Hello Laz,

Thank you for the reply. However, I’m still puzzled by the local hostname lookups or reverse lookups.

When Pi-hole is acting as the DHCP server, clients requesting an IPv4 lease will also provide a hostname, and Pi-hole’s embedded dnsmasq will create the appropriate DNS records; those records will then be considered whenever a client requests local (reverse) lookups. Surely this is not happening as the ASA is acting as DHCP server and does not store (or at least does not provide a path to retrieve) the local DNS hostnames.
The DNS server is configured with conditional forwarding to divert local queries to the ASA; however, the ASA does not have any service which responds to the request.

Nonetheless, it seems that the ASA does store information on clients!? Could you explain the difference between these two log entries?

image

Is there any way to forward these Dynamic DNS updates to another DNS server?

Thank you in advance.
Filip

Hi Filip,

I looked up these syslog messages. The first one (710005) makes sense:

Explanation: The ASA does not have a UDP server that services the UDP request. Also, a TCP packet that does not belong to any session on the ASA may have been discarded.

There is no DNS server on the ASA so it discards these DNS packets.

The second (331002) shows that the ASA does register something locally:

Explanation: A dynamic DNS update succeeded in the DNS server.

And the last one (331001) shows that it was unable to register something with the DNS server.

Explanation: The dynamic DNS subsystem failed to update the resource records on the DNS server. This failure might occur if the ASA is unable to contact the DNS server or the DNS service is not running on the destination system.

I’m guessing you can reach the Pi-hole DNS server from your ASA?

I’m not exactly sure what the ASA did when it shows syslog 331002. Does this show up when the device just got an IP address?

Do you have any of the DDNS settings configured on your ASA?

You configure the DDNS update settings for the DHCP server in the Dynamic DNS Settings for DHCP Server area. Check the Update DNS Clients check box to specify that, in addition to the default action of updating the client PTR resource records, the selected DHCP server should also perform the following update actions:

Check the Update Both Records check box to specify that the DHCP server should update both the A and PTR RRs.

Check the Override Client Settings check box to specify that the DHCP server actions should override any update actions requested by the DHCP client.

This might be a way to get those device records into your Pi-hole DNS server. I haven’t tried this before though.

Rene