
I have a Windows 2016 server acting as a DHCP and DNS server for a small network. I have it configured such that when a client gets DHCP, it adds the client to DNS as well. This works great for the local subnet, but for the two subnets that go through a DHCP Relay Agent (a Cisco router in this case), no DNS entry is created for the client.

The Scope properties are configured identically, and I've tried it with and without "Always Dynamically Update DNS records", with the same result. I've set up the Credentials for the DHCP server; no change there either.

The clients get DHCP just fine, their DNS server is pointed to the same server that is also the DHCP server. There are no firewall rules blocking traffic between the subnets. I'm at a loss.

Any ideas?

Brad Silva

1 Answer


This sounds like the extra information is being stripped between the subnet and the DNS server. The protocols know how to handle the IP information in order to execute DORA, but newer operating systems seem to want to strip information that doesn't seem to be relevant to the integrity of packet exchange.

Your distribution-level routers should know that their subnets exist on the same DNS. If the only nodes whose DNS information you can't view are on those subnets, then the distribution-level routers are stripping it.

If DNS information isn't even available from your distribution-level routers, Windows is likely stripping the information.

I can recommend running Wireshark on your Windows Server 2016 machine while executing "nslookup" or "dig" on your subnet nodes to view the generated traffic while looking for changes in packets.

  • I'm almost sure you've pegged it. The router in this case is a Cisco ASA. It hadn't occurred to me that the DHCP relay agent might be stripping the hostname from the request. I dug around and found that by default, it appears that the ASA does just that. You have to enable a trust relationship with the originating network. I'll test it in the morning and document the result. – Brad Silva May 11 '17 at 02:19
  • That was it. The Cisco ASA strips identifiable information by default. You need to add "dhcprelay information trusted" to each source interface. Reference: "http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/basic-dhcp-ddns.pdf" – Brad Silva May 11 '17 at 17:21