Configuring dynamic DNS updates for Server Pools

The NGFW Engine can automatically update dynamic DNS (DDNS) entries for the Server Pool according to the available NetLinks.

The NGFW Engine removes from the DNS entry the Server Pool IP addresses of NetLinks that are not available, and adds them back when the NetLink becomes available again. When a connecting client requests the Server Pool’s IP address from the DNS server, the client receives a list that contains only the IP addresses that currently work.

NGFW Engines support the Dynamic DNS protocol and can send DDNS updates to a specified DNS server. If a network connection specified by a NetLink element fails, the dynamic DNS updates notify the DNS, which then removes the corresponding IP address from its records.

To configure DDNS updates, you must have already defined the necessary NetLinks and the Server Pool element. To use DDNS updates, you must set up a DDNS-capable DNS server in your network. The DNS server must be configured as the primary DNS server for the domain. Only IPv4 addresses are supported for DNS servers for DDNS updates.

CAUTION:
Although NGFW Engines support dynamic DNS updates, the protocol itself has no access control and therefore poses a security risk. If you must use dynamic DNS updates, do so only after careful research, planning, and testing.
There are actions you can take to improve the security of dynamic DNS updates:
  • Always place the DNS servers behind the NGFW Engine for protection from IP address spoofing.
  • Use BIND or an equivalent DNS server that allows you to define which hosts are allowed to send dynamic updates.
  • Consider using static DNS entries instead, as DDNS is not necessarily needed with inbound load balancing. In that case, the DNS entries are not removed automatically from the DNS server if an ISP fails, but you can sometimes solve these problems by other means. For example, some web browsers can automatically try other IP addresses if one address does not respond.
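As an added illustration of the second point above (example configuration written for this page, not part of the NGFW product or its documentation), the BIND named.conf stanzas below show an unrestricted allow-update beside one limited to the NGFW Engine's address; all addresses and zone names are constructed placeholders from the RFC 5737 ranges, and only one of the two zone stanzas would exist in a real configuration.

```conf
// Added example, not from the product documentation: BIND named.conf
// stanzas for the domain that holds the Server Pool's DNS entry.
// Addresses and names are constructed placeholders.

// WEAK: any host that can reach the DNS server may rewrite the zone,
// because the DDNS update protocol carries no access control of its own.
zone "pool.example.net" IN {
    type master;                       // primary server for the domain
    file "db.pool.example.net";
    allow-update { any; };             // no restriction on who may update
};

// CORRECTED: only the NGFW Engine's address may send updates. The DNS
// server sits behind the engine, so that source address cannot be
// spoofed from outside. Zone transfers are limited to the secondary.
acl "ngfw-ddns-updaters" {
    192.0.2.10;      // NGFW Engine interface facing the DNS server (constructed)
};

zone "pool.example.net" IN {
    type master;
    file "db.pool.example.net";
    allow-update { ngfw-ddns-updaters; };
    allow-transfer { 198.51.100.53; };  // secondary DNS server (constructed)
};
```

Run `named-checkconf` on the edited file before reloading BIND; it reports syntax errors such as a duplicate zone stanza or an undefined ACL name.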

The configuration consists of the following general steps:

  1. Familiarize yourself with the security risks of implementing DDNS updates before proceeding with the configuration.
  2. To enable monitoring of the status of your NetLinks, add probe IP addresses in the NetLinks’ properties.
  3. Define an External DNS Server element.
  4. Edit the Server Pool element to include information about how the DNS server is updated.
  5. Edit the Firewall policy to allow DDNS updates.