topic Hi, in Network Security

Redirect DNS

filip00011 — Tue, 12 Mar 2019 08:42:36 GMT

Hello,

This is my goal: Inside users send DNS request onto any public DNS (Google, Comcast etc.) I want to catch it and redirect to my local DNS server. Let's say 192.168.99.12

I have ASA with code 9.6

Hi,

mattjones03 — Tue, 27 Dec 2016 00:03:52 GMT

Hi,

The feature you require is "DNS rewrite" / "DNS Doctoring". Here is a Cisco document with example configuration;

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

I'm sorry, but I think that

filip00011 — Tue, 27 Dec 2016 00:09:15 GMT

I'm sorry, but I think that it is not what I need.

I want to catch all the DNS queries, which are going outside and send them to my local DNS server.

Hi,

mattjones03 — Tue, 27 Dec 2016 00:23:37 GMT

Hi,

Ah, I misunderstood your question.

Would it be possible for you to restrict access to all public DNS server with the exception of your internal DNS server for forward lookup requests, and point all your clients/servers at your local server directly;

1. Manual configuration

2. DHCP scope configuration

I do not recall a feature or configuration that would enable this functionality.

It is possible via NAT, but I

filip00011 — Tue, 27 Dec 2016 00:43:01 GMT

It is possible via NAT, but I can't somehow figure out correct syntax.

Doesn't work:

object network DNS
host 192.168.99.12
object network all
subnert 0.0.0.0 0.0.0.0
object network DNS
nat (outside,inside) static all service udp domain domain

Hi,

mattjones03 — Tue, 27 Dec 2016 10:17:55 GMT

Hi,

I don't see this working, as that would most likely break other DNS NATs you may have in place.

As mentioned, I'm unaware of a native feature on the ASA that would enforce this, however you may want to consider the Cisco ASA CX module depending on the particular ASA you are running.

Hello,

Ajay Saini — Tue, 27 Dec 2016 12:11:05 GMT

Hello,

Not an ideal scenario where we end up configuring destination nat for single ip to a subnet of 0.0.0.0/0 and also since this would be a u-turning scenario.

But we can try if that is needed. Please try this in a downtime.

object network DNS
host 192.168.99.12
object network all
subnert 0.0.0.0 0.0.0.0

hostname(config)# object service dns-real

hostname(config-service-object)# service udp destination eq 53

hostname(config)# object service dns_mapped

hostname(config-service-object)# service udp destination eq 53

nat (inside,inside) 1 source dynamic any interface destination static all DNS service dns-mapped dns-real

same-security-traffic permit intra-interface

HTH