https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371635#M271263 <HTML><HEAD></HEAD><BODY><P>David,</P><P></P><P>Thank you responding. Can this syntax be used for ASA version pre 8.3? </P><P></P><P>Also, the OpenDNS servers are external DNS servers. I need to route request for 1 external DNS server (Google) to another external DNS server (OpenDNS). </P><P></P><P>Thanks, </P><P></P><P>Isom</P></BODY></HTML> Tue, 25 Feb 2014 02:25:26 GMT isomdr 2014-02-25T02:25:26Z https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371633#M271257 <P>Right now we use OpenDNS for our webfiltering and have our ASA set to only allow DNS requests out to the OpenDNS servers we have configured. If any device tries to use a different DNS, like Google's, the ASA will just drop the traffic. </P><P></P><P>I know how to do this with iptables. Example;</P><P></P><PRE style="box-sizing: border-box; word-wrap: break-word; white-space: pre-wrap; color: #666666; background-color: #ffffff; line-height: 0.48cm;"><DIV style="box-sizing: border-box; line-height: 18px; word-wrap: break-word;">iptables -I PREROUTING -t nat -p udp -d 8.8.4.4 --dport 53 -j DNAT --to-destination [<STRONG style="box-sizing: border-box; line-height: 0.48cm;">OpenDNS server]</STRONG></DIV><DIV style="box-sizing: border-box; line-height: 18px; word-wrap: break-word;">iptables -I PREROUTING -t nat -p udp -d 8.8.8.8 --dport 53 -j DNAT --to-destination [OpenDNS<STRONG style="box-sizing: border-box; line-height: 0.48cm;"> server]</STRONG></DIV></PRE><P></P><P></P><P>Right now our network is setup with 2 internal DNS, one primary and one backup, that direct all external requests to the OpenDNS servers.</P><P></P><P>In our ASA "dns guard' is enabled and have the below set as well.</P><P></P><P>access-list acl_in extended permit tcp host 172.17.0.20 host [OpenDNS server]<SPAN style="font-size: 10pt;"> eq domain</SPAN></P><P>access-list acl_in extended permit udp host 172.17.0.20 host [OpenDNS server]<SPAN style="line-height: 18.141733169555664px; color: #666666; background-color: #ffffff; white-space: pre-wrap; font-family: monospace; "><STRONG> </STRONG></SPAN><SPAN style="font-size: 10pt;">eq domain</SPAN></P><P>access-list acl_in extended permit tcp host 172.17.0.20 host [OpenDNS server] eq domain</P><P>access-list acl_in extended permit udp host 172.17.0.20 host [OpenDNS server] eq domain</P><P>access-list acl_in extended permit tcp host 172.17.0.21 host [OpenDNS server] eq domain</P><P>access-list acl_in extended permit udp host 172.17.0.21 host [OpenDNS server] eq domain</P><P>access-list acl_in extended permit tcp host 172.17.0.21 host [OpenDNS server] eq domain</P><P>access-list acl_in extended permit udp host 172.17.0.21 host [OpenDNS server] eq domain</P><P></P><P>I need to be able to foreward requests for Google's DNS (8.8.8.8, 8.8.4.4) to OpenDNS. Is this possible?</P> Tue, 12 Mar 2019 03:32:17 GMT https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371633#M271257 isomdr 2019-03-12T03:32:17Z https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371634#M271260 <HTML><HEAD></HEAD><BODY><P>Hi Isom,</P><P></P><P>This is possible to accomplish on the ASA using static Destination NAT.&nbsp; What you will do is NAT any traffic destined to Google's DNS to an Open DNS server.&nbsp; An example is as follows:</P><P></P><P></P><P>object network googleDNS</P><P> host 8.8.8.8</P><P>object network OpenDNS</P><P> host 10.1.1.2</P><P>!</P><P>nat (Inside,Outside) source static any any destination static googleDNS OpenDNS</P><P></P><P>I hope it helps,</P><P><BR />David.</P></BODY></HTML> Thu, 23 Jan 2014 15:42:53 GMT https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371634#M271260 David White 2014-01-23T15:42:53Z https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371635#M271263 <HTML><HEAD></HEAD><BODY><P>David,</P><P></P><P>Thank you responding. Can this syntax be used for ASA version pre 8.3? </P><P></P><P>Also, the OpenDNS servers are external DNS servers. I need to route request for 1 external DNS server (Google) to another external DNS server (OpenDNS). </P><P></P><P>Thanks, </P><P></P><P>Isom</P></BODY></HTML> Tue, 25 Feb 2014 02:25:26 GMT https://community.cisco.com/t5/network-security/forward-dns-request-to-external-dns/m-p/2371635#M271263 isomdr 2014-02-25T02:25:26Z