ASA 5525x DNS Lookup on Outside Interface

rrobinson2191
Level 1

Good Morning,

We recently changed our internal DNS servers and were looking to change them on the firewall. When we did, the firewall was no longer able to resolve addresses. We failed back but noticed in ASDM that the outside interface was set to "true" and inside was set to "false". (See picture attached.) We changed the inside to true and it started working. However, we aren't sure if the outside interface should be set to true or false as best practice for security.

Any thoughts?

Thanks in advance

Accepted Solution

Richard Burts
Hall of Fame

The answer to your question depends on whether you want the ASA to be able to send DNS requests out the outside interface. While it might seem logical to assume that the safest practice is to not enable DNS requests on the outside interface, you should be aware that some functions on the ASA require DNS:

Some ASA features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database; and Cisco Smart Software Licensing needs DNS to resolve the License Authority address. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names.

See this link for more details:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/d3.html

 

HTH

Rick
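The true/false column shown in ASDM corresponds to the `dns domain-lookup <interface>` command in the ASA CLI, which controls which interfaces the ASA itself may source DNS queries from. As an added illustration that is not part of this thread, the fragment below shows the setting as described in the question next to a corrected version that enables lookups only on the interface through which the configured name servers are reachable; the interface names, the 10.0.0.53/10.0.0.54 addresses and the domain name are assumed values:

```text
! --- As described in the question: lookups permitted only out the outside interface.
! Internal name servers sit behind "inside", so the ASA's own queries cannot reach them.
dns domain-lookup outside
no dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.53
 name-server 10.0.0.54

! --- Corrected: allow lookups on the interface that reaches the configured servers and
! keep the outside interface disabled unless a feature needs public resolution
! (Botnet Traffic Filter, Smart Licensing, hostnames in ping/traceroute or certificate/VPN commands).
dns domain-lookup inside
no dns domain-lookup outside
dns server-group DefaultDNS
 name-server 10.0.0.53
 name-server 10.0.0.54
 domain-name example.local      ! assumed internal domain

! --- Verify after the change (exec mode):
! show running-config dns        ! confirms which interfaces have domain-lookup enabled
! show dns-hosts                 ! lists names the ASA has resolved and cached
! ping host.example.local        ! a hostname ping exercises the lookup path end to end
```

If the only name servers in the group are reachable via the outside interface (for example public resolvers used for Smart Licensing), then `dns domain-lookup outside` is the setting that has to be enabled instead, which is the trade-off the accepted answer describes.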


2 Replies


Thanks for the reply. I think our settings got crossed and we need to have it set to true based on your answer.
