Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1389
Views
10
Helpful
3
Replies

Can an ASA Reference Multiple DNS Servers to Resolve FQDNs?

Go to solution
mwallette
Level 1
Level 1

‎05-24-2018 03:19 PM - edited ‎02-21-2020 07:48 AM

Suppose you have an ASA with multiple connections to the Internet, and that some of your hosts on your inside networks will typically use one Internet connection, while other hosts will typically use the second connection.  In such a scenario, is there a way to configure the ASA to always query both ISP1 and ISP2's DNS servers to resolve FQDN's in the ACL's on the ASA?  It seems to me like the ASA will only try to use a single DNS server to resolve FQDN's; if the query succeeds, it doesn't query any additional name servers.  However, if a host on one of my internal networks receives a different IP address for a DNS query than the ASA received, then the ACL won't match the outgoing packet, and the ASA will reject the traffic.

 

For example, suppose I have the following (partial) config on my ASA:

object network INSIDE1-SUBNET

 subnet 10.0.1.0 255.255.255.0

object network FOOBAR

 fqdn foo.bar.com

...

access-list INSIDE1-IN extended permit tcp object INSIDE1-SUBNET object FOOBAR eq 80

access-list INSIDE1-IN extended deny ip any any

 

If a host on my INSIDE1-SUBNET queries ISP1's DNS server for host foo.bar.com and gets 172.16.10.80 for the IP address, but the ASA is using ISP2's DNS server and gets 172.17.10.80 for the IP address (which can happen with DNS round robin, cached services, etc.), then my ACL will deny the traffic, since 172.16.10.80 != 172.17.10.80.

 

There are a number of reasons why I can't simply have all of the hosts use the same DNS servers as the ASA, which I have omitted for the sake of brevity.  Assuming that I cannot break this constraint (it's a management decision well above my pay grade), how can I resolve this problem?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎05-25-2018 12:38 AM

As far as I know the asa will query one dns server and if no answer move to the next one, so there is no simple solution to make fqdn work for dns servers responding with one IP at a time.

Solutions to this issue would be:

- have a single dns server answer the asa and clients

- use url filtering

 

HTH

Bogdan

View solution in original post

3 Replies 3

Go to solution
Bogdan Nita
VIP Alumni
VIP Alumni

‎05-25-2018 12:38 AM

As far as I know the asa will query one dns server and if no answer move to the next one, so there is no simple solution to make fqdn work for dns servers responding with one IP at a time.

Solutions to this issue would be:

- have a single dns server answer the asa and clients

- use url filtering

 

HTH

Bogdan

Go to solution
mwallette
Level 1
Level 1
In response to Bogdan Nita

‎05-25-2018 09:31 AM

That's pretty much what I expected, thanks.
0 Helpful

Go to solution
Florin Barhala
Level 6
Level 6

‎05-25-2018 02:56 AM

I can only think of you spinning up an external DNS server that will reference all other DNS servers you need. Linux is much more flexible to whatever crazy scenario than ASA.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card