11-12-2019 09:05 AM
Good Morning,
We recently changed our internal DNS servers and were looking to change them on the firewall. When we did, the firewall was no longer able to resolve addresses. We failed back but noticed that in ASDM the outside interface was set to "true" and inside was set to "false" (see picture attached). We changed the inside to true and it started working. However, we aren't sure if the outside interface should be set to true or false as best practice for security.
Any thoughts?
Thanks in advance
Solved! Go to Solution.
11-12-2019 10:46 AM
The answer to your question depends on whether you want the ASA to be able to send DNS requests out the outside interface. While it might seem logical to assume that the safest practice is to not enable DNS requests on the outside interface, you should be aware that some functions on the ASA require DNS:
Some ASA features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database; and Cisco Smart Software Licensing needs DNS to resolve the License Authority address. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names.
See this link for more details:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/d3.html
HTH
Rick
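As an added illustration (not part of Rick's reply or Cisco documentation), the setting toggled in ASDM corresponds to the per-interface `dns domain-lookup` command in the running config. The fragment below shows the working state the original poster ended up in: lookups enabled on inside only, with the ASA's own resolvers in the default server group. The IP addresses and domain name are constructed placeholders; "inside" and "outside" are the interface names from the thread.

```text
! ASA running-config fragment (added example; addresses are placeholders)

! Interfaces the ASA itself may send DNS queries from.
! Enabling only "inside" keeps ASA-originated lookups on the internal
! resolvers; "outside" stays disabled unless the ASA has to reach a
! resolver through that interface (e.g. for one of the features Rick lists).
dns domain-lookup inside
! dns domain-lookup outside      <- leave commented unless needed

! Resolvers the ASA uses (the new internal DNS servers, reachable via inside)
dns server-group DefaultDNS
 name-server 10.0.0.53
 name-server 10.0.0.54
 domain-name example.local

! Verification after the change:
!   show running-config dns     -> confirm domain-lookup interfaces and servers
!   ping www.cisco.com          -> a hostname ping exercises the ASA's resolver
!   show dns-hosts              -> cached entries confirm resolution succeeded
```

If the ASA later needs to resolve names for a feature whose traffic leaves via the outside interface, add `dns domain-lookup outside` deliberately and document why, rather than leaving it enabled by default.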