Can the ASA split DNS its own DNS queries

dennylester
Level 1

We have an ASA at a branch site connected to an Internet broadband connection. This ASA can successfully query the ISP's DNS servers when doing things like ping hostname or traceroute hostname.

This ASA establishes an IPsec tunnel (L2L) back to the home office. Once this tunnel is up, we'd like the ASA to use the DNS servers at the home office to resolve any URL that contains our internal domain name, but continue to use the ISP's DNS server for resolving all other domain names.

I just want to clarify, I'm not talking about Windows clients behind, or VPNing into, the ASA, I'm talking about the ASA itself being a DNS client. I've come across numerous articles talking about tunnel-group configurations, but they always seem to apply to VPN clients connecting to the ASA and receiving split DNS configuration, nothing about the ASA being the client.

Is it possible to configure an ASA to do this?

Our end goal is to stop hardcoding IPs for remote endpoints into a bunch of our ASA configurations and rely on DNS.

Denny

2 Replies

Rahul Govindan
VIP Alumni

I do not think this is possible. DNS is sent based on the DNS-server-group config on the ASA. You can make different DNS groups active at different times but not based on domain (split-DNS).

But to clarify, even if you need to do the above, the ASA needs to act as a DNS proxy in order to relay requests to the remote DNS server on behalf of users sitting behind it. This functionality does not exist on the ASA at this point.

dennylester

Hi Rahul,

Thank you for confirming what I suspected.
We came up with a solution. Since ASA tries each DNS server in order, we specified our internal DNS servers first and the public DNS servers second. When the IPsec tunnel is down, the internal DNS queries will fail and the public DNS servers will be used. When the IPsec tunnel is up, our internal DNS servers will be utilized.
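The ordering workaround described in the reply above, written out as an added ASA configuration example (it is not from the thread or from Cisco documentation); the server addresses, domain name and the `outside` interface name are constructed placeholders.

```text
! Added example, not from the thread: DNS server ordering on the branch ASA.
! Addresses, domain name and the interface name are constructed placeholders.
!
! Let the ASA itself send DNS queries out of the ISP-facing interface.
dns domain-lookup outside
!
! Servers are tried in the order listed: home-office resolvers first
! (reachable only while the L2L tunnel is up), ISP resolvers as the fallback.
dns server-group DefaultDNS
 name-server 10.10.10.53
 name-server 10.10.10.54
 name-server 203.0.113.53
 name-server 203.0.113.54
 domain-name corp.example.com
 timeout 2
 retries 2
```

While the tunnel is down, every lookup first waits through the internal servers' timeout and retries before the ISP resolver is asked, so keep those values low; a lookup for an internal name that falls through is then answered by the ISP resolver, which sees the internal hostname and will normally return NXDOMAIN rather than an internal address.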
