Change DNS 8.8.8.8 to a private DNS in Cisco ASA

johnlloyd_13 (Level 9)

hi,

I'm looking for a way to set up a Cisco ASA to capture DNS queries to 8.8.8.8 and change/rewrite them to another DNS server hosted on the "inside" using a private IP. We've got several remote sites breaking out on the ASA, and by doing this we don't need to manually change each downstream user/client's DNS settings.

Is there a feature or command to do this?


balaji.bandi (Hall of Fame)

Check the thread below, it may help you; test it and let us know (you need to tweak it and do it the other way around):

https://community.cisco.com/t5/network-security/asa-dns-redirect-forward/td-p/2225085


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

Thanks for the link! What do you mean by "tweak it the other way around"?

Can you give a complete config example that I could try?

marce1000 (VIP)


 - During a transition phase I would still advise having clients get the correct and/or new DNS servers through DHCP; this may be faster (for the clients) and/or give you more control over potential security issues.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

You can do this using NAT or more accurately, twice NAT.  Using this you will be able to translate the destination address.

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Yes, I read about twice NAT before but haven't done it in a real-world scenario (maybe this one is it!).

Can you give a config example for me to test it out?

Your NAT should look like this:

object service obj_dns
 service udp destination eq 53

nat (inside,outside) source static REAL_IP MAPPED_IP destination static MAPPED_IP REAL_IP service obj_dns obj_dns


johnlloyd_13 (Level 9)

hi,

I just got new info that the "redirected" DNS server is over the internet, therefore using a public IP, i.e. 123.1.2.3.

Should I write the twice NAT this way?

nat (outside,inside) source static 8.8.8.8 123.1.2.3 service udp domain domain


johnlloyd_13 (Level 9)

hi,

I found this link/blog, and it's similar to what I'm trying to achieve.

https://traceroute.home.blog/2022/04/03/configuring-twice-nat/

I just need someone to confirm whether the config below is correct.

Basically, I'm using the "outside" interface to PAT the "inside" subnet, then changing/redirecting clients' Google DNS 8.8.8.8 to the "other" public DNS server 123.1.2.3.

! inside subnet (a network object needs "subnet", not "host", for a /24)
object network INSIDE_SUBNET
 subnet 192.168.1.0 255.255.255.0

! real destination the clients are configured with
object network GOOGLE_DNS
 host 8.8.8.8

! mapped destination the ASA rewrites the queries to
object network PUBLIC_DNS
 host 123.1.2.3

! twice NAT: PAT the inside subnet to the outside interface IP and translate 8.8.8.8 -> 123.1.2.3
nat (inside,outside) source static INSIDE_SUBNET interface destination static GOOGLE_DNS PUBLIC_DNS

That should work. You need to test it; if there is any issue, post the error here so we can help further.

BB


That is pretty much what I suggested above.  But I would still suggest specifying the destination port of udp/53 instead of NATing all ports as you are only trying to redirect DNS to the server, correct?  Google DNS is quite a popular IP to test / troubleshoot with ping and traceroute.

Also, keep in mind that 8.8.4.4 is also a google DNS IP so you might want to add a NAT statement for this one also.

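To make the difference between the two rules in this thread concrete (destination NAT on all ports versus only udp/53, plus a second rule for 8.8.4.4), here is a small added model of how the ASA twice NAT rule rewrites a flow. It is illustration code written for this thread, not Cisco software; the outside address 203.0.113.1 and the sample flows are constructed, and source-port PAT is not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                       # "udp", "tcp" or "icmp"
    dport: Optional[int] = None      # None for ICMP


@dataclass(frozen=True)
class TwiceNatRule:
    # nat (inside,outside) source static <real_src> interface
    #     destination static <real_dst> <mapped_dst> [service <svc> <svc>]
    real_src: str                    # INSIDE_SUBNET, e.g. 192.168.1.0/24
    outside_ip: str                  # "interface": source PATed to the outside IP
    real_dst: str                    # GOOGLE_DNS
    mapped_dst: str                  # PUBLIC_DNS
    service: Optional[Tuple[str, int]] = None   # ("udp", 53); None = any port

    def matches(self, f: Flow) -> bool:
        if ip_address(f.src) not in ip_network(self.real_src) or f.dst != self.real_dst:
            return False
        return self.service is None or (f.proto, f.dport) == self.service


def translate(rules: List[TwiceNatRule], f: Flow) -> Flow:
    """Manual (twice) NAT rules are checked top-down; the first match wins.
    A flow matching none of them is returned unchanged here (on a real ASA it
    would fall through to whatever other NAT rules exist)."""
    for r in rules:
        if r.matches(f):
            return replace(f, src=r.outside_ip, dst=r.mapped_dst)
    return f


OUTSIDE_IP = "203.0.113.1"                     # constructed outside interface IP
# Rule as posted in the thread: every protocol/port to 8.8.8.8 is redirected.
ALL_PORTS = [TwiceNatRule("192.168.1.0/24", OUTSIDE_IP, "8.8.8.8", "123.1.2.3")]
# Variant with the udp/53 service restriction and a second rule for 8.8.4.4.
DNS_ONLY = [
    TwiceNatRule("192.168.1.0/24", OUTSIDE_IP, "8.8.8.8", "123.1.2.3", ("udp", 53)),
    TwiceNatRule("192.168.1.0/24", OUTSIDE_IP, "8.8.4.4", "123.1.2.3", ("udp", 53)),
]

DNS_QUERY = Flow("192.168.1.10", "8.8.8.8", "udp", 53)   # constructed client query
PING = Flow("192.168.1.10", "8.8.8.8", "icmp")            # troubleshooting ping
DNS_QUERY_2 = Flow("192.168.1.10", "8.8.4.4", "udp", 53)

if __name__ == "__main__":
    for name, rules in (("all ports", ALL_PORTS), ("udp/53 only", DNS_ONLY)):
        for f in (DNS_QUERY, PING, DNS_QUERY_2):
            print(f"{name}: {f.proto} to {f.dst} -> {translate(rules, f).dst}")
```

With the all-ports rule the ping to 8.8.8.8 is silently answered by 123.1.2.3, which is exactly the troubleshooting confusion the udp/53 restriction avoids.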