11-03-2020 08:24 AM
Hi there,
I am using a Cisco ASA 5520 and I am facing an issue: when I give an IP address on the client machine and DNS of 8.8.8.8 in the DNS part, then users are able to access the internet, but when I remove that DNS 8.8.8.8, then users are not able to use the internet.
I have a Domain Controller whose IP is also configured in the client machine to connect them with the domain, but when I add 8.8.8.8 with the Domain Controller DNS, then users are not able to use the Domain Controller shared resources properly.
The details for the Cisco ASA network are given below for better understanding.
CISCO ASA Inside = 192.168.2.40
Cisco ASA Outside = 172.0.0.16 (for example)
Domain Controller = 192.168.2.2
I want to set it up so that if I give the DNS of 192.168.2.2 then the internet should work on clients without giving 8.8.8.8.
I have already added a DNS in the Cisco ASA through the commands given below:
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.2
domain-name DARSPN.LOCAL
With these settings I believe the internet should work on the client machine after mentioning the IP settings given below.
IP = 192.168.2.10
Subnet = 255.255.255.0
Gateway = 192.168.2.40
DNS = 192.168.2.2
But on the client machine the internet is not working; whenever I give the DNS 8.8.8.8 then the internet starts working on the client machines. I want to make it work without giving the 8.8.8.8 DNS.
A NAT rule is also configured, but still clients are not able to connect to the internet.
11-04-2020 02:20 AM
Have you tested to see if the clients now can resolve URLs and browse to websites using the 192.168.2.2 DNS server only? You should be able to now. The DNS server needs a global open resolver to look up URLs that are not locally defined in its DNS records, so you need to have Google DNS or some other DNS configured (for example Umbrella 208.67.222.222, 208.67.220.220). I would recommend using Umbrella.
But all in all, you should be good to go now once you have set the clients to receive DHCP-assigned IP, DNS, and default gateway.
11-04-2020 03:37 AM
Thank you for rating and selecting the answer!
The DNS configuration on the ASA is only locally significant to the ASA. That is, the ASA only uses this for domain lookups that it needs to do itself. So if you need to ping google.com from the ASA, for example, then you would need to have this configuration. It will not have any effect on client traffic.
11-03-2020 09:11 AM
Can the clients connect to the Domain Name Server directly, i.e. they connect to the SW and the SW connects to the ASA?
11-03-2020 09:53 AM
@MHM Cisco World I did not get your point, can you explain it to me? What is SW?
Currently my client IP settings, on which the internet is working, are given below for your kind consideration.
IP = 192.168.2.10
Subnet = 255.255.255.0
Gateway = 192.168.2.40
DNS1 = 192.168.2.2
DNS2 = 8.8.8.8
With the IP settings given above the client can access the internet, but when I remove DNS2, which is 8.8.8.8, then the client is not able to use the internet. I don't know how to make it work to give internet connectivity to the client with only one DNS, which is 192.168.2.2, or using the same gateway IP in DNS2 as well.
11-03-2020 09:58 AM
Are you running the DNS service on the domain controller? If you are not running the DNS service you will not be able to connect to the internet using URLs when you configure the domain controller as the DNS server for clients.
I just want to add, it is not good practice to have the DNS server on the domain controller. DNS should be on a separate server.
11-03-2020 10:01 AM
@Marius Gunnerud I have DNS installed on the domain controller; I have a resources problem, that's why I am using DNS, DHCP and AD on the same server.
Isn't there any way I can do these settings?
Or another approach is: can I configure it so that I can use the Cisco ASA IP, which is 192.168.2.40, in the DNS part to make the internet work on the client side?
11-03-2020 10:05 AM
Is the server able to resolve domains? For example, if you open the command prompt and enter nslookup google.com, do you get a reply that shows the IP of google.com?
11-03-2020 10:08 AM
@Marius Gunnerud No, I am not able to get a proper response when I do nslookup for google.com or any other website, because right now I am not using the internet on the domain controller. But even when I allow internet access on the domain controller, at that time I am still not able to look up google.com, only the clients which are inside the domain darson.local.
11-03-2020 10:36 AM
The issue is that the DNS server doesn't know where to find information when performing lookups. What do your access rules on the ASA look like for access from the DNS server to the internet? My guess is that DNS request traffic is being blocked from the DNS server towards the internet.
Check the rules on the firewall and make sure that at least UDP/53 is allowed from the DNS server towards the internet, then add 8.8.8.8 as a DNS on the server, and test again.
11-03-2020 11:09 PM
@Marius Gunnerud I have added a UDP port 523 rule in the firewall on the Windows domain controller, and added DNS 8.8.8.8 in the IP settings. I can access the internet, but I am not able to look up google.com, hotmail.com, anything, but the internet is working on the client. I am trying to add a DNS forwarder in DNS; it resolves 8.8.8.8 to dns.google.com, but when I apply the settings it gives me an error after I click on the OK button and then Apply. After applying, when I come to the DNS forwarder again, the 8.8.8.8 entry doesn't show there. I am attaching a screenshot, please check and acknowledge.
11-03-2020 11:49 PM
When I asked about whether port UDP/53 was opened in the firewall, I did not mean the Windows firewall, but instead the ASA firewall.
However, it sounds like your server is not performing recursive lookups. Try the following troubleshooting steps that I found on the Microsoft support site.
For recursion to work successfully, all DNS servers that are used in the path of a recursive query must be able to respond and forward correct data. If they can't, a recursive query can fail for any of the following reasons:
The query times out before it can be completed.
A server that's used during the query fails to respond.
A server that's used during the query provides incorrect data.
Start troubleshooting at the server that was used in your original query. Check whether this server forwards queries to another server by examining the Forwarders tab in the server properties in the DNS console. If the Enable forwarders check box is selected, and one or more servers are listed, this server forwards queries.
If this server does forward queries to another server, check for problems that affect the server to which this server forwards queries. To check for problems, see Check DNS Server problems. When that section instructs you to perform a task on the client, perform it on the server instead.
If the server is healthy and can forward queries, repeat this step, and examine the server to which this server forwards queries.
If this server does not forward queries to another server, test whether this server can query a root server. To do this, run the following commands:
nslookup
server <IP address of server being examined>
set q=NS
If the resolver returns the IP address of a root server, you probably have a broken delegation between the root server and the name or IP address that you're trying to resolve. Follow the Test a broken delegation procedure to determine where you have a broken delegation.
If the resolver returns a "Request to server timed out" response, check whether the root hints point to functioning root servers. To do this, use the To view the current root hints procedure. If the root hints do point to functioning root servers, you might have a network problem, or the server might use an advanced firewall configuration that prevents the resolver from querying the server, as described in the Check DNS server problems section. It's also possible that the recursive time-out default is too short.
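As an added diagnostic to go with the two posts above (this is not code from the thread or from Cisco or Microsoft), the script below sends a recursive A query to the domain controller's DNS server over UDP/53 and reads the response header bits that separate the failure modes discussed here: a timeout (UDP/53 blocked or server unreachable), RA=0 (recursion disabled), SERVFAIL (recursion attempted but no reachable forwarder or root servers), and a real answer. The server address 192.168.2.2 is taken from the thread; the two sample responses are constructed inline so the decoding can be exercised offline.

```python
import socket
import struct
from typing import Optional

DNS_SERVER = "192.168.2.2"  # the domain controller's DNS service, per the thread


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Decode the header fields that matter for recursion troubleshooting."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "rd": bool(flags & 0x0100),  # client asked for recursion
        "ra": bool(flags & 0x0080),  # server is willing to recurse
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": an,
    }


def diagnose(resp: Optional[dict]) -> str:
    """Map the response to the likely cause, in the order the thread worked through them."""
    if resp is None:
        return "timeout: server unreachable or UDP/53 blocked (check ASA access rules)"
    if not resp["ra"]:
        return "no-recursion: server does not offer recursion to this client"
    if resp["rcode"] == 2:
        return "SERVFAIL: recursion failed upstream (forwarders/root hints, UDP/53 egress from the DNS server)"
    if resp["rcode"] == 3:
        return "NXDOMAIN: name does not exist, but recursion itself works"
    if resp["rcode"] == 0 and resp["answers"] > 0:
        return "OK: recursive resolution works"
    return f"rcode {resp['rcode']}: unexpected response"


def query(name: str, server: str = DNS_SERVER, timeout: float = 3.0) -> Optional[dict]:
    """Send one UDP/53 query and return the parsed header, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed sample headers (not captured from the thread): QR|RD|RA set, then rcode.
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # rcode 2
OK_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)        # rcode 0, 1 answer
```

Run `diagnose(query("www.google.com"))` from a client on the inside network; before the forwarder was fixed the thread's server would have produced the SERVFAIL case.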
11-04-2020 01:00 AM
@Marius Gunnerud I have done some steps. I have removed my domain controller IP, which is 192.168.2.2, from the forwarders, added only 8.8.8.8 as a forwarder, and also deleted all the root hints, then applied and saved the settings. Now I am able to do nslookup on everything (my internal clients, www.google.com, www.hotmail.com); a screenshot is attached for your kind consideration. Please check and acknowledge, and tell me what further I should do to give users internet access without mentioning 8.8.8.8 as the secondary DNS IP. I want the internet to work on clients with the primary DNS, which is 192.168.2.2, and the gateway, which is 192.168.2.40 (Cisco ASA). I appreciate your concern.
11-04-2020 03:30 AM
@Marius Gunnerud Really appreciate your concern, the issue is resolved now, users are not able to use the internet with the DNS 192.168.2.2.
I am sure this worked because I have enabled the DNS services in the Cisco ASA:
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.2
domain-name DARSPN.LOCAL
And because of these settings the internet is working when we give 192.168.2.2 as the primary DNS server. I just want to confirm whether I am right or wrong.
Anyway, thanks for your concern and support, really appreciated. You made my life easy.