
Frequent Contributor

DNS Doctoring..ish

I am looking to achieve the following -

Internal Client with Internal address but Public DNS server.

The default GW of Internal client is an ASA.

Is there a way for the ASA to "intercept" the DNS lookup of a certain FQDN (e.g. one which is only resolvable via my internal DNS servers) and forward this request to one of these servers?

DNS doctoring seems to look at return IP addresses from public DNS servers and then do some magic based on that. I need to have the ASA recognise an FQDN within an initial DNS request and send that request to an internal server.

Rising star



Your question is not clear. Could you please give an example with IP addresses; that would make it clearer. Like who is the client (source), where is the web server (public IP and real IP) and where is the DNS server, etc.


Frequent Contributor

Scenario I would be using

Scenario I would be using this - (ISE/CWA)

Client connects to Guest SSID

Client receives public DNS servers as part of its DHCP config.

As part of my ISE policy, the client will ultimately receive a CWA URL which is only resolvable by my internal DNS servers.

Client will do a DNS lookup for that URL which will be sent to the client's public DNS servers (this traffic will traverse the ASA as it is the client's GW).

I want the ASA to be able to intercept this DNS request before it goes outside and to direct it to my internal DNS.

I know I can use an IP in the CWA redirect but this is something I prefer not to do. I would like to achieve the above if possible.

Rising star

Well, we can do that but it

Well, we can do that but it would not be conditional. It will redirect all the requests going to the external DNS server to the internal DNS server. We will have to create a static NAT something like:

nat (inside,inside) source dynamic any interface destination static obj- obj- 

where obj- is the internal DNS server IP address

obj- is the external DNS server IP address

We are creating this dummy NAT entry so that when traffic comes to the inside interface (for the DNS server), the source gets translated to the inside interface and the destination gets un-NATed to the DNS server. The reason for PATing the source address is to ensure that the reply packet comes to the ASA and there is no asymmetric routing. Since this is UDP traffic, I believe it should work without the source NAT as well, but try it with the source NAT first if there is no issue.

**Try to add this NAT at line 1. We would want to make sure that this takes preference.

Also, add the below command to allow U-turn traffic:

same-security-traffic permit intra-interface
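As an added example (not configuration posted by anyone in this thread), here is how the NAT described in the reply above would look as a complete ASA 8.3+ twice-NAT configuration. Object names and addresses are constructed (RFC 1918 and RFC 5737 ranges); the `service` clause is an addition that limits the rewrite to UDP/53, so only DNS queries, not all traffic to the external resolver's address, are redirected.

```cisco
! Constructed example: internal resolver the guest queries should reach
object network INTERNAL-DNS
 host 10.10.10.53
! Constructed example: public resolver handed out to guests via DHCP
object network EXTERNAL-DNS
 host 203.0.113.53
! Match only DNS over UDP, so other traffic to 203.0.113.53 is untouched
object service DNS-UDP
 service udp destination eq domain
! Twice NAT at line 1 so it wins over later rules.
! destination static <mapped> <real>: the client sees EXTERNAL-DNS (mapped),
! the packet is delivered to INTERNAL-DNS (real). Source is PATed to the
! inside interface address so replies return through the ASA (no asymmetry).
nat (inside,inside) 1 source dynamic any interface destination static EXTERNAL-DNS INTERNAL-DNS service DNS-UDP DNS-UDP
! Required for traffic entering and leaving the same interface (U-turn)
same-security-traffic permit intra-interface
```

Verify with `show nat detail` that the rule shows translate hits when a guest resolves a name, and with `packet-tracer input inside udp 10.20.30.40 40000 203.0.113.53 53` (constructed guest address) that the flow is NATed to INTERNAL-DNS.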




If you have SourceFire module

If you have the SourceFire module on your ASA firewall you can use an option called Sinkhole and achieve this.


Hi Grant,

Hi Grant,

I solved this issue in this way:

My CWA URL is something like so I asked my ISP to publish this DNS record to a public IP address, obviously from my own public addresses; let's say this address is So guest users obtaining public DNS servers are now resolving with IP but the Guest page is not really published so it is not reachable from outside, and this is something we want to do!

Then I configured DNS doctoring as per this link:

and all is fine!

You can also use public ip addresses not directly connected to your ASA firewall.

Hope this helps,



When you create CWA

When you create a CWA authorization policy there is an option to assign a static IP/hostname/FQDN. You can send the IP of your PSN server or load balancer, so the client will get an IP in the URL in place of the domain name.

Attached is the screenshot.