DNS forwarding with an ASA

jeff.carr
Level 1

I need to be able to use the 'inside' IP address of an ASA 5510 (v8.2) as the recognized DNS server configured in TCP/IP settings on internal workstations.

I understand that the ASA cannot act as a DNS server, but can the "ip dns server" and "ip name-server x.x.x.x" commands be used to forward DNS requests to a known DNS server? If not, is there a known method to have the ASA forward a DNS request to a known DNS server?


Thanks.


6 Replies

Jon Marshall
Hall of Fame

jeff.carr wrote:

I need to be able to use the 'inside' IP address of an ASA 5510 (v8.2) as the recognized DNS server configured in TCP/IP settings on internal workstations.

I understand that the ASA cannot act as a DNS server, but can the "ip dns server" and "ip name-server x.x.x.x" commands be used to forward DNS requests to a known DNS server? If not, is there a known method to have the ASA forward a DNS request to a known DNS server?


Thanks.

Jeff

You could try this -

static (outside,inside) udp interface 53 53

Let me know if it works.

Jon

Thanks for the response, Jon.

Port forwarding seems like an available option. The only concern I have is that the known DNS server is on the internal network, so the command would have to look more like this.

static (inside,inside) udp interface 53 53 netmask 255.255.255.255

Any reason this should be a problem?

Jeff,

So is your DNS server on the inside along with your DNS clients and you want to hairpin on the ASA's inside?

If that is the case you need the "static (inside,inside)" and the command "same-security-traffic permit intra-interface".

There would be a problem only if you have another static that conflicts with the static above.

I hope it helps.

PK

jeff.carr wrote:

Thanks for the response, Jon.

Port forwarding seems like an available option. The only concern I have is that the known DNS server is on the internal network, so the command would have to look more like this.

static (inside,inside) udp interface 53 53 netmask 255.255.255.255

Any reason this should be a problem?

Jeff

I'm confused now. If the DNS server is on the inside, then why do the clients have to bounce off the ASA? Are they in a different subnet, and are both subnets routed off the ASA?

If so then PK has provided the answer.

Jon

PK and Jon, thanks for the attention. I believe the static (inside,inside) rule will be the best solution for this issue.

We are replacing an existing firewall that is also capable of acting as a DNS server. Internal users are all configured with statically assigned TCP/IP settings which identify the default gateway and the DNS server by the same IP address. We are trying to avoid having to change DNS server settings on all internal devices to accommodate the change in firewalls. DNS settings on the internal devices will likely be changed, just not wanting to have to address it during the firewall maintenance window. So I guess this is more of a workaround, not a final solution.

Thanks again.

Keep in mind that you will have asymmetric routing, but since it is stateless DNS it won't matter.

In other words, the host will be sending to the ASA, and the ASA will be forwarding to the DNS server. But if the server and the host are in the same subnet, the DNS server will be sending back to the client without going through the ASA. For UDP this will not cause issues. If it was TCP you would have a stateful inspection issue because the ASA would be seeing only half the flow.

If the thread is solved, please mark it as such so others can benefit from it in the future.

PK
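The pieces discussed in this thread assembled into one ASA 8.2 configuration, as an added example that is not from any of the posters. The addresses are placeholders I chose (ASA inside interface 192.168.1.1/24, internal DNS server 192.168.1.10); note that the "static" form with port redirection requires the real server address, which the commands quoted above leave out.

```cisco
! Added example (not from the thread): hairpin UDP/53 on the ASA inside interface
! to an internal DNS server, so clients can keep the ASA's inside IP as their
! configured DNS server. Placeholder addressing:
!   ASA inside interface = 192.168.1.1/24
!   internal DNS server  = 192.168.1.10

! Traffic must be allowed to enter and leave the same (inside) interface
same-security-traffic permit intra-interface

! Port redirection: UDP/53 sent to the inside interface IP is translated to
! UDP/53 on the real DNS server. The real server IP (192.168.1.10) is required.
static (inside,inside) udp interface 53 192.168.1.10 53 netmask 255.255.255.255

! Optional (assumption, not discussed in the thread): also translate the client
! source address to the inside interface so the server's reply returns via the
! ASA instead of going straight to the client. This removes the asymmetric path
! noted above and keeps the reply's source IP equal to what the client queried.
! Assumes NAT id 1 is not already used on the inside interface.
nat (inside) 1 192.168.1.0 255.255.255.0
global (inside) 1 interface

! Verification after a client resolves a name against 192.168.1.1:
!   show xlate | include 53   -> expect the 192.168.1.1:53 -> 192.168.1.10:53 translation
!   show conn  | include 53   -> expect the UDP connection for the redirected query
```

If the configuration already has a conflicting "static" for the inside interface address, that static takes precedence and the redirection will not be built, which is the conflict PK warns about.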
