Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5931
Views
5
Helpful
2
Replies

DNS on ASA 5505

johnlloyd_13
Level 9
Level 9

‎10-25-2013 10:21 AM - edited ‎03-11-2019 07:56 PM

hi all,

i tried to configure another DNS server group (DNS_SERVER) on my 5505 but it doesn't work.

but DNS translation works when i configured it under DefaultDNS.

could someone englighten me why is this so?

ASA5505# ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms

ASA5505# ping www.cisco.com

                          ^

ERROR: % Invalid Hostname

ASA5505# sh run dns

dns domain-lookup inside

dns domain-lookup outside

DNS server-group DNS_SERVER

    name-server 8.8.8.8

    name-server 4.2.2.2

DNS server-group DefaultDNS

    domain-name home.com

ASA5505(config)# no DNS server-group DefaultDNS

ERROR: dns server-group <DefaultDNS> is in use by  tunnel-group <DefaultL2LGroup>. Please remove the relevant  configuration before removing the dns server-group.

ASA5505(config)# DNS server-group DefaultDNS

ASA5505(config-dns-server-group)# name-server 8.8.8.8

ASA5505(config-dns-server-group)# name-server 4.2.2.2

ASA5505(config-dns-server-group)# end

ASA5505# ping www.cisco.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 23.58.16.170, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/70 ms

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎10-25-2013 11:04 AM

Hi,

I did have to deal with a problem a bit related to this a week ago but the thing you are asking I have not tried so I did some quick tests on my own ASA.

It seems to me that all the Default "tunnel-group" holds this "dns server-group DefaultDNS" in them so I went and configured a dummy "dns server-group" and changed it to all the "tunnel-group". I then tried to remove the "dns server-group DefaultDNS". It accepts the command but does nothing. As in it doesnt remove the "DefaultDNS"

I then checked the Command Reference but it doesnt provide much help with regards to giving specific information about this command "dns server-group". It just states that the "DefaultDNS" is the default setting. It does seem to sugges that configuring "dns server-group" would be solely meant for VPN purposes and this was actually what I was dealing with a week ago.

Here is the Command Reference section from the latest version

 dns server-group 
 To specify the domain name, name server, number of retries, and timeout  values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command. 
dns server -group name 
no dns server-group 
 Syntax Description

 


 name 

 Specifies the name of the DNS server group configuration to use for the tunnel group.

I was trying to set different "dns server-group" with the command "dns-group" under the "tunnel-group webvpn-attributes" but essentially what happened was that the ASA would not use anything but the "dns server-group DefaultDNS". I suspect that this is related to me using the default "tunnel-group" for all incoming WebVPN Clientless connections and therefore the only option is to use the "dns server-group DefaultDNS" so I had to scrap that idea for now (cant have the same "dns server-group" for all the users which need to use the default "tunnel-group"). Though I have not been able to go ahead with that setup because of some other issues that have to be resolved first.

I also checked the CCNP Security certification book about this subject and it doesnt shed any more light to this subject. It only goes to mention that the "dns server-group DefaultDNS" is the default one that ASA uses. No source doesnt  seem to bother to mention that this seems to be the only option/source if you want to use "dns domain-lookup " on the ASA to resolve name-to-ip.

So until I find some document to say otherwise I would have to guess that "dns server-group DefaultDNS" is the only option to use for the ASA to do DNS Lookups unless you are going to use the a NON default "dns server-group" with a WebVPN/Clientless VPN setup

But dont take my word for it. The above is just the things I have run into in the past couple of weeks.

By the way, if you want to see where the "dns server-group DefaultDNS" is used you can use the command

show run all tunnel-group

or perhaps

show run all tunnel-group | inc tunnel-group|dns

Probably not much help to you but thought I'd share what I have seen so far.

- Jouni

johnlloyd_13
Level 9
Level 9
In response to Jouni Forss

‎10-25-2013 11:32 AM

Jouni,

Thanks for your feedback and testing it out! It seem I'm stuck using the default DNS setup. If I remember correctly, I've tested using another DNS group to be working in GNS3.

I also didn't find this stated in FIREWALL course (not 100% sure).

Sent from Cisco Technical Support iPhone App

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card