10-25-2013 10:21 AM - edited 03-11-2019 07:56 PM
hi all,
i tried to configure another DNS server group (DNS_SERVER) on my 5505 but it doesn't work.
but DNS translation works when i configured it under DefaultDNS.
could someone enlighten me why this is so?
ASA5505# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms
ASA5505# ping www.cisco.com
^
ERROR: % Invalid Hostname
ASA5505# sh run dns
dns domain-lookup inside
dns domain-lookup outside
DNS server-group DNS_SERVER
name-server 8.8.8.8
name-server 4.2.2.2
DNS server-group DefaultDNS
domain-name home.com
ASA5505(config)# no DNS server-group DefaultDNS
ERROR: dns server-group <DefaultDNS> is in use by tunnel-group <DefaultL2LGroup>. Please remove the relevant configuration before removing the dns server-group.
ASA5505(config)# DNS server-group DefaultDNS
ASA5505(config-dns-server-group)# name-server 8.8.8.8
ASA5505(config-dns-server-group)# name-server 4.2.2.2
ASA5505(config-dns-server-group)# end
ASA5505# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.58.16.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/70 ms
10-25-2013 11:04 AM
Hi,
I did have to deal with a problem a bit related to this a week ago, but the thing you are asking I have not tried, so I did some quick tests on my own ASA.
It seems to me that all the default "tunnel-group" entries hold this "dns server-group DefaultDNS" in them, so I went and configured a dummy "dns server-group" and changed all the "tunnel-group" entries to it. I then tried to remove the "dns server-group DefaultDNS". It accepts the command but does nothing, as in it doesn't remove the "DefaultDNS".
I then checked the Command Reference but it doesn't provide much help with regards to giving specific information about this command "dns server-group". It just states that the "DefaultDNS" is the default setting. It does seem to suggest that configuring "dns server-group" would be solely meant for VPN purposes, and this was actually what I was dealing with a week ago.
Here is the Command Reference section from the latest version
dns server-group
To specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.
dns server-group name
no dns server-group
Syntax Description
name    Specifies the name of the DNS server group configuration to use for the tunnel group.
I was trying to set a different "dns server-group" with the command "dns-group" under the "tunnel-group".
I also checked the CCNP Security certification book about this subject and it doesn't shed any more light on this subject. It only goes on to mention that the "dns server-group DefaultDNS" is the default one that the ASA uses. No source seems to bother to mention that this seems to be the only option/source if you want to use "dns domain-lookup".
So until I find some document to say otherwise, I would have to guess that "dns server-group DefaultDNS" is the only option to use for the ASA to do DNS lookups, unless you are going to use a non-default "dns server-group" with a WebVPN/Clientless VPN setup.
But don't take my word for it. The above is just the things I have run into in the past couple of weeks.
By the way, if you want to see where the "dns server-group DefaultDNS" is used you can use the command
show run all tunnel-group
or perhaps
show run all tunnel-group | inc tunnel-group|dns
Probably not much help to you but thought I'd share what I have seen so far.
- Jouni
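A small config-audit check for the pitfall discussed in this thread, added here as an example and not code from either poster: it parses "show run dns" output and warns when domain-lookup is enabled but the DefaultDNS group (the one the ASA itself resolves with) carries no name-server while another group does. The sample output is constructed, modelled on the "sh run dns" above; the function names are my own.

```python
import re

# Constructed sample, modelled on the 'sh run dns' output in this thread:
# name-servers sit only under DNS_SERVER, and DefaultDNS has none.
SAMPLE_SHOW_RUN_DNS = """\
dns domain-lookup inside
dns domain-lookup outside
DNS server-group DNS_SERVER
 name-server 8.8.8.8
 name-server 4.2.2.2
DNS server-group DefaultDNS
 domain-name home.com
"""


def parse_dns_groups(text):
    """Return {group_name: [name-servers]} from 'show run dns' output.
    Indentation is optional, since pasted output often loses it."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*dns server-group (\S+)", line, re.IGNORECASE)
        if m:
            current = m.group(1)
            groups.setdefault(current, [])
            continue
        m = re.match(r"\s*name-server (\S+)", line)
        if m and current is not None:
            groups[current].append(m.group(1))
    return groups


def audit_default_dns(text, default_group="DefaultDNS"):
    """Return a list of findings (empty means the config looks fine).
    Flags: domain-lookup enabled, but the default group has no name-server."""
    groups = parse_dns_groups(text)
    lookup_enabled = re.search(r"^\s*dns domain-lookup ", text, re.M) is not None
    if not lookup_enabled or groups.get(default_group):
        return []
    others = sorted(g for g, s in groups.items() if g != default_group and s)
    msg = f"{default_group} has no name-server; box-local name resolution will fail"
    if others:
        msg += " (name-servers found only in: " + ", ".join(others) + ")"
    return [msg]


if __name__ == "__main__":
    for finding in audit_default_dns(SAMPLE_SHOW_RUN_DNS):
        print("WARNING:", finding)
```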
10-25-2013 11:32 AM
Jouni,
Thanks for your feedback and testing it out! It seems I'm stuck using the default DNS setup. If I remember correctly, I've tested using another DNS group to be working in GNS3.
I also didn't find this stated in FIREWALL course (not 100% sure).
Sent from Cisco Technical Support iPhone App