01-08-2010 10:05 AM - edited 03-11-2019 09:54 AM
Hi
I need a local DNS server to resolve Internet addresses for LAN users.
What steps are needed on the ASA to get it working?
DNS Server IP : 10.10.10.100/24
Core_Switch : multiple VLANs; it has a static route ( ip route 0.0.0.0 0.0.0.0 192.168.1.10 ) pointing to the firewall
Firewall_IP : 192.168.1.10
VLANs
Vlan5
ip address 10.10.10.1 255.255.255.0
Vlan6
ip address 192.168.1.1 255.255.255.0
Vlan7
description user_vlan
ip address 10.100.200.1 255.255.252.0
Do I need to have a static NAT with a public IP to make it work, and what more steps are needed on the ASA?
Thanks
ST
01-08-2010 12:05 PM
How do your internal users get an IP address? What do they receive as a DNS server? The ASA, depending on the config, might only need an access-list entry and a translation. You don't need a public address for this. Can you post your config?
01-08-2010 09:45 PM
Hi,
We have one Windows 2003 domain controller acting as DHCP and DNS for LAN users.
Users get their IP address and DNS server from this server.
On the ASA I have inside, outside and a static NAT for OWA (Outlook Web Access).
This static NAT is private to public, so anyone from outside can access email using OWA.
01-08-2010 11:12 PM
You can open DNS UDP port 53 in the outbound direction for your AD server and configure forwarders in the DNS server setup.
You can use a public DNS server like 8.8.8.8 by Google, the well-known 4.2.2.2, or the OpenDNS servers.
As a second option you can set up a Linux BIND Internet caching server on your local network and configure the AD DNS forwarder to point at that IP.
This will help reduce the load on AD and will not directly expose the AD servers to the Internet.
Dileep
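The ASA side of the advice above, written out as an added example (this is not config from the thread or from the original poster's firewall). It uses the addresses given in the question, pre-8.3 ASA syntax (nat/global, which is what a 2010-era ASA would run), and assumes the interfaces are named "inside" and "outside" and that no inbound access-list is yet applied on inside. Only the AD/DNS server is allowed to talk DNS to the forwarders; every other host is forced through it. The route statements matter because the ASA's inside subnet is 192.168.1.0/24 while the DNS server and users sit on VLANs behind the core switch, so without them return traffic never reaches 10.10.10.100.

```cisco
! Added example, not from the thread. ASA 8.2-style syntax; interface names are assumed.

! Return routes to the subnets behind the core switch (VLAN6 address 192.168.1.1).
route inside 10.10.10.0 255.255.255.0 192.168.1.1
route inside 10.100.200.0 255.255.252.0 192.168.1.1

! Hide the LAN subnets behind the outside interface address (PAT).
! Skip these if a nat/global pair already exists alongside the OWA static.
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 10.100.200.0 255.255.252.0

! Forwarders named in the thread; substitute your ISP's resolvers if you prefer.
object-group network DNS_FORWARDERS
 network-object host 8.8.8.8
 network-object host 4.2.2.2

! Only the AD/DNS server (10.10.10.100) may query the forwarders. TCP 53 is included
! because responses that do not fit in UDP are retried over TCP.
access-list inside_access_in extended permit udp host 10.10.10.100 object-group DNS_FORWARDERS eq domain
access-list inside_access_in extended permit tcp host 10.10.10.100 object-group DNS_FORWARDERS eq domain
! Everyone else must use the internal resolver (this also blocks DNS tunnelling straight out).
access-list inside_access_in extended deny udp any any eq domain
access-list inside_access_in extended deny tcp any any eq domain
! Keep ordinary outbound traffic working as before the ACL was applied.
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside

! DNS inspection is on by default; its preset map caps UDP replies at 512 bytes.
! A Windows 2003 resolver uses EDNS0 and can receive larger replies, which the ASA
! would then drop, which shows up on clients as nslookup timeouts. Raise the cap:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
```

Verify from the ASA with `show route`, `show xlate` (an entry for 10.10.10.100 should appear while a lookup is in flight) and `show access-list inside_access_in` (the hit counters on the two permit lines should climb; hits on the deny lines mean a client is bypassing the AD server). The inbound OWA static NAT is untouched; nothing inbound is needed for the DNS server.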
01-09-2010 02:01 AM
Hi
I have set the Active Directory DNS forwarder to use 8.8.8.8 or 4.2.2.2.
After the above steps:
When I do nslookup from my PC or any other PC on the LAN, I get a couple of TIME-OUTs and then a reply.
Is this normal? It happens with almost all sites.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to amc.lan timed-out
> www.yahoo.com
Server: amc.lan
Address: 192.168.1.11
Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
Name: www-real.wa1.b.yahoo.com
Address: 87.248.113.14
Aliases: www.yahoo.com
www.wa1.b.yahoo.com
01-09-2010 05:52 AM
saquib,
Are you able to browse the Internet?
I see you are getting "Non-authoritative answer:". The first thing that you need to understand about NSLOOKUP is that when you use the NSLOOKUP command, it assumes that you are querying a local domain on your private network. You can query an external domain, in your case yahoo.com, but NSLOOKUP will try to search for the domain internally first. For example, the yahoo.com domain is external to your network. "Non-authoritative answer" is what you get when NSLOOKUP queries an external domain.
A couple of things to check on your DNS server to get you browsing the Internet via your internal DNS server:
1. Make sure your DNS forwarders are configured correctly. You should be using your ISP's DNS servers as forwarders. Contact your ISP to get the details.
2. Make sure you have the reverse lookup zone configured correctly, and enable it to accept dynamic updates.
3. Please post ipconfig /all for your DNS server and one of your PCs. Your DNS server should have itself as its DNS server, and your host PCs should also have your internal DNS server as their DNS server.
4. Can the server access the Internet? Is this the only server in the domain, or are there other DCs? Also, are they all Windows DNS?
Also, you do not need to open any port or make any inbound NAT change on your FW for your inside DNS server. Just make sure DNS is permitted outbound.
You can also check out this which is a useful checklist for starters,
HOW TO: Configure DNS for Internet Access in Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;300202
Hope that helps
francisco
01-09-2010 06:50 AM
Hi
I am able to browse the Internet, but it is very slow.
When I do nslookup, I get timeouts (5/3 attempts); I suspect this could be causing the slow browsing?
01-10-2010 10:36 PM
You can update the root hints by using the "copy from server" option in the DNS server properties.
Also make sure that you have configured forwarders on all your DNS servers.
I have the second setup mentioned in my earlier post, and do not have any issue with external DNS queries.
Keep in mind that for each new domain query the DNS server must get a reply from external servers, so the first query will take more time compared to successive queries.
Timeouts can also be caused by external DNS server issues; try using other servers.