01-18-2014 08:46 AM - edited 03-11-2019 08:32 PM
Right now we use OpenDNS for our web filtering and have our ASA set to only allow DNS requests out to the OpenDNS servers we have configured. If any device tries to use a different DNS, like Google's, the ASA will just drop the traffic.
I know how to do this with iptables. Example:
iptables -I PREROUTING -t nat -p udp -d 8.8.4.4 --dport 53 -j DNAT --to-destination [OpenDNS server]
iptables -I PREROUTING -t nat -p udp -d 8.8.8.8 --dport 53 -j DNAT --to-destination [OpenDNS server]
Right now our network is set up with 2 internal DNS servers, one primary and one backup, that direct all external requests to the OpenDNS servers.
In our ASA "dns guard" is enabled and we have the below set as well.
access-list acl_in extended permit tcp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit tcp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit tcp host 172.17.0.21 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.21 host [OpenDNS server] eq domain
access-list acl_in extended permit tcp host 172.17.0.21 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.21 host [OpenDNS server] eq domain
I need to be able to forward requests for Google's DNS (8.8.8.8, 8.8.4.4) to OpenDNS. Is this possible?
01-23-2014 07:42 AM
Hi Isom,
This is possible to accomplish on the ASA using static destination NAT. What you will do is NAT any traffic destined to Google's DNS to an OpenDNS server. An example is as follows:
object network googleDNS
host 8.8.8.8
object network OpenDNS
host 10.1.1.2
!
nat (Inside,Outside) source static any any destination static googleDNS OpenDNS
I hope it helps,
David.
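Whichever way the redirect is built (the iptables DNAT rules in the question or the ASA static destination NAT above), it is worth verifying from the firewall's own connection logs that no client is still reaching an outside resolver other than the sanctioned ones, and that only the two internal DNS servers (172.17.0.20 and 172.17.0.21) are the hosts talking to them. The script below is an added example, not code from this thread or from Cisco: it parses constructed syslog lines written in the style of the ASA "Built outbound UDP/TCP connection" messages and reports port-53 connections that violate the policy. The OpenDNS addresses (198.51.100.10 and 198.51.100.11) are placeholders standing in for the real servers the thread redacts.

```python
import re
from dataclasses import dataclass

# Placeholder OpenDNS resolver addresses (the thread redacts the real ones).
ALLOWED_RESOLVERS = {"198.51.100.10", "198.51.100.11"}
# The two internal DNS servers from the thread; only they should reach external DNS.
INTERNAL_DNS_SERVERS = {"172.17.0.20", "172.17.0.21"}

# Constructed sample log lines in the style of ASA "Built outbound ... connection" syslog.
# Line 1001 is compliant, 1002/1003 go to Google DNS, 1004 is a client bypassing the
# internal DNS servers, 1005 is unrelated HTTPS traffic.
SAMPLE_LOGS = """\
%ASA-6-302015: Built outbound UDP connection 1001 for outside:198.51.100.10/53 (198.51.100.10/53) to inside:172.17.0.20/49152 (203.0.113.5/49152)
%ASA-6-302015: Built outbound UDP connection 1002 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:172.17.1.55/53211 (203.0.113.5/53211)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:8.8.4.4/53 (8.8.4.4/53) to inside:172.17.0.21/40001 (203.0.113.5/40001)
%ASA-6-302015: Built outbound UDP connection 1004 for outside:198.51.100.11/53 (198.51.100.11/53) to inside:172.17.1.77/60000 (203.0.113.5/60000)
%ASA-6-302013: Built outbound TCP connection 1005 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:172.17.1.55/50000 (203.0.113.5/50000)
"""

# Pulls protocol, outside destination/port and inside source/port out of one log line.
LINE_RE = re.compile(
    r"Built outbound (?P<proto>UDP|TCP) connection \d+ for "
    r"outside:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"inside:(?P<src>[\d.]+)/(?P<sport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    reason: str


def audit_dns_egress(log_text, allowed=ALLOWED_RESOLVERS, internal_dns=INTERNAL_DNS_SERVERS):
    """Return one Finding per port-53 connection that breaks the DNS egress policy.

    Two checks, in order: the outside resolver must be on the allowlist, and if it is,
    the inside host must be one of the internal DNS servers (anything else has
    bypassed them and is resolving on its own).
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "53":
            continue  # not a DNS connection record
        src, dst, proto = m["src"], m["dst"], m["proto"]
        if dst not in allowed:
            findings.append(Finding(src, dst, proto, "resolver not in allowlist"))
        elif src not in internal_dns:
            findings.append(Finding(src, dst, proto, "client bypassed internal DNS"))
    return findings


if __name__ == "__main__":
    for f in audit_dns_egress(SAMPLE_LOGS):
        print(f"{f.src} -> {f.dst}/{f.proto}: {f.reason}")
```

Run against the constructed sample it reports three findings: the two Google DNS connections (which should disappear once the NAT redirect is in place) and the workstation at 172.17.1.77 that is querying OpenDNS directly instead of going through the internal servers. Feed it real ASA syslog exported from the logging server by replacing SAMPLE_LOGS; the regex only depends on the "Built outbound ... connection" wording and the interface names inside/outside.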
02-24-2014 06:25 PM
David,
Thank you for responding. Can this syntax be used for ASA versions pre-8.3?
Also, the OpenDNS servers are external DNS servers. I need to route requests for 1 external DNS server (Google) to another external DNS server (OpenDNS).
Thanks,
Isom