Redirect DNS

filip00011 (Level 1)

Hello,

This is my goal: inside users send DNS requests to any public DNS server (Google, Comcast, etc.). I want to catch those requests and redirect them to my local DNS server, let's say 192.168.99.12.

I have an ASA with code 9.6.

6 Replies

mattjones03 (Level 1)

Hi,

The feature you require is "DNS rewrite" / "DNS Doctoring". Here is a Cisco document with an example configuration:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115753-dns-doctoring-asa-config.html

I'm sorry, but I think that is not what I need.

I want to catch all the DNS queries that are going outside and send them to my local DNS server.

Hi,

Ah, I misunderstood your question.

Would it be possible for you to restrict access to all public DNS servers, with the exception of your internal DNS server, for forward lookup requests, and point all your clients/servers at your local server directly:

1. Manual configuration

2. DHCP scope configuration 

I do not recall a feature or configuration that would enable this functionality.

It is possible via NAT, but somehow I can't figure out the correct syntax.

Doesn't work:

object network DNS
 host 192.168.99.12
object network all
 subnet 0.0.0.0 0.0.0.0
object network DNS
 nat (outside,inside) static all service udp domain domain

Hi,

I don't see this working, as it would most likely break other DNS NATs you may have in place.

As mentioned, I'm unaware of a native feature on the ASA that would enforce this; however, you may want to consider the Cisco ASA CX module, depending on the particular ASA you are running.

Hello,

This is not an ideal scenario, since we end up configuring destination NAT from a subnet of 0.0.0.0/0 to a single IP, and also because this would be a u-turning scenario (inside to inside).

But we can try it if that is needed. Please try this during a downtime window.

! Local resolver (real destination) and a catch-all for any public DNS server (mapped destination)
object network DNS
 host 192.168.99.12
object network all
 subnet 0.0.0.0 0.0.0.0

! Twice NAT takes service objects; both sides are UDP/53 here
object service dns-real
 service udp destination eq 53
object service dns-mapped
 service udp destination eq 53

! Destination and service are written "mapped real": clients see "all", the real target is DNS.
! Source PAT to the inside interface makes the resolver's reply come back through the ASA.
nat (inside,inside) 1 source dynamic any interface destination static all DNS service dns-mapped dns-real

! Required for traffic that enters and leaves on the same interface (the u-turn)
same-security-traffic permit intra-interface

HTH

-

AJ
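A fuller version of the redirect, added here as an example and not taken from the thread or from Cisco documentation. It extends the twice-NAT idea in the reply above in three ways a practitioner will want: it covers TCP/53 as well as UDP/53 (DNS falls back to TCP for large answers and zone transfers), it keeps the resolver's own upstream queries from being redirected back to itself, and it ends with the commands used to verify the rewrite. Assumptions (not stated on the page): the LAN behind "inside" is 192.168.99.0/24, the resolver 192.168.99.12 sits on that LAN, and existing outbound PAT uses the "outside" interface address.

```cisco
! Added example (not the original poster's or Cisco's config).
! Assumed topology: inside LAN 192.168.99.0/24, resolver 192.168.99.12 on inside,
! outbound PAT to the "outside" interface address.

! Needed for inside-to-inside (u-turn) traffic through the ASA
same-security-traffic permit intra-interface

object network LOCAL-DNS
 host 192.168.99.12
object network INSIDE-LAN
 subnet 192.168.99.0 255.255.255.0
object network ANY-DEST
 subnet 0.0.0.0 0.0.0.0

! Twice NAT accepts single service objects, not service object-groups,
! so UDP/53 and TCP/53 each get their own object and their own rule.
object service DNS-UDP
 service udp destination eq 53
object service DNS-TCP
 service tcp destination eq 53

! Rules 1-2: the resolver's own upstream queries must NOT be redirected
! back to itself. Manual NAT is matched top-down, first match wins, so
! these PAT the resolver out normally before the catch-all rules below.
nat (inside,outside) 1 source dynamic LOCAL-DNS interface destination static ANY-DEST ANY-DEST service DNS-UDP DNS-UDP
nat (inside,outside) 2 source dynamic LOCAL-DNS interface destination static ANY-DEST ANY-DEST service DNS-TCP DNS-TCP

! Rules 3-4: any other inside host sending to any destination on port 53
! is rewritten to the resolver. Destination and service are "mapped real":
! clients see ANY-DEST, the real target is LOCAL-DNS. Source PAT to the
! inside interface address forces the resolver's reply back through the ASA
! rather than directly to the client, which would leave the flow asymmetric.
nat (inside,inside) 3 source dynamic INSIDE-LAN interface destination static ANY-DEST LOCAL-DNS service DNS-UDP DNS-UDP
nat (inside,inside) 4 source dynamic INSIDE-LAN interface destination static ANY-DEST LOCAL-DNS service DNS-TCP DNS-TCP

! Verification: simulate a client query to 8.8.8.8 (client 192.168.99.50 is a
! made-up address). The NAT phase of the trace should show the destination
! rewritten to 192.168.99.12 and the egress interface as inside.
packet-tracer input inside udp 192.168.99.50 40000 8.8.8.8 53 detailed
show nat detail
show xlate
```

Two caveats. The line numbers insert these rules at the top of section 1; if manual NAT rules already exist, check with `show nat` that none of them matches port 53 traffic ahead of rules 3 and 4. And this only catches classic DNS on port 53: DNS over TLS (TCP/853) and DNS over HTTPS (TCP/443) pass straight through, so clients that switch to those resolvers are not redirected; blocking 853 with an ACL is easy, DoH has to be handled by blocking known resolver addresses or by an inspection device.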