We have several branch offices that only have a Cisco ASA 5505 connecting clients to the Internet, our main office and other networks. Some of the branch offices use a site-to-site VPN to connect to our main office, others use a VPN service delivered by our ISP.
The networking is working fine, but we are having problems figuring out how to handle DNS lookups. I see that the ASA DNS client can use conditional DNS forwarding, but it cannot act as a DNS server for our clients on the inside network.
We want to do the following:
- Default DNS queries should use the DNS servers of the site's local ISP (some sites also use dual ISPs, so we are using DNS1 and DNS2)
- The domain name company.local should use our main office DNS server (accessed via site-to-site VPN or our ISP's VPN)
- The domain name sitea.company.local should use our SiteA DNS server (accessed via site-to-site VPN or our ISP's VPN)
We have solved the issue by using Windows DNS Server's conditional forwarding for the branch offices that have a local Windows 2008 domain controller.
So my question is: how do we solve this issue at our branch offices that only have a Cisco ASA 5505 Security Appliance?
Sorry, I didn't find any other solution for this scenario than to set our internal DNS servers as primary and our ISP's DNS servers as secondary.
It works, but I'm not happy with it.
So if you can figure out a better solution, please keep me updated.
Cisco ASA can do DNS "doctoring" and also DNS inspection, but for that it expects already formed DNS queries; as you mentioned, it is not capable of doing any DNS server logic.
So in the end you'd need separate DNS server functionality.
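To make concrete what that "separate DNS server functionality" has to decide, here is an added illustration (not from the thread or from any Cisco product) of the conditional-forwarding logic the question describes: a minimal forwarder that picks upstream resolvers by longest matching suffix, so sitea.company.local wins over company.local, which wins over the site's ISP default. The resolver addresses in the table and the sample query are constructed placeholders.

```python
import socket
import struct

# Constructed forwarding table for the scenario in the question (placeholder addresses).
# The "" key is the default: the site's local ISP resolvers (DNS1, DNS2).
FORWARDERS = {
    "": ["203.0.113.10", "203.0.113.11"],   # ISP DNS1 / DNS2 (placeholders)
    "company.local": ["10.0.0.53"],         # main office DNS, reached over the VPN
    "sitea.company.local": ["10.1.0.53"],   # SiteA DNS, reached over the VPN
}

def parse_qname(packet: bytes) -> str:
    """Return the first question name of a wire-format DNS query, lowercased."""
    offset, labels = 12, []            # the fixed DNS header is 12 bytes
    while packet[offset] != 0:
        length = packet[offset]
        if length & 0xC0:              # compression pointers never appear in a question
            raise ValueError("unexpected compressed label")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower()

def select_upstream(qname: str, table=FORWARDERS) -> list:
    """Longest-suffix match, so sitea.company.local beats company.local beats default."""
    name = qname.rstrip(".").lower()
    best = ""
    for suffix in table:
        # exact match or a real subdomain; "evilcompany.local" must not match company.local
        if suffix and (name == suffix or name.endswith("." + suffix)) and len(suffix) > len(best):
            best = suffix
    return table[best]

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query; only used here to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + qname_wire + b"\x00" + struct.pack("!HH", 1, 1)

def forward(packet: bytes, timeout: float = 2.0) -> bytes:
    """Send the query to the upstreams chosen for its name; fall back to DNS2 on timeout."""
    for server in select_upstream(parse_qname(packet)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(packet, (server, 53))
                return sock.recv(4096)
            except socket.timeout:
                continue
    raise RuntimeError("no upstream answered")
```

A real deployment would run this logic inside a proper resolver (with caching, TCP fallback and response validation) on a host at the branch; the point here is only the forwarding decision the ASA cannot make for the inside clients.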