08-06-2009 06:05 AM - edited 03-04-2019 05:39 AM
Hi,
I've set up a site to site VPN to an ASA at a branch location, but the remote site also needs local/private DNS. I can't get the remote LAN to use DNS servers behind the VPN, because there's no network redundancy and if the VPN dies, the site has no DNS. On IOS you can set up a DNS server with split DNS and send queries to different servers based on regular expressions (view lists, name lists). But since ASA can't act as a DNS server, the functionality is simply missing. The ASA serves DHCP for the local LAN.
Can DNS inspection on ASA be configured to match certain queries?
If that was possible, I could redirect queries for internal domains to an internal DNS server. There is always the option to simply set up a local DNS server, but the remote office (in Asia, the HQ is in the UK) only has clients/desktops, so I'd rather try all possible options on the ASA first.
Many thanks,
Wojciech
08-06-2009 06:59 AM
If you have a group-policy set up for this site, you can specify split-dns settings under the group policy.
HTH,
John
08-06-2009 08:45 AM
Yeah but that's for VPN clients isn't it? We're talking about a site to site - and the VPN has little to do with the problem, VPN is only used as a traffic pipe. The ASA only passes the DNS server IPs to its DHCP clients, and I want it to inspect the traffic sent to those and if it matches certain queries, redirect it to DNS servers behind the VPN.
08-06-2009 11:07 AM
I wonder if DNS doctoring would help you in this situation. Here is one example of its use.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml
HTH
08-07-2009 05:03 AM
Not with my setup unfortunately. DNS doctoring is basically NAT on DNS A record query replies:
client => DNS server: corpweb.mycorp.com A ?
DNS server => client: corpweb.mycorp.com A 213.70.34.10
[ ASA: 213.70.34.10 => 10.10.20.5 ]
ASA => client: corpweb.mycorp.com A 10.10.20.5
- so you'd need to have a very specific (or - simple) setup for this to work. In my case there are maybe 10 public servers, and more than 100 internal ones.
There is an additional 2851 on that network, but the software image has no DNS view support, and the router is also leased equipment so I can't upgrade it. It would be helpful if DNS doctoring supported NS record substitution.
Oh well, you just get spoiled by ISRs over time and you keep forgetting that ASA is "only" a security appliance.
Thanks guys,
Wojciech
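The doctoring exchange described above, as an added example that is not from the thread or from Cisco: a small Python model of the A-record rewrite the ASA applies to DNS replies, using the constructed mapping 213.70.34.10 -> 10.10.20.5 from the post. The sample reply, the name corpweb.mycorp.com and the helper names are constructed for illustration; the model only touches A answers, which is exactly why it does not help with NS records or a large internal namespace.

```python
import struct

# Constructed static-NAT table (public address -> inside address), as in the post.
DOCTOR_MAP = {"213.70.34.10": "10.10.20.5"}

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def _a_record_offsets(msg: bytes):
    """Yield the offset of the 4-byte RDATA of every A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                            # DNS header is 12 bytes
    for _ in range(qdcount):            # skip questions: QNAME + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:   # TYPE A only; NS/CNAME/MX are left alone
            yield off
        off += rdlen

def answer_ips(msg: bytes) -> list:
    """List the addresses carried by A records in the answer section."""
    return [".".join(str(b) for b in msg[o:o + 4]) for o in _a_record_offsets(msg)]

def doctor_response(msg: bytes, nat: dict = DOCTOR_MAP) -> bytes:
    """Rewrite A-record RDATA that matches the NAT table; everything else is unchanged."""
    out = bytearray(msg)
    for o in _a_record_offsets(msg):
        ip = ".".join(str(b) for b in msg[o:o + 4])
        if ip in nat:
            out[o:o + 4] = bytes(int(x) for x in nat[ip].split("."))
    return bytes(out)

def build_a_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS reply: one question and one uncompressed A answer (TTL 300)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    answer = qname + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer

if __name__ == "__main__":
    reply = build_a_response("corpweb.mycorp.com", "213.70.34.10")
    print(answer_ips(reply), "->", answer_ips(doctor_response(reply)))
```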