Suppose you have an ASA with multiple connections to the Internet, and that some of your hosts on your inside networks will typically use one Internet connection, while other hosts will typically use the second connection. In such a scenario, is there a way to configure the ASA to always query both ISP1's and ISP2's DNS servers to resolve the FQDNs in the ACLs on the ASA? It seems to me like the ASA will only try to use a single DNS server to resolve FQDNs; if the query succeeds, it doesn't query any additional name servers. However, if a host on one of my internal networks receives a different IP address for a DNS query than the ASA received, then the ACL won't match the outgoing packet, and the ASA will reject the traffic.
For example, suppose I have the following (partial) config on my ASA:
object network INSIDE1-SUBNET
 subnet 10.0.1.0 255.255.255.0
object network FOOBAR
 ! fqdn statement assumed from the question text (foo.bar.com)
 fqdn foo.bar.com
access-list INSIDE1-IN extended permit tcp object INSIDE1-SUBNET object FOOBAR eq 80
access-list INSIDE1-IN extended deny ip any any
If a host on my INSIDE1-SUBNET queries ISP1's DNS server for host foo.bar.com and gets 172.16.10.80 for the IP address, but the ASA is using ISP2's DNS server and gets 172.17.10.80 for the IP address (which can happen with DNS round robin, cached services, etc.), then my ACL will deny the traffic, since 172.16.10.80 != 172.17.10.80.
There are a number of reasons why I can't simply have all of the hosts use the same DNS servers as the ASA, which I have omitted for the sake of brevity. Assuming that I cannot break this constraint (it's a management decision well above my pay grade), how can I resolve this problem?
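The mismatch described in the question, as an added model that is not part of the original post and not the ASA's own implementation: an FQDN object is populated from whichever resolvers the firewall is configured to use, and an outgoing packet only matches the permit entry if the destination address the client resolved is among those the firewall resolved. The resolver answers (172.16.10.80 from ISP1, 172.17.10.80 from ISP2) are constructed inline so the script runs offline; the `Resolver` callable type is an assumption so a real lookup can be plugged in to check two ISP resolvers against each other.

```python
"""Model of FQDN-based ACL matching when the firewall and a client
resolve the same name through different DNS servers.

Constructed sample data, not captured output: ISP1 and ISP2 hand out
different A records for foo.bar.com, as happens with round robin or
geo-aware DNS.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Set

# A resolver maps an FQDN to the set of addresses it answered with.
Resolver = Callable[[str], Set[str]]

_CONSTRUCTED_ANSWERS: Dict[str, Dict[str, Set[str]]] = {
    "isp1": {"foo.bar.com": {"172.16.10.80"}},
    "isp2": {"foo.bar.com": {"172.17.10.80"}},
}


def make_resolver(isp: str) -> Resolver:
    """Build a resolver backed by the constructed answer table above."""
    table = _CONSTRUCTED_ANSWERS[isp]

    def resolve(fqdn: str) -> Set[str]:
        return set(table.get(fqdn, set()))

    return resolve


@dataclass
class FqdnObject:
    """Stand-in for 'object network FOOBAR' with an fqdn statement."""
    name: str
    fqdn: str
    addresses: Set[str] = field(default_factory=set)


def refresh_object(obj: FqdnObject, resolvers: Iterable[Resolver]) -> Set[str]:
    """Populate the object with the union of answers from every resolver given.

    Passing a single resolver models a firewall that only ever asks one
    DNS server; passing several models the 'query both ISPs' behaviour
    the question asks about.
    """
    obj.addresses = set()
    for resolve in resolvers:
        obj.addresses |= resolve(obj.fqdn)
    return obj.addresses


def acl_permits(obj: FqdnObject, dst_ip: str, dst_port: int, port: int = 80) -> bool:
    """Evaluate 'permit tcp ... object FOOBAR eq 80' followed by 'deny ip any any'."""
    return dst_port == port and dst_ip in obj.addresses


def divergent_answers(fqdn: str, resolvers: Dict[str, Resolver]) -> Dict[str, Set[str]]:
    """Return each resolver's answer set when they do not all agree.

    An empty dict means every resolver returned the same addresses, so a
    client using any of them would match the firewall's object.
    """
    answers = {name: resolve(fqdn) for name, resolve in resolvers.items()}
    if len({frozenset(a) for a in answers.values()}) <= 1:
        return {}
    return answers


if __name__ == "__main__":
    isp1, isp2 = make_resolver("isp1"), make_resolver("isp2")
    foobar = FqdnObject("FOOBAR", "foo.bar.com")

    # Firewall asks only ISP2; the client asked ISP1 and connects to 172.16.10.80.
    refresh_object(foobar, [isp2])
    print("single resolver, client uses ISP1 answer:", acl_permits(foobar, "172.16.10.80", 80))

    # Firewall merges answers from both ISPs.
    refresh_object(foobar, [isp1, isp2])
    print("both resolvers, client uses ISP1 answer:", acl_permits(foobar, "172.16.10.80", 80))

    print("divergence report:", divergent_answers("foo.bar.com", {"isp1": isp1, "isp2": isp2}))
```

Running `divergent_answers` periodically against the two ISP resolvers (with a real lookup substituted for the constructed table) gives an early warning of exactly the names whose ACL entries will intermittently fail for clients on the "other" ISP.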