DNS Forwarding on ASA 5505

GrootLives
Level 1

I found this article on tricking an ASA 5505 to forward DNS requests, in effect making it a DNS server.

http://herdingpackets.net/2014/02/20/faking-an-asa-as-a-dns-forwarder/

object network Google-DNS-8.8.4.4
  host 8.8.4.4
  nat (outside,inside) static interface service udp domain domain

And I was able to adapt it to do NTP requests, in effect making the ASA act as an NTP server. Now I'm trying to get this to work on another box that has had PAT disabled globally with the following command:

object network obj_any
  no nat (inside,outside) dynamic interface

On this box it breaks completely. The forwarding trick does not work. There must be another step I am missing to make it work just for the protocol I want.
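Added example, not part of the original post: a small Python probe run from an inside host to confirm whether the ASA is actually relaying DNS through the static NAT trick above, so the check can be repeated before and after changing the PAT configuration. The ASA inside address and the query name are placeholders, not values from the thread.

```python
import socket
import struct

# Placeholder for the ASA inside interface address (not given in the thread).
ASA_INSIDE_IP = "192.168.1.1"

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query: one question, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(data, off):
    """Advance past a (possibly compressed) DNS name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes total
            return off + 2
        off += 1 + length

def parse_answers(data, txid):
    """Return (rcode, [A record addresses]) from a DNS response for our txid."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def probe(name="example.com", server=ASA_INSIDE_IP, timeout=3.0):
    """Send the query to the ASA inside address on UDP/53; None on timeout."""
    txid = 0x2A2A
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None                 # no relay: the NAT rule is not doing its job
    finally:
        sock.close()
    return parse_answers(data, txid)
```

A `None` result means nothing came back through the ASA; a tuple with rcode 0 and at least one address means the relay is working end to end.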

2 Replies

Philip D'Ath
VIP Alumni

Why not just let the clients use NTP to a proper NTP server on the Internet? Ditto with DNS?

Sometimes you just want to fix the ASA deficiencies rather than continue to work around them.

The nice thing about simply "passing on" requests is that you can point them elsewhere in the future by making one change in one place (on the box). If you are using DHCP, you use that as a mechanism to push out various values, but in an environment where DHCP is not used you either have to configure every single device with the changes OR, if everything is pointing at the box, make one change on the box. But that would make life easy. And who would want that lol.

Regardless, the question wasn't "do you agree with my doing this?". The question was "do you know how to do this?"