10-13-2017 03:12 AM - edited 03-08-2019 07:41 PM
Hi,
I have an ASA with below configuration:
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
object network MGMT_SERVER
 host X.X.X.X
object network obj-eclipse.org
 fqdn eclipse.org
object network obj-maven.apache.org
 fqdn maven.apache.org
object network obj-java.com
 fqdn java.com
object network obj-redhat.com
 fqdn redhat.com
object-group network MGMT_FQDN
 network-object object obj-eclipse.org
 network-object object obj-maven.apache.org
 network-object object obj-java.com
 network-object object obj-redhat.com
access-list inside_access_outside extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 443
access-list inside_access_outside extended permit tcp object MGMT_SERVER object-group MGMT_FQDN eq 80
access-list inside_access_outside extended permit udp object MGMT_SERVER host 8.8.8.8 eq domain
access-list inside_access_outside extended permit udp object MGMT_SERVER host 4.2.2.2 eq domain
The issue is, when I run nslookup on my local server (MGMT_SERVER) for the FQDN java.com, the resolved IP is different from the IP my ASA resolves when I check in dns-hosts. Due to this, java.com is not accessible from the server.
Is there any solution for this problem?
10-20-2017 02:53 AM
12-27-2017 09:48 PM
Hi Jennifer,
DNS is the same on both devices: 4.2.2.2
01-11-2018 07:24 AM
Try to use a simpler service (not java, google, facebook).
The issue with big vendors is that they use a lot of IPs. I'll get IP X, you'll get IP Y and someone else IP Z even though we're using the same DNS.
So one issue is the destination domain, for which there are a lot of IPs, and the other is the DNS server you're using, which may not cache the response and just use the TTL from the authoritative server (Google has a 1 min TTL).
Do a quick test and you'll see it works (or it should):
Use something like www.k.ro (an old webserver); it's only one IP.
The solution would be to use an internal DNS server because of the caching. You're in control.
- both your ASA and your station would get the same response.
I don't know about Google's DNS..
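The mismatch the thread describes is easy to spot mechanically: take the addresses the ASA has expanded each FQDN object into (from `show dns-hosts`) and compare them with what the server actually resolves. If the server's address is not in the ASA's set, the FQDN ACL will not match and the connection is dropped. The following is an added example, not code from any post in this thread. The `show dns-hosts` sample is constructed and its column layout is approximated from memory (only the hostname and the IPv4 addresses on each line are relied on), the server-side resolutions are constructed, and all addresses are RFC 5737 documentation ranges rather than real lookups.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample of `show dns-hosts` output on the ASA. Column layout is
# approximated; the parser only relies on the first token (hostname) and any
# IPv4 addresses found on the line. Addresses are RFC 5737 documentation
# ranges, not real resolutions.
ASA_DNS_HOSTS = """\
Host                     Flags       Age  Type  Address(es)
eclipse.org              (temp, OK)  12   IP    192.0.2.10
maven.apache.org         (temp, OK)  40   IP    198.51.100.20, 198.51.100.21
java.com                 (temp, OK)  5    IP    203.0.113.30
redhat.com               (temp, OK)  33   IP    192.0.2.40
"""

# Constructed sample of what MGMT_SERVER resolved (e.g. via nslookup).
# java.com deliberately resolves to a different CDN node than the ASA cached,
# which is the situation the original post describes.
SERVER_RESOLVED: Dict[str, Set[str]] = {
    "eclipse.org": {"192.0.2.10"},
    "maven.apache.org": {"198.51.100.21"},
    "java.com": {"203.0.113.31"},
    "redhat.com": {"192.0.2.40"},
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_show_dns_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each hostname in `show dns-hosts` output to the set of IPv4
    addresses the ASA currently holds for it (the set its FQDN object
    expands into)."""
    hosts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Host "):
            continue  # blank line or column header
        name = line.split()[0]
        ips = set(IPV4.findall(line))
        if ips:
            hosts.setdefault(name, set()).update(ips)
    return hosts


def blocked_hosts(
    asa: Dict[str, Set[str]], server: Dict[str, Set[str]]
) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return the hosts for which the server will connect to an address the
    ASA has not expanded the FQDN object into. Those connections do not match
    the FQDN ACL entry and are dropped, even though the name is permitted."""
    out: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for name, server_ips in server.items():
        asa_ips = asa.get(name, set())
        if not server_ips <= asa_ips:
            out[name] = (asa_ips, server_ips)
    return out


if __name__ == "__main__":
    asa_view = parse_show_dns_hosts(ASA_DNS_HOSTS)
    for name, (asa_ips, srv_ips) in blocked_hosts(asa_view, SERVER_RESOLVED).items():
        print(f"{name}: ASA holds {sorted(asa_ips)}, server uses {sorted(srv_ips)} -> denied")
```

Running this against real `show dns-hosts` output and a real nslookup from the server turns the "it works, it does not work" guessing into a list of names that are currently broken. Any host it reports is exactly the short-TTL, many-address case the reply above describes, and the internal caching resolver it recommends is what makes both sides of the comparison agree.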