Cisco 5510 as a DNS forwarder

Unanswered Question
Feb 15th, 2009

Currently I have a Cisco 5510 configured as a firewall. But my internal DNS is not allowed as a DNS forwarder, hence my server and client PCs can't access the internet with the internal DNS configured as the primary DNS. So, do I have any chance to configure the ASA 5510 as a DNS forwarder?


Your DNS server should query the DNS root servers or sub servers for any domain/names it does not know.

The firewall on a basic config will allow DNS queries out to the internet, so this would indicate two things:

1) Your DNS server is not set up correctly.

2) You have configured the firewall to block DNS.

Post your firewall config for review.

cisco_tools Mon, 02/16/2009 - 07:11

For your information, my company policy is to remove all the root hints on the DNS server and add them as an additional scope in the DNS scope. For sure, once I configure forwarding on my DNS server to the ISP DNS, my server and clients are able to surf the internet. From this point, the DNS server should be configured properly. All our sub servers are also doing the same setting. I have posted my firewall config here for your review.

ASA Version 8.0(4)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Ethernet0/3
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

ftp mode passive
object-group service InternetAccess tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq ftp
 port-object eq ftp-data
access-list inside_access_in extended permit tcp object-group InternetAccess any object-group InternetAccess
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1
access-group inside_access_in in interface inside
route outside 1
timeout xlate 3:00:00
http server enable
http management
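The reply above asks whether the firewall itself is blocking DNS. The posted config only permits a TCP service group (www, https, mail, ftp), ICMP, and a final `permit ip` line whose destination is cut off in the post, so the answer hinges on what that last ACE actually says. As an added example (not code from this thread and not a Cisco tool), the script below parses the ASA `object-group service` and `access-list ... extended` syntax seen in the config and reports, first-match with the ASA's implicit deny at the end, whether DNS (UDP and TCP port 53) from the inside interface would be permitted. The two configs inside it are constructed samples; the parser covers only the ACE forms used in the post and is an assumption, not a complete ASA ACL grammar.

```python
# Added example (not from the thread or from Cisco): audit an ASA-style
# access-list for whether outbound DNS from inside is permitted. Handles the
# ACE shapes seen in the posted config: "permit <proto> <src> <dst> [eq <port> |
# object-group <service-group>]". Anything else is treated as "any port".
import re

DNS_PORTS = {"domain", "53"}

# Constructed sample 1: resembles the posted config, but no ACE covers port 53,
# so a DNS query from inside falls through to the implicit deny.
BLOCKING_CONFIG = """
object-group service InternetAccess tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
access-list inside_access_in extended permit tcp any any object-group InternetAccess
access-list inside_access_in extended permit icmp any any
"""

# Constructed sample 2: the same ACL with explicit DNS permits appended.
ALLOWING_CONFIG = BLOCKING_CONFIG + """
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any any eq domain
"""


def _dst_ports(rest, groups):
    """Destination port set of an ACE body such as 'any any eq domain'.

    Returns None when the ACE matches any destination port.
    """
    tok = rest.split()
    if len(tok) >= 2 and tok[-2] == "eq":
        return {tok[-1]}
    if len(tok) >= 2 and tok[-2] == "object-group" and tok[-1] in groups:
        return set(groups[tok[-1]])
    return None


def parse_asa_config(text):
    """Return (service_groups, acls).

    service_groups: name -> set of port names from its port-object lines.
    acls: name -> ordered list of ACE dicts (action, proto, ports, raw).
    """
    groups, acls, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group service (\S+) (?:tcp|udp|tcp-udp)$", line)
        if m:
            current = groups.setdefault(m.group(1), set())
            continue
        m = re.match(r"port-object eq (\S+)$", line)
        if m and current is not None:
            current.add(m.group(1))
            continue
        current = None  # any other line ends the object-group block
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$", line)
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append(
                {"action": action, "proto": proto,
                 "ports": _dst_ports(rest, groups), "raw": line})
    return groups, acls


def first_match_for_dns(aces, proto):
    """First ACE that a DNS packet of the given transport protocol would hit."""
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["ports"] is None or ace["ports"] & DNS_PORTS:
            return ace
    return None


def audit_dns(text, acl_name="inside_access_in"):
    """Return {'udp': verdict, 'tcp': verdict}.

    verdict is the matching ACE's action ('permit' / 'deny') or
    'implicit-deny' when no ACE in the list matches DNS traffic.
    """
    _, acls = parse_asa_config(text)
    result = {}
    for proto in ("udp", "tcp"):
        ace = first_match_for_dns(acls.get(acl_name, []), proto)
        result[proto] = ace["action"] if ace else "implicit-deny"
    return result


if __name__ == "__main__":
    for label, cfg in (("blocking", BLOCKING_CONFIG), ("allowing", ALLOWING_CONFIG)):
        print(label, audit_dns(cfg))
```

Run against a real config, the check is only as good as the last ACE: a trailing `permit ip any any` makes the DNS question moot, while an ACL that ends with the service group and ICMP alone will silently drop port 53 and produce exactly the symptom described in the question, which the ASA would also log as a denied flow.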

