ASA VPN DNS Issues

Apr 6th, 2009

Our ASA VPN clients are connecting and everything is working fine except that a large number of users are using two DNS servers that I want to decommission. While the ASA access-list allows the DNS traffic, neither one is configured to hand them out as DNS resolvers for VPN clients. These are not casual nslookups or digs either. For instance, there are hundreds of Active Directory SRV record queries.


I have a need to stop them from using these two DNS servers ASAP because it's holding up a project of mine to decommission them.


First, does anyone know how a user can override the VPN supplied DNS servers? I tried a few things and failed.


Second, is there a way to force users to only use the ones configured on the ASA's?


Last, if all else fails, can I create a static translation on the ASA to redirect the queries from these two servers to two other servers? I haven't found anything on CCO that says I can't create a static, but I haven't found anything that says I can either.


Any help would be greatly appreciated.

Ivan Martinon (Cisco Employee) Wed, 04/08/2009 - 06:30

The only way to prevent them from using those DNS servers, as far as I can see, is:


1. change the dns server settings on the group policy and remove those.


2. define a vpn filter on the group policy to filter udp 53 to those specific hosts.

sgamer Wed, 04/08/2009 - 07:05

Thanks and that's the conclusion I have come to after looking at the configuration. However I am hesitant to block it until I understand it as these are very important users and I don't want to be the guy to cause them any problems.


Just to clarify, the two DNS servers in question were never configured in a group policy but somehow users are overriding the group policy settings.


A little more history is that the users in question had an Altiris push to hard-code the two DNS servers in question for their LAN interfaces. The push shouldn't have touched the VPN interfaces, but who knows? I was unable to easily hard-code them on the Cisco VPN interfaces without also changing the IP address configuration, which showed up as being hard-coded to 0.0.0.0. Maybe I'll play around with that today to at least understand how they are getting past the VPN group policy settings.

Ivan Martinon (Cisco Employee) Wed, 04/08/2009 - 07:11

Well, the truth is that if there is no DNS server pushed via the VPN attributes, then the client will use the ones on the LAN. So if these DNS servers were there and the VPN server does not send any other server IP, it will use the ones on the LAN.

sgamer Wed, 04/08/2009 - 08:21

Ah ha! That might align with a theory of mine. We do and always have had the two correct DNS servers configured in the default policy which I understand will be used by every other policy that doesn't have an explicit configuration for other servers. We do not have any other explicit DNS policies.


Based on traces from past issues we've found that (at least our Microsoft workstation build) only waits about a second before resending a query to the next server in line.


There would be frequent queries that would take longer than two seconds to resolve, such as Internet queries that have not been cached and bogus queries for which there will be no answer unless the domain is valid.


Do you think it would be possible that the VPN users are sending queries to both of the VPN-configured servers and then, when they don't get a timely response, send the query to the DNS servers configured on the LAN interfaces?


Ivan Martinon (Cisco Employee) Wed, 04/08/2009 - 08:30

That's most likely to happen, so here is how it works.


If group policy has specific dns servers, those are pushed to the client

If no dns servers (atts) are defined on the particular policy, but defined on the default policy, those are pushed to the client

If there are no attributes defined on any policy, then it should not inject any attribute into the VPN connection and instead use the local LAN adapter's setup.
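The precedence Ivan lays out here (specific group policy, then DfltGrpPolicy, then the client's LAN adapter) and the two remedies from his first reply (set the DNS servers on the group policy, add a vpn-filter for UDP/53 to the old hosts) can be shown together in ASA configuration. The following is an added example, not configuration from the original thread or from Cisco; the addresses, the group-policy and tunnel-group names and the ACL name are all assumptions for illustration:

```cisco
! Added example configuration (not from the original thread). Assumed addresses:
!   10.10.1.10 / 10.10.1.11  DNS servers VPN clients SHOULD use
!   10.10.9.5  / 10.10.9.6   the two DNS servers being decommissioned
!
! 1. DNS servers pushed to clients. A group policy that has no dns-server
!    line of its own inherits these from DfltGrpPolicy; if neither the
!    specific policy nor DfltGrpPolicy sets one, nothing is pushed and the
!    client keeps using whatever is on its LAN adapter.
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.1.10 10.10.1.11
!
! 2. A specific policy that sets dns-server overrides the default. Using
!    "dns-server none" instead would block inheritance and push nothing.
group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 dns-server value 10.10.1.10 10.10.1.11
!
! 3. vpn-filter: a vpn-filter ACL is written from the remote client's
!    point of view (source = client, destination = inside host). It is
!    enforced on tunnel traffic independently of the interface ACLs, which
!    tunnel traffic normally bypasses when "sysopt connection permit-vpn"
!    is in effect. The ACL ends in an implicit deny, so the final
!    "permit ip any any" is required to keep everything else working.
access-list VPN-FILTER-DNS extended deny udp any host 10.10.9.5 eq domain
access-list VPN-FILTER-DNS extended deny tcp any host 10.10.9.5 eq domain
access-list VPN-FILTER-DNS extended deny udp any host 10.10.9.6 eq domain
access-list VPN-FILTER-DNS extended deny tcp any host 10.10.9.6 eq domain
access-list VPN-FILTER-DNS extended permit ip any any
group-policy GP-ENGINEERING attributes
 vpn-filter value VPN-FILTER-DNS
!
! 4. Bind the policy to the tunnel group the clients connect through
!    (tunnel-group name assumed).
tunnel-group TG-ENGINEERING general-attributes
 default-group-policy GP-ENGINEERING
!
! 5. Verify what is actually in effect for the policy and for a session
!    (username assumed; "show vpn-sessiondb" output varies by ASA version).
show running-config group-policy GP-ENGINEERING
show vpn-sessiondb remote filter name jdoe
```

Blocking TCP/53 as well as UDP/53 matters because a resolver that gets a truncated UDP answer retries over TCP. The thread's own caveat still applies: denying the old servers in the filter does not by itself change what the client resolves against, so confirm with "show vpn-sessiondb" that the session received the intended dns-server attribute before turning the filter on for the sensitive users.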

sgamer Wed, 04/08/2009 - 08:42

Thanks and if I understand correctly, we are on the same page. I am going to do some testing to verify what we've discussed.


sgamer Wed, 04/15/2009 - 15:44

I got some very interesting results. I hard-coded my DNS servers on my LAN interface and connected via the VPN. I then tried various methods of overriding the VPN DNS configuration and was not successful.


Interesting to me was that I changed the destination server in NSLOOKUP and sent some queries. The queries resolved properly but the snoop I was running on the Unix DNS server showed that I had not made any queries to it at all. I tested the snoop by pinging the server which proved I wasn't doing something wrong.


My only conclusion is that the ASA redirected my DNS query to one of two (or both) of the DNS servers configured in the policy.


This has me perplexed because I manage our DNS, and if I direct a query to a particular server I need to know if the server is responding or not. Had I not done this test I would not have known that the Cisco VPN is of limited usefulness to me for DNS troubleshooting, at least for DNS queries sent directly from the VPN client workstation.


Is this the behavior you would expect?
