Our ASA VPN clients are connecting and everything is working fine except that a large number of users are using two DNS servers that I want to decommission. While the ASA access-list allows the DNS traffic, neither one is configured to hand them out as DNS resolvers for VPN clients. These are not casual nslookups or digs either. For instance, there are hundreds of Active Directory SRV record queries.
I have a need to stop them from using these two DNS servers ASAP because it's holding up a project of mine to decommission them.
First, does anyone know how a user can override the VPN supplied DNS servers? I tried a few things and failed.
Second, is there a way to force users to only use the ones configured on the ASAs?
Last, if all else fails, can I create a static translation on the ASA to redirect the queries from these two servers to two other servers? I haven't found anything on CCO that says I can't create a static but I haven't found anything that says I can either.
Any help would be greatly appreciated.