Today I had a client call and tell me that their domain controllers could not resolve DNS out to the internet. They were looking at the syslog of the ASA and saw it blocking their servers outbound on DNS. I looked at it and didn't see anything, and they said everything was fine. They have a MARS, so I looked in there and found that the domain controllers had been blocked outbound for DNS. The ACL is on the inside interface allowing those two servers outbound for DNS, and it's above any deny rule. It's like the ASA built a dynamic ACL rule and started blocking those servers from resolving DNS. I have never had this happen before in all the installs of the ASAs. The device is running 8(0)4.
TIA for any help/ideas.