IOS Split DNS equivalent (DNS views) for ASA - DNS query inspection?

Unanswered Question
Aug 6th, 2009
User Badges:


I've set up a site to site VPN to an ASA at a branch location, but the remote site also needs local/private DNS. I can't get the remote LAN to use DNS servers behind the VPN, because there's no network redundancy and if the VPN dies, the site has no DNS. On IOS you can set up DNS server with split DNS and send queries to different servers based on regular expressions (view lists, name lists). But since ASA can't act as a DNS server, the functionality is simply missing. The ASA serves DHCP for the local LAN.

Can DNS inspection on ASA be configured to match certain queries?

If that was possible, I could redirect queries for internal domains to internal DNS server. There is alwas the option to simply set up a local DNS server, but the remote office (in Asia, the HQ is in the UK) only has clients/desktops, so I'd rather try all possible options on the ASA first.

Many thanks,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
John Blakley Thu, 08/06/2009 - 06:59
User Badges:
  • Purple, 4500 points or more

If you have a group-policy set up for this site, you can specify split-dns settings under the group policy.



wojciechowczarek Thu, 08/06/2009 - 08:45
User Badges:

Yeah but that's for VPN clients isn't it? We're talking about a site to site - and the VPN has little to do with the problem, VPN is only used as a traffic pipe. The ASA only passes the DNS server IPs to it's DHCP clients, and I want it to inspect the traffic sent to to those and if it matches certain queries, redirect it to DNS servers behind the VPN.

wojciechowczarek Fri, 08/07/2009 - 05:03
User Badges:

Not with my setup unfortunately. DNS doctoring is basically NAT on DNS A record query replies:

client => DNS server: A ?

DNS server => client: A

[ ASA: => ]

ASA => client: A

- so you'd need to have very specific (or - simple) setup for this to work. In my case there is maybe 10 public servers, and more than 100 internal ones.

There is an additional 2851 on that network, but the software image has no DNS view support, and the router is also leased equipment so can't upgrade it. It would be helpful if DNS doctoring supported NS record substitution.

Oh well, you just get spoiled by ISRs over time and you keep forgetting that ASA is "only" a security appliance.

Thanks guys,



This Discussion