IOS Split DNS equivalent (DNS views) for ASA - DNS query inspection?

Hi,

I've set up a site to site VPN to an ASA at a branch location, but the remote site also needs local/private DNS. I can't get the remote LAN to use DNS servers behind the VPN, because there's no network redundancy and if the VPN dies, the site has no DNS. On IOS you can set up DNS server with split DNS and send queries to different servers based on regular expressions (view lists, name lists). But since ASA can't act as a DNS server, the functionality is simply missing. The ASA serves DHCP for the local LAN.

Can DNS inspection on ASA be configured to match certain queries?

If that was possible, I could redirect queries for internal domains to an internal DNS server. There is always the option to simply set up a local DNS server, but the remote office (in Asia, the HQ is in the UK) only has clients/desktops, so I'd rather try all possible options on the ASA first.

Many thanks,

Wojciech

4 Replies

John Blakley
VIP Alumni

If you have a group-policy set up for this site, you can specify split-dns settings under the group policy.

HTH,

John


Yeah, but that's for VPN clients, isn't it? We're talking about a site-to-site VPN, and the VPN has little to do with the problem; it is only used as a traffic pipe. The ASA only passes the DNS server IPs to its DHCP clients, and I want it to inspect the traffic sent to those and, if it matches certain queries, redirect it to DNS servers behind the VPN.

I wonder if DNS doctoring would help you in this situation. Here is one example of its use.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968d1.shtml

HTH

Not with my setup unfortunately. DNS doctoring is basically NAT on DNS A record query replies:

client => DNS server: corpweb.mycorp.com A ?

DNS server => client: corpweb.mycorp.com A 213.70.34.10

[ ASA: 213.70.34.10 => 10.10.20.5 ]

ASA => client: corpweb.mycorp.com A 10.10.20.5

- so you'd need a very specific (or simple) setup for this to work. In my case there are maybe 10 public servers, and more than 100 internal ones.

There is an additional 2851 on that network, but the software image has no DNS view support, and the router is also leased equipment, so I can't upgrade it. It would be helpful if DNS doctoring supported NS record substitution.

Oh well, you just get spoiled by ISRs over time and you keep forgetting that ASA is "only" a security appliance.

Thanks guys,

Wojciech
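The A-record rewrite described in the reply above, as an added Python example that is not part of the original thread or of any Cisco code: it parses a constructed DNS response, rewrites only A-record answers whose address matches a static NAT entry (NAT_MAP, constructed from the thread's values), and leaves NS or any other record type untouched, which is exactly the limitation the post points at.

```python
import struct
import ipaddress

# Constructed static NAT entry: public address -> inside address (values from the thread)
NAT_MAP = {"213.70.34.10": "10.10.20.5"}

def encode_name(name):
    """Encode a dotted name in DNS label format."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_reply(name, rtype, rdata, qid=0x1234):
    """Constructed sample input: a DNS response carrying one answer record of type rtype."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # standard response, 1 Q, 1 answer
    question = encode_name(name) + struct.pack(">HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a name (labels to the root, or a 2-byte compression pointer)."""
    while msg[off] and not msg[off] & 0xC0:
        off += 1 + msg[off]
    return off + 2 if msg[off] & 0xC0 else off + 1

def answer_records(msg):
    """Yield (rdata_offset, rtype, rdlen) for every record in the answer section."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rdlen
        off += rdlen

def a_records(msg):  # dotted-quad addresses of all A records in the answer section
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, t, n in answer_records(msg) if t == 1 and n == 4]

def doctor(msg, nat_map):
    """Rewrite A-record RDATA that matches a NAT entry; other record types (NS, CNAME...) stay as-is."""
    out = bytearray(msg)
    rewritten = 0
    for off, rtype, rdlen in answer_records(msg):
        if rtype == 1 and rdlen == 4:
            public = str(ipaddress.IPv4Address(bytes(msg[off:off + 4])))
            if public in nat_map:
                out[off:off + 4] = ipaddress.IPv4Address(nat_map[public]).packed
                rewritten += 1
    return bytes(out), rewritten
```

Because the rewrite is keyed on the A-record address, each internal host needs its own NAT entry, which is why it scales to a handful of public servers but not to a hundred internal ones.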
