Local DNS Cannot resolve Internet-host

Answered Question
Oct 16th, 2009


I have local DNS Server and needs to resolve internet address on behalf of local users.

what steps are needed on Firewall.

LAN users points to local DNS Server for name-resolving

On ASA I have static NAT for local DNS Server with Public IP and

on Inside ACL I allowed udp port 53, on Outside ACL also allowed udp port 53.

It doesnt seems to work, AM I missing some config still

I have this problem too.
0 votes
Correct Answer by Collin Clark about 7 years 3 months ago

I don't have a way to test, but I think this will work to restrict the NAT to just DNS.

access-list dns-nat extended permit udp host any eq domain

nat (inside) 2 access-list dns-nat

Here's a link for configuring QoS on the ASA.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Collin Clark Fri, 10/16/2009 - 12:42

You don't need the static NAT (unless internet people contact this server for resolving your domain) and the outside ACL permitting UDP/53. Check your log when you do a DNS query and see if there is anything in there (post it if you like). Also x2 the ACL applied on the inside interface or post it if you have any doubts. Finally check the DNS inspection. The default is 512 which can be too small. Increase it to something like 1024.

policy-map type inspect dns preset_dns_map


message-length maximum 1024

Hope this helps.

Amin Shaikh Fri, 10/16/2009 - 13:09


I have attached the ASA config.

DNS ServerIP:

From ASA I am able to ping DNS SERVER

and vice-versa.

We dont want LANusers to access internet using this link, so we have ACL on INSIDE.

I do have SMTP traffic from inside to outside and vice-versa working OK.

What is the command to apply name-server on ASA, so i can test name-resolution on ASA.(only for troubleshooting)

Collin Clark Fri, 10/16/2009 - 13:16

One thing I noticed is your outgoing NAT-

nat (INSIDE) 2

This only allows 1 host to NAT, Your DNS server should be added, so it can NAT.

nat (INSIDE) 2

Amin Shaikh Sat, 10/17/2009 - 01:27

After addding it works. With NAT everthing is allowed from this host

How can I restrict this statement

nat (INSIDE) 2

for DNS query only and need to restrict with bandwidth for 256K.

Can this be done.


This Discussion