DNS Resolution

Unanswered Question
Jan 8th, 2010

Hi

I need a local DNS server to resolve Internet addresses for LAN users.

What steps are needed on the ASA to get it working?

DNS Server IP : 10.10.10.100/24

Core_Switch : multiple VLANs, and it has a static route ( ip route 0.0.0.0 0.0.0.0 192.168.1.10 ) pointing to the firewall

Firewall_IP : 192.168.1.10

VLANS

Vlan5

ip address 10.10.10.1 255.255.255.0

Vlan6

ip address 192.168.1.1 255.255.255.0

Vlan7

description user_vlan

ip address 10.100.200.1 255.255.252.0

Do I need to have a static NAT with a public IP to make it work, and what more steps are needed on the ASA?

Thanks

ST

Joe B Danford Fri, 01/08/2010 - 12:05

How do your internal users get an IP address? What do they receive as a DNS server? The ASA, depending on the config, might only need an access-list entry and a translation. You don't need a public address for this. Can you post your config?

saquib.tandel Fri, 01/08/2010 - 21:45

Hi,

We have one Windows 2003 domain controller acting as DHCP and DNS for LAN users.

Users get their IP address and DNS from this server.

On the ASA I have inside, outside and a static NAT for OWA ( Outlook Web Access ).

This static NAT is private to public, so anyone from outside can access email using OWA.

Dileep Sivadas ... Fri, 01/08/2010 - 23:12

You can open DNS UDP port 53 in the outbound direction for your AD server and configure forwarders in the DNS server setup.

You can use a public DNS server like Google's 8.8.8.8, the well-known 4.2.2.2, or the OpenDNS servers.

As a second option you can set up a Linux BIND Internet caching server on your local network and configure the AD DNS forwarder to point at that IP.

This will help reduce the load on AD and will not directly expose the AD servers to the Internet.

Dileep

saquib.tandel Sat, 01/09/2010 - 02:01

Hi

As you suggested, I have set the Active Directory DNS forwarder to use 8.8.8.8 or 4.2.2.2.

After the above steps:

When I do nslookup from my PC or any other PC on the LAN, I get a couple of TIME-OUTs and then a reply.

Is this normal?? It happens with almost all sites.

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to amc.lan timed-out
> www.yahoo.com
Server:  amc.lan
Address:  192.168.1.11

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    www-real.wa1.b.yahoo.com
Address:  87.248.113.14
Aliases:  www.yahoo.com
          www.wa1.b.yahoo.com

francisco_1 Sat, 01/09/2010 - 05:52

saquib,

Are you able to browse the internet?

I see you are getting "Non-authoritative answer:". The first thing that you need to understand about NSLOOKUP is that when you use the NSLOOKUP command, it assumes that you are querying a local domain on your private network. You can query an external domain, in your case yahoo.com, but NSLOOKUP will try to search for the domain internally first. For example, the yahoo.com domain is external to your network. "Non-authoritative answer" is what you see when NSLOOKUP queries an external domain.

Couple of things to check on your DNS server to get you to browse the internet via your Internal DNS server.

1. Make sure your DNS forwarders are configured correctly. You should be using your ISP's DNS servers as forwarders. Contact your ISP to get the details.

2. Make sure you have the reverse lookup zone configured correctly, and enable it to accept dynamic updates.

3. Please post ipconfig /all for your DNS server and one of your PCs. Your DNS server should have itself as its DNS server, and your host PCs should also have your internal DNS server as their DNS server.

4. Can the server access the Internet? Is this the only server in the domain, or are there other DCs? Also, are they all Windows DNS?

Also, you do not need to open any port or make any inbound NAT change on your FW to your inside DNS server. Just make sure DNS is permitted outbound.


You can also check out this, which is a useful checklist for starters:
HOW TO: Configure DNS for Internet Access in Windows
http://support.microsoft.com/default.aspx?scid=kb;EN-US;300202

Hope that helps

francisco
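Dileep and francisco both say the same thing about the firewall side: nothing inbound, no public static NAT for the DNS server, just outbound DNS permitted. The fragment below is an added example of what that looks like on the ASA, not config from the original poster or from any reply in the thread. It assumes pre-8.3 NAT syntax (the thread is from January 2010), interfaces named inside and outside, the AD/DNS server at 10.10.10.100 as given in the question (the later nslookup output shows 192.168.1.11, so adjust the host address to whichever is correct), and the 8.8.8.8 and 4.2.2.2 forwarders mentioned above. The access list is deliberately tighter than "permit DNS outbound": only the forwarding server may talk DNS to the Internet, and everything else on the LAN is forced through it.

```cisco
! --- Added example (assumption: ASA pre-8.3 syntax, interfaces "inside"/"outside") ---
! Routes back to the VLANs that sit behind the core switch (core = 192.168.1.1,
! ASA inside = 192.168.1.10). Without these the replies never reach the VLAN hosts.
route inside 10.10.10.0 255.255.255.0 192.168.1.1
route inside 10.100.200.0 255.255.252.0 192.168.1.1

! Dynamic PAT for every inside network. This is the only translation DNS needs;
! the OWA static NAT is unrelated and a public address for the DNS server is NOT required.
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 10.100.200.0 255.255.252.0
global (outside) 1 interface

! The forwarders the AD DNS server has been configured with (from the thread).
object-group network DNS_FORWARDERS
 network-object host 8.8.8.8
 network-object host 4.2.2.2

! Outbound policy applied on the inside interface:
!  - only the AD/DNS server (assumed 10.10.10.100) may send DNS, and only to its forwarders
!    (TCP 53 as well, for answers that do not fit in a UDP datagram);
!  - every other host is denied direct DNS so it cannot bypass the internal server;
!  - all other traffic from the LAN is allowed out.
access-list INSIDE_IN extended permit udp host 10.10.10.100 object-group DNS_FORWARDERS eq domain
access-list INSIDE_IN extended permit tcp host 10.10.10.100 object-group DNS_FORWARDERS eq domain
access-list INSIDE_IN extended deny udp any any eq domain
access-list INSIDE_IN extended deny tcp any any eq domain
access-list INSIDE_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE_IN extended permit ip 10.100.200.0 255.255.252.0 any
access-group INSIDE_IN in interface inside

! DNS inspection is part of the ASA default policy; leave it in place so the
! firewall only passes a reply whose ID matches an outstanding query.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
```

Two checks are worth running after applying this: "show xlate" should show a PAT entry for the DNS server's outbound UDP/53 flow while a lookup is in progress, and "show access-list INSIDE_IN" should show hit counts on the two "deny ... eq domain" lines only if some client is pointed at an external resolver directly, which is the misconfiguration the deny lines exist to surface.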

saquib.tandel Sat, 01/09/2010 - 06:50

Hi

I am able to browse the Internet, but very slowly.

When I do nslookup, I get a timeout on 3 of 5 attempts; this could be causing the slow browsing, I suspect??

Dileep Sivadas ... Sun, 01/10/2010 - 22:36

You can update the root hints by using the "copy from server" option in the DNS server properties.

Also make sure that you have configured forwarders on all your DNS servers.

I have the second setup mentioned in my earlier post, and do not have any issue with external DNS queries.

Keep in mind that for each new domain queried the DNS server has to get a reply from the external servers, so the first query will take more time compared to successive queries.

Timeouts are also caused by external DNS server issues; try using other servers.
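The nslookup output earlier in the thread (a 2-second timeout, a few retries, then a non-authoritative answer) and Dileep's point that a first query for a new name is slow while repeats are served from cache can both be measured directly rather than guessed at. The script below is an added example, not something any poster in the thread ran. It builds a DNS query on the wire, parses the reply (including compression pointers and the CNAME chain seen in the yahoo.com answer), and times each attempt against a chosen server with nslookup's 2-second timeout so that "3 of 5 time out" becomes a number you can compare between the internal server, the forwarders and the ISP's resolvers. The sample reply is constructed by hand to resemble the thread's output; the server address in the usage block is an assumption.

```python
"""Added example: minimal DNS wire-format helpers plus a retry/timeout probe.
Constructed sample data only; the live probe needs a reachable resolver."""
import os
import socket
import struct
import time


def encode_name(name):
    """'www.yahoo.com' -> b'\\x03www\\x05yahoo\\x03com\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, recursion_desired=True):
    """Standard query, one question, class IN. qtype 1 = A, 5 = CNAME."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after it).
    A hop limit stops a malicious reply with a pointer loop from hanging us."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end  # resume after first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    """Return header flags and the answer section as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id": txid, "is_response": bool(flags & 0x8000),
              "authoritative": bool(flags & 0x0400),   # clear => "Non-authoritative answer"
              "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, rstart = data[offset:offset + rdlen], offset
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:
            value, _ = decode_name(data, rstart)      # CNAME target may be compressed
        else:
            value = rdata.hex()
        result["answers"].append((name, {1: "A", 5: "CNAME"}.get(rtype, str(rtype)), ttl, value))
    return result


def sample_response(txid=0x1234):
    """CONSTRUCTED reply modelled on the thread's nslookup output (not a capture):
    www.yahoo.com -> CNAME -> CNAME -> A 87.248.113.14, AA bit clear."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 0)
    question = encode_name("www.yahoo.com") + struct.pack("!HH", 1, 1)   # name at offset 12
    rdata1 = b"\x03www\x03wa1\x01b" + b"\xC0\x10"                         # + "yahoo.com" @16
    ans1 = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 300, len(rdata1)) + rdata1   # rdata @43
    rdata2 = b"\x08www-real" + b"\xC0\x2F"                                # + "wa1.b.yahoo.com" @47
    ans2 = b"\xC0\x2B" + struct.pack("!HHIH", 5, 1, 300, len(rdata2)) + rdata2   # rdata @67
    ans3 = b"\xC0\x43" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([87, 248, 113, 14])
    return header + question + ans1 + ans2 + ans3


def query_with_retry(server, name, timeout=2.0, attempts=3, port=53):
    """UDP query with nslookup-style per-attempt timeout. Returns
    (parsed reply or None, list of per-attempt seconds with None for a timeout)."""
    txid = int.from_bytes(os.urandom(2), "big")       # unpredictable ID, not a counter
    query, timings = build_query(name, txid=txid), []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(attempts):
            start = time.monotonic()
            sock.sendto(query, (server, port))
            try:
                data, _peer = sock.recvfrom(4096)
            except socket.timeout:
                timings.append(None)
                continue
            timings.append(time.monotonic() - start)
            reply = parse_response(data)
            if reply["id"] == txid and reply["is_response"]:
                return reply, timings
    return None, timings


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.11"   # assumed internal DNS
    for host in ("www.yahoo.com", "www.yahoo.com"):                  # 2nd run should be cached
        reply, timings = query_with_retry(server, host)
        print(host, timings, reply["answers"] if reply else "no answer")
```

Run it once against the internal server and once against each forwarder (python dnsprobe.py 8.8.8.8, and so on). If the forwarders answer in well under a second but the internal server shows None entries, the problem is between the AD server and the forwarders (the firewall policy or the forwarder list); if the forwarders themselves time out from the LAN, that points at the upstream resolvers or the ISP, which is the "try other servers" case above.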
