DNS Resolution

Unanswered Question
Jan 8th, 2010

I need a local DNS server to resolve Internet addresses for LAN users.

What steps are needed on the ASA to get it working?

DNS Server IP :

Core_Switch : Multiple VLANs, and it has a static route ( ip route ) pointing to the firewall

Firewall_IP :

ip address

ip address

description user_vlan

ip address
Do I need to have a static NAT with a public IP to make it work, and what more steps are needed on the ASA?


Joe B Danford Fri, 01/08/2010 - 12:05
User Badges:
  • Cisco Employee

How do your internal users get an IP address? What do they receive as a DNS server? The ASA, depending on the config, might only need an access-list entry and a translation. You don't need a public address for this. Can you post your config?

saquib.tandel Fri, 01/08/2010 - 21:45

We have one Windows 2003 domain controller acting as DHCP and DNS for LAN users.

Users get their IP address and DNS from this server.

On the ASA I have inside, outside and a static NAT for OWA ( Outlook Web Access ).

This static NAT is private to public, so anyone from outside can access email using OWA.

Dileep Sivadas ... Fri, 01/08/2010 - 23:12

You can open DNS UDP port 53 in the outbound direction for your AD server and configure forwarders in the DNS server setup.

You can use a public DNS server like Google's, or other well-known or open DNS servers.

As a second option you can set up a Linux BIND Internet caching server on your local network and configure the AD DNS forwarder to that IP.

This will help to reduce the load on AD and will not directly expose the AD servers to the Internet.


saquib.tandel Sat, 01/09/2010 - 02:01

You want on Active Directory DNS Forwarder to use or

After the above steps.

When I do nslookup from my PC or any other PC on the LAN, I get a couple of TIME-OUTs and then a reply.

Is this normal?? It happens to almost all sites.

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to amc.lan timed-out
> www.yahoo.com
Server:  amc.lan

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    www-real.wa1.b.yahoo.com
Aliases:  www.yahoo.com

francisco_1 Sat, 01/09/2010 - 05:52
User Badges:
  • Gold, 750 points or more


Are you able to browse the internet?

I see you are getting "Non-authoritative answer:". The first thing that you need to understand about NSLOOKUP is that when you use the NSLOOKUP command, it assumes that you are querying a local domain on your private network. You can query an external domain, in your case yahoo.com, but NSLOOKUP will try to search for the domain internally first. For example, the yahoo.com domain is external to your network. "Non-authoritative answer" is what you get when NSLOOKUP queries an external domain.

A couple of things to check on your DNS server to get you browsing the internet via your internal DNS server:

1, Make sure your DNS forwarders are configured correctly. You should be using your ISP's DNS servers as forwarders. Contact your ISP to get details.

2, Make sure you have the reverse lookup zone configured correctly, and enable it to accept dynamic updates.

3, Please post ipconfig /all for your DNS server and one of your PCs. Your DNS server should have itself as its DNS server, and your host PCs should also have your internal DNS server as their DNS server.

4, Can the server access the internet? Is this the only server in the domain, or are there other DCs? Also, are they all Windows DNS?

Also, you do not need to open any port or make any inbound NAT change on your FW to your inside DNS server. Just make sure DNS is permitted outbound.

You can also check out this, which is a useful checklist for starters:
HOW TO: Configure DNS for Internet Access in Windows

Hope that helps


saquib.tandel Sat, 01/09/2010 - 06:50

I am able to browse the internet, but it is very slow.

When I do nslookup, I get a timeout 5/3 attempts; this could cause the slow browsing, I suspect??

Dileep Sivadas ... Sun, 01/10/2010 - 22:36

You can update the root hints by using the "copy from server" option in the DNS server properties.

Also make sure that you have configured forwarders on all your DNS servers.

I have the second setup mentioned in my earlier post, and do not have any issue with external DNS queries.

Keep in mind that for each new domain query the DNS server should get a reply from external servers, so the first query will take more time compared to successive queries.

Timeouts are also caused by external DNS server issues; try to use other servers.
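The nslookup output earlier in the thread shows retries timing out before an answer arrives, and the last two replies say to check the forwarders and try other upstream servers. The script below is an added example, not code from any poster: it builds raw DNS queries with Python's standard library, sends them to each resolver named on the command line with the same 2 second timeout nslookup uses, and reports how many attempts time out and the average round trip, so you can compare the internal AD server against each forwarder and see which hop is slow. The embedded response bytes (www.yahoo.com resolving through a CNAME to 203.0.113.10) are constructed for an offline check of the parser and are not real records.

```python
"""Probe DNS resolvers over UDP and report per-resolver timeouts and latency."""
import random
import socket
import struct
import sys
import time

# Constructed sample reply (not captured from a real server): id 0x1234,
# flags 0x8180 (response, recursion desired/available), 1 question, 2 answers.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # header
    b"\x03www\x05yahoo\x03com\x00\x00\x01\x00\x01"         # question: www.yahoo.com A IN
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x11"    # answer 1: CNAME, ttl 300, rdlen 17
    b"\x08www-real\x03wa1\x01b\xc0\x10"                    # rdata: www-real.wa1.b.yahoo.com
    b"\xc0\x2b\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"    # answer 2: A, ttl 60, rdlen 4
    b"\xcb\x00\x71\x0a"                                    # rdata: 203.0.113.10 (documentation range)
)


def build_query(name, qid=None, qtype=1):
    """Return a DNS query for `name` (A record by default) with the RD bit set."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after the field)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Parse header and answer section into a dict with id, rcode and answers."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, offset = read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            value = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype == 5:
            value, _ = read_name(data, offset)
        else:
            value = data[offset:offset + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        offset += rdlen
    return {"id": qid, "rcode": flags & 0x000F,
            "authoritative": bool(flags & 0x0400), "answers": answers}


def probe(resolver, name, timeout=2.0, attempts=5):
    """Query `resolver` `attempts` times; return [(rtt_seconds or None, parsed or None)]."""
    results = []
    for _ in range(attempts):
        qid = random.randint(0, 0xFFFF)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(build_query(name, qid), (resolver, 53))
            while True:                           # ignore replies with a foreign id
                data, _ = sock.recvfrom(4096)
                if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid:
                    break
            results.append((time.monotonic() - start, parse_response(data)))
        except socket.timeout:
            results.append((None, None))
        finally:
            sock.close()
    return results


def summarize(results):
    """Count timeouts and average the successful round trips in milliseconds."""
    rtts = [rtt for rtt, _ in results if rtt is not None]
    return {"attempts": len(results), "timeouts": len(results) - len(rtts),
            "avg_ms": round(sum(rtts) / len(rtts) * 1000, 1) if rtts else None}


if __name__ == "__main__":
    # usage: python dnsprobe.py <resolver-ip> [<resolver-ip> ...]
    for resolver in sys.argv[1:] or ["127.0.0.1"]:
        print(resolver, summarize(probe(resolver, "www.yahoo.com")))
```

Run it once against the internal DNS server and once against each configured forwarder; a clean forwarder with a timing-out internal server points at the server's forwarder list or root hints, while timeouts against the forwarder itself mean the upstream is the problem and another server should be tried, as the thread suggests.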