ASA DNS resolution against DNS server on the other end of a VPN tunnel

All,

I'm trying to determine what I am doing wrong. I have a remote site with an IPSEC tunnel handled by an ASA 5505 running latest code 9.2(3). When I try to enable DNS resolution on the remote ASA against DNS servers here at the main office, name resolution fails. I enabled DNS resolution on interface inside (which is usually the interface I enable when I want to route traffic through the tunnel).


When I enable debug on DNS, I get:

DNS: DNS is not Enabled on interface vPifNum=3 for nameserver ip=***.***.***.***


It would not have occurred to me that resolving DNS on the ASA over the tunnel would not be supported. Am I just configuring things incorrectly? I can enable DNS on interface outside, but then it routes the traffic over the Internet, which is not what I want. I also tried enabling and disabling DNS inspection in the global policy.

dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.***.***
 name-server 192.168.***.***
 domain-name ************.local


4 Replies

I'm not sure if I really understand your topology. But for DNS lookup, the command "dns domain-lookup" has to be enabled on the interface(s) over which your DNS servers are reachable. In your case it's the interface that routes to 192.168.***.***.

For the remote ASA, these DNS queries would be sent from the outside IP of the ASA. To reach your internal HQ DNS server, your crypto ACL has to include the traffic from the public IP of the remote ASA to your HQ network.

Or another solution would be to place a DNS resolver into the branch network and send the dns-queries to that system.
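The configuration the reply above describes, written out as an added example (it is not the original poster's config and has not been run on their devices). The interface names and all addresses are assumed placeholders: 203.0.113.10 for the remote ASA's outside IP, 192.168.20.0/24 for the branch LAN, 192.168.10.0/24 for the HQ LAN, 192.168.10.53 for the HQ DNS server, and VPN-TO-HQ / VPN-TO-BRANCH for the crypto ACL names.

```cisco
! Added example, not from the original thread. Remote ASA 5505 side.
! Assumed addresses: 203.0.113.10 = remote ASA outside IP,
! 192.168.20.0/24 = branch LAN, 192.168.10.0/24 = HQ LAN,
! 192.168.10.53 = HQ DNS server.
!
! 1. Enable lookups on the interface through which the DNS server is
!    actually reached. ASA-originated queries leave via the outside
!    interface, so "inside" is the wrong interface for this case.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.10.53
 domain-name example.local
!
! 2. The crypto (interesting-traffic) ACL must match the ASA's own
!    outside IP as a source. Without the second line the query still
!    matches nothing in the ACL and is sent in the clear to the Internet.
access-list VPN-TO-HQ extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip host 203.0.113.10 192.168.10.0 255.255.255.0
!
! 3. The HQ ASA needs the mirror-image entry in its crypto ACL, or the
!    SA for this host/network pair will not negotiate:
!    access-list VPN-TO-BRANCH extended permit ip 192.168.10.0 255.255.255.0 host 203.0.113.10
```

After applying this on both ends, `show crypto ipsec sa` on the remote ASA should list a security association whose local identity is the host 203.0.113.10 and whose remote identity is 192.168.10.0/24, with its encapsulated-packet counter increasing each time the ASA performs a lookup. Note that the second ACL entry only exposes the HQ LAN to the ASA's own outside address, not to the rest of the Internet; the branch LAN entry is unchanged.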

OK, thanks. I will experiment with adding the public IP into the tunnel and changing the NAT settings on another site that is closer and safer to mess with, and then I can replicate the solution to the problem site if it solves the issue. Why is it that other ASA services that are bound to the inside interface are able to route through the tunnel, but not DNS? Just curious.

rizwanr74
Level 7

Hi there,


Is your main-office DNS server also part of the encryption domain between the two ASAs?


Yes, and other services on these same two servers here at the main office are accessed through the tunnel by this ASA. For example, secure LDAP for admin console authentication.
