I did have to deal with a problem a bit related to this a week ago but the thing you are asking I have not tried so I did some quick tests on my own ASA.
It seems to me that all the Default "tunnel-group" holds this "dns server-group DefaultDNS" in them so I went and configured a dummy "dns server-group" and changed it to all the "tunnel-group". I then tried to remove the "dns server-group DefaultDNS". It accepts the command but does nothing. As in it doesnt remove the "DefaultDNS"
I then checked the Command Reference but it doesnt provide much help with regards to giving specific information about this command "dns server-group". It just states that the "DefaultDNS" is the default setting. It does seem to sugges that configuring "dns server-group" would be solely meant for VPN purposes and this was actually what I was dealing with a week ago.
Here is the Command Reference section from the latest version
To specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.
dns server -group name
no dns server-group
Specifies the name of the DNS server group configuration to use for the tunnel group.
I was trying to set different "dns server-group" with the command "dns-group" under the "tunnel-group webvpn-attributes" but essentially what happened was that the ASA would not use anything but the "dns server-group DefaultDNS". I suspect that this is related to me using the default "tunnel-group" for all incoming WebVPN Clientless connections and therefore the only option is to use the "dns server-group DefaultDNS" so I had to scrap that idea for now (cant have the same "dns server-group" for all the users which need to use the default "tunnel-group"). Though I have not been able to go ahead with that setup because of some other issues that have to be resolved first.
I also checked the CCNP Security certification book about this subject and it doesnt shed any more light to this subject. It only goes to mention that the "dns server-group DefaultDNS" is the default one that ASA uses. No source doesnt seem to bother to mention that this seems to be the only option/source if you want to use "dns domain-lookup " on the ASA to resolve name-to-ip.
So until I find some document to say otherwise I would have to guess that "dns server-group DefaultDNS" is the only option to use for the ASA to do DNS Lookups unless you are going to use the a NON default "dns server-group" with a WebVPN/Clientless VPN setup
But dont take my word for it. The above is just the things I have run into in the past couple of weeks.
By the way, if you want to see where the "dns server-group DefaultDNS" is used you can use the command
show run all tunnel-group
show run all tunnel-group | inc tunnel-group|dns
Probably not much help to you but thought I'd share what I have seen so far.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :