DNS on ASA 5505

Hi all,

I tried to configure another DNS server group (DNS_SERVER) on my 5505 but it doesn't work.

But DNS translation works when I configured it under DefaultDNS.

Could someone enlighten me why is this so?

ASA5505# ping

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms

ASA5505# ping


ERROR: % Invalid Hostname

ASA5505# sh run dns

dns domain-lookup inside

dns domain-lookup outside

DNS server-group DNS_SERVER



DNS server-group DefaultDNS


ASA5505(config)# no DNS server-group DefaultDNS

ERROR: dns server-group <DefaultDNS> is in use by  tunnel-group <DefaultL2LGroup>. Please remove the relevant  configuration before removing the dns server-group.

ASA5505(config)# DNS server-group DefaultDNS

ASA5505(config-dns-server-group)# name-server

ASA5505(config-dns-server-group)# name-server

ASA5505(config-dns-server-group)# end

ASA5505# ping

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:


Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/70 ms

Re: DNS on ASA 5505


I did have to deal with a problem a bit related to this a week ago but the thing you are asking I have not tried so I did some quick tests on my own ASA.

It seems to me that all the Default "tunnel-group" hold this "dns server-group DefaultDNS" in them so I went and configured a dummy "dns server-group" and changed it to all the "tunnel-group". I then tried to remove the "dns server-group DefaultDNS". It accepts the command but does nothing. As in it doesn't remove the "DefaultDNS".

I then checked the Command Reference but it doesn't provide much help with regards to giving specific information about this command "dns server-group". It just states that the "DefaultDNS" is the default setting. It does seem to suggest that configuring "dns server-group" would be solely meant for VPN purposes and this was actually what I was dealing with a week ago.

Here is the Command Reference section from the latest version

dns server-group

To specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.

dns server-group name

no dns server-group

Syntax Description


Specifies the name of the DNS server group configuration to use for the tunnel group.

I was trying to set different "dns server-group" with the command "dns-group" under the "tunnel-group webvpn-attributes" but essentially what happened was that the ASA would not use anything but the "dns server-group DefaultDNS". I suspect that this is related to me using the default "tunnel-group" for all incoming WebVPN Clientless connections and therefore the only option is to use the "dns server-group DefaultDNS" so I had to scrap that idea for now (can't have the same "dns server-group" for all the users which need to use the default "tunnel-group"). Though I have not been able to go ahead with that setup because of some other issues that have to be resolved first.

I also checked the CCNP Security certification book about this subject and it doesn't shed any more light on this subject. It only goes to mention that the "dns server-group DefaultDNS" is the default one that ASA uses. No source seems to bother to mention that this seems to be the only option/source if you want to use "dns domain-lookup " on the ASA to resolve name-to-ip.

So until I find some document to say otherwise I would have to guess that "dns server-group DefaultDNS" is the only option to use for the ASA to do DNS Lookups unless you are going to use a non-default "dns server-group" with a WebVPN/Clientless VPN setup.

But don't take my word for it. The above is just the things I have run into in the past couple of weeks.

By the way, if you want to see where the "dns server-group DefaultDNS" is used you can use the command

show run all tunnel-group

or perhaps

show run all tunnel-group | inc tunnel-group|dns

Probably not much help to you but thought I'd share what I have seen so far.

- Jouni
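
The check suggested in the reply above can also be run offline against a saved copy of the configuration. The following is an added example, not part of the thread and not Cisco tooling: it maps each "dns server-group" to the "tunnel-group" entries that reference it with "dns-group". The sample configuration, the names PARTNER_PORTAL and PARTNER_DNS, and the addresses are constructed, and the parser assumes sub-mode lines start with a space, as in ASA running-config output.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of "show run all" output (not from the thread).
SAMPLE_CONFIG = """\
dns domain-lookup inside
dns domain-lookup outside
dns server-group DNS_SERVER
 name-server 192.0.2.53
dns server-group DefaultDNS
 name-server 192.0.2.10
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 dns-group DefaultDNS
tunnel-group PARTNER_PORTAL type remote-access
tunnel-group PARTNER_PORTAL webvpn-attributes
 dns-group PARTNER_DNS
"""

def dns_group_usage(config_text):
    """Return (defined server-groups, {server-group: tunnel-groups using it})."""
    defined, used_by, current_tg = set(), defaultdict(set), None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current_tg = None  # a top-level command ends the previous sub-mode
            m = re.match(r"dns server-group (\S+)", line, re.I)
            if m:
                defined.add(m.group(1))
            m = re.match(r"tunnel-group (\S+) \S+-attributes", line, re.I)
            if m:
                current_tg = m.group(1)
        elif current_tg:
            m = re.match(r"\s+dns-group (\S+)", line, re.I)
            if m:
                used_by[m.group(1)].add(current_tg)
    return defined, dict(used_by)

def audit(config_text):
    """Classify server-groups: referenced, never referenced, or missing."""
    defined, used_by = dns_group_usage(config_text)
    return {
        # groups the ASA will refuse to remove while these tunnel-groups exist
        "in_use": {g: sorted(t) for g, t in used_by.items() if g in defined},
        # defined, but no tunnel-group points at them
        "unreferenced": sorted(defined - set(used_by)),
        # referenced by a tunnel-group but not defined anywhere
        "dangling": sorted(set(used_by) - defined),
    }

if __name__ == "__main__":
    for kind, value in audit(SAMPLE_CONFIG).items():
        print(kind, value)
```
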

Re: DNS on ASA 5505


Thanks for your feedback and testing it out! It seems I'm stuck using the default DNS setup. If I remember correctly, I've tested using another DNS group to be working in GNS3.

I also didn't find this stated in FIREWALL course (not 100% sure).

