10-25-2013 10:21 AM - edited 03-11-2019 07:56 PM
Hi all,
I tried to configure another DNS server group (DNS_SERVER) on my 5505, but it doesn't work.
But DNS translation works when I configured it under DefaultDNS.
Could someone enlighten me why this is so?
ASA5505# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/32/50 ms
ASA5505# ping www.cisco.com
^
ERROR: % Invalid Hostname
ASA5505# sh run dns
dns domain-lookup inside
dns domain-lookup outside
DNS server-group DNS_SERVER
name-server 8.8.8.8
name-server 4.2.2.2
DNS server-group DefaultDNS
domain-name home.com
ASA5505(config)# no DNS server-group DefaultDNS
ERROR: dns server-group <DefaultDNS> is in use by tunnel-group <DefaultL2LGroup>. Please remove the relevant configuration before removing the dns server-group.
ASA5505(config)# DNS server-group DefaultDNS
ASA5505(config-dns-server-group)# name-server 8.8.8.8
ASA5505(config-dns-server-group)# name-server 4.2.2.2
ASA5505(config-dns-server-group)# end
ASA5505# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.58.16.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/70 ms
10-25-2013 11:04 AM
Hi,
I did have to deal with a problem a bit related to this a week ago but the thing you are asking I have not tried so I did some quick tests on my own ASA.
It seems to me that all the default "tunnel-group" entries hold this "dns server-group DefaultDNS" in them, so I went and configured a dummy "dns server-group" and changed it on all the "tunnel-group" entries. I then tried to remove the "dns server-group DefaultDNS". It accepts the command but does nothing, as in it doesn't remove the "DefaultDNS".
I then checked the Command Reference, but it doesn't provide much help with regards to giving specific information about this command "dns server-group". It just states that the "DefaultDNS" is the default setting. It does seem to suggest that configuring "dns server-group" would be solely meant for VPN purposes, and this was actually what I was dealing with a week ago.
Here is the Command Reference section from the latest version
dns server-group
To specify the domain name, name server, number of retries, and timeout values for a DNS server to use for a tunnel group, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.
dns server -group name
no dns server-group
Syntax Description
name: Specifies the name of the DNS server group configuration to use for the tunnel group.
I was trying to set a different "dns server-group" with the command "dns-group" under the "tunnel-group".
I also checked the CCNP Security certification book about this subject, and it doesn't shed any more light on this subject. It only goes on to mention that the "dns server-group DefaultDNS" is the default one that the ASA uses. No source seems to bother to mention that this seems to be the only option/source if you want to use "dns domain-lookup".
So until I find some document that says otherwise, I would have to guess that "dns server-group DefaultDNS" is the only option to use for the ASA to do DNS lookups, unless you are going to use a non-default "dns server-group" with a WebVPN/Clientless VPN setup.
But don't take my word for it. The above is just the things I have run into in the past couple of weeks.
By the way, if you want to see where the "dns server-group DefaultDNS" is used you can use the command
show run all tunnel-group
or perhaps
show run all tunnel-group | inc tunnel-group|dns
Probably not much help to you but thought I'd share what I have seen so far.
- Jouni
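The pitfall in this thread (name-servers defined only in a custom group while DefaultDNS, the group the ASA uses for its own "dns domain-lookup", has none) is easy to miss by eye. The following is an added example, not code from either poster or from Cisco: a small Python checker that parses "show run dns" output and flags exactly that condition. The sample config below is constructed to resemble the one in the first post.

```python
"""Check an ASA 'show run dns' snippet for the DefaultDNS pitfall.

Added example (not from the thread): parses running-config lines and reports
whether DefaultDNS, the group the ASA itself uses for 'dns domain-lookup',
actually has any name-servers configured.
"""
import re

# Constructed sample modelled on the 'sh run dns' output in the thread:
# name-servers live only in the custom group, DefaultDNS has none.
SAMPLE_BROKEN = """\
dns domain-lookup inside
dns domain-lookup outside
DNS server-group DNS_SERVER
 name-server 8.8.8.8
 name-server 4.2.2.2
DNS server-group DefaultDNS
 domain-name home.com
"""


def parse_dns_config(text):
    """Return (lookup_interfaces, {group: {"servers": [...], "domain": str|None}})."""
    interfaces, groups, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"dns domain-lookup (\S+)", line, re.I)
        if m:
            interfaces.append(m.group(1))
            continue
        m = re.match(r"dns server-group (\S+)", line, re.I)
        if m:  # start of a new server-group block
            current = m.group(1)
            groups.setdefault(current, {"servers": [], "domain": None})
            continue
        m = re.match(r"name-server (\S+)", line)
        if m and current:
            groups[current]["servers"].append(m.group(1))
            continue
        m = re.match(r"domain-name (\S+)", line)
        if m and current:
            groups[current]["domain"] = m.group(1)
    return interfaces, groups


def check_default_dns(text):
    """Return a list of findings; an empty list means the ASA can resolve names itself."""
    interfaces, groups = parse_dns_config(text)
    findings = []
    if not interfaces:
        findings.append("no 'dns domain-lookup <interface>': ASA will not resolve at all")
    default = groups.get("DefaultDNS", {"servers": []})
    if not default["servers"]:
        others = [g for g, v in groups.items() if v["servers"] and g != "DefaultDNS"]
        hint = f" (servers only in: {', '.join(others)})" if others else ""
        findings.append("DefaultDNS has no name-server; ASA-originated lookups use only this group" + hint)
    return findings
```

Appending "name-server 8.8.8.8" under the DefaultDNS block, as the first post eventually did, makes the checker return no findings.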
10-25-2013 11:32 AM
Jouni,
Thanks for your feedback and for testing it out! It seems I'm stuck using the default DNS setup. If I remember correctly, I've tested using another DNS group and it worked in GNS3.
I also didn't find this stated in FIREWALL course (not 100% sure).
Sent from Cisco Technical Support iPhone App