Hi,
Could you let me know more about your topology and configuration?
Where is the DNS server and the server (URL which you are trying to resolve) located w.r.t. the ASA?
For DNS rewrite to work properly, you must have your DNS server located across the firewall, i.e., the DNS request from a machine should cross the firewall and go to another interface and then come back via the same path. This means that DNS inspection won't work if you have both the resolving client and the DNS server in the same network segment. Of course, this is in addition to DNS inspection being configured on the firewall.
As an example, let's consider the following example -
client--inside--ASA--outside--DNS server
Client tries to resolve a URL for a server on the inside network of the ASA.
The DNS query then goes through the ASA and reaches the DNS server. The public DNS server on the internet responds with the public IP address of the internal server (this server is local for the client).
The DNS response packet has the public IP address of the server in its payload. The ASA intercepts this response packet to rewrite the IP in the response packet to the private IP address of the server.
The question is, how does the ASA understand what the private IP address of the server is?
Well, it understands this based on the static NAT configured for the internal server. Hence, it is also required that the NAT be enabled with the DNS keyword for rewrite to work.
Please check if your scenario satisfies all these requirements.
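The rewrite step described in the reply above, as an added Python model (not ASA code and not part of the original post): it walks a DNS response that is assumed to be crossing the firewall and swaps the public address in each A record for the private one, but only for static NAT entries that carry the DNS keyword. The addresses, the `STATIC_NAT` table and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed static NAT table: public IP -> (private IP, DNS keyword set?)
STATIC_NAT = {
    "198.51.100.10": ("192.168.1.10", True),   # static NAT with the DNS keyword
    "198.51.100.20": ("192.168.1.20", False),  # static NAT without it
}

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_response(name, ip):
    """Constructed DNS response: one question, one A record (TTL 60)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = ipaddress.IPv4Address(ip).packed
    # 0xc00c is a compression pointer back to the question name at offset 12
    return header + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def rewrite_a_records(msg, nat=STATIC_NAT):
    """Replace public IPs with private IPs in A-record answers of a response."""
    out = bytearray(msg)
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            public = str(ipaddress.IPv4Address(msg[off:off + 4]))
            private, dns_keyword = nat.get(public, (None, False))
            if dns_keyword:                    # no DNS keyword, no rewrite
                out[off:off + 4] = ipaddress.IPv4Address(private).packed
        off += rdlen
    return bytes(out)

def answer_ip(msg):
    """IP in the single A record of a message made by build_response()."""
    return str(ipaddress.IPv4Address(msg[-4:]))
```
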