New Member

Forward DNS request to External DNS

Right now we use OpenDNS for our webfiltering and have our ASA set to only allow DNS requests out to the OpenDNS servers we have configured. If any device tries to use a different DNS, like Google's, the ASA will just drop the traffic.

I know how to do this with iptables. Example:

iptables -I PREROUTING -t nat -p udp -d 8.8.4.4 --dport 53 -j DNAT --to-destination [OpenDNS server]
iptables -I PREROUTING -t nat -p udp -d 8.8.8.8 --dport 53 -j DNAT --to-destination [OpenDNS server]

Right now our network is setup with 2 internal DNS, one primary and one backup, that direct all external requests to the OpenDNS servers.

In our ASA "dns guard" is enabled and we have the below set as well.

access-list acl_in extended permit tcp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit tcp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.20 host [OpenDNS server] eq domain
access-list acl_in extended permit tcp host 172.17.0.21 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.21 host [OpenDNS server] eq domain
access-list acl_in extended permit tcp host 172.17.0.21 host [OpenDNS server] eq domain
access-list acl_in extended permit udp host 172.17.0.21 host [OpenDNS server] eq domain

I need to be able to forward requests for Google's DNS (8.8.8.8, 8.8.4.4) to OpenDNS. Is this possible?

2 REPLIES
Cisco Employee

Forward DNS request to External DNS

Hi Isom,

This is possible to accomplish on the ASA using static Destination NAT. What you will do is NAT any traffic destined to Google's DNS to an OpenDNS server. An example is as follows:

object network googleDNS
 host 8.8.8.8
object network OpenDNS
 host 10.1.1.2
!
nat (Inside,Outside) source static any any destination static googleDNS OpenDNS

I hope it helps,

David.
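
As an added example (not part of David's reply or of the original poster's configuration), the same destination NAT extended to both Google resolver addresses from the question, with an access rule to match. It assumes ASA 8.3 or later syntax, interface names Inside/Outside, and OpenDNS's published resolver 208.67.222.222 in place of the bracketed placeholder used above:

```cisco
! Mapped addresses: what internal hosts think they are talking to
object network googleDNS-1
 host 8.8.8.8
object network googleDNS-2
 host 8.8.4.4
! Real address: where the ASA actually sends the query (assumed OpenDNS resolver)
object network OpenDNS
 host 208.67.222.222
!
! Manual NAT: destination static <mapped> <real>; one line per Google address
nat (Inside,Outside) source static any any destination static googleDNS-1 OpenDNS
nat (Inside,Outside) source static any any destination static googleDNS-2 OpenDNS
!
! On 8.3+ access rules are evaluated against real (untranslated) addresses,
! so the permit must name the OpenDNS host, not 8.8.8.8 / 8.8.4.4.
! Only the two internal resolvers from the question are allowed out.
object-group network internalDNS
 network-object host 172.17.0.20
 network-object host 172.17.0.21
access-list acl_in extended permit udp object-group internalDNS object OpenDNS eq domain
access-list acl_in extended permit tcp object-group internalDNS object OpenDNS eq domain
access-group acl_in in interface Inside
```

Any other internal host that queries 8.8.8.8 directly is still translated to the OpenDNS address but is then dropped by acl_in, which preserves the original intent of only letting the two internal resolvers reach the outside.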

New Member

Forward DNS request to External DNS

David,

Thank you for responding. Can this syntax be used on ASA versions before 8.3?

Also, the OpenDNS servers are external DNS servers. I need to route requests for 1 external DNS server (Google) to another external DNS server (OpenDNS).

Thanks,

Isom
