Cisco 5510 as a DNS forwarder

cisco_tools
Level 1

Currently I have a Cisco 5510 configured as a firewall. But my internal DNS is not allowed to be a DNS forwarder, hence my server and client PCs can't access the internet with the internal DNS configured as the primary DNS. So, do I have any chance to configure the ASA 5510 as a DNS forwarder?

4 Replies

andrew.prince
Level 10

Your DNS server should query the DNS root servers or sub servers for any domain/names it does not know.

The firewall on a basic config will allow DNS queries out to the internet, so this would indicate two things:

1) Your DNS server is not set up correctly.

2) You have configured the firewall to block DNS.

Post your firewall config for review.

For your information, my company policy is to remove all the root hints on the DNS server and add it as an additional scope in the DNS scope. For sure, once I configure forwarding on my DNS server to the ISP DNS, my servers and clients are able to surf the internet. From this point, the DNS server should be configured properly. All our sub servers are also doing the same setting. I have posted my firewall config here for your review.

ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 58.185.93.18 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.105 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
object-group service InternetAccess tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq ftp
 port-object eq ftp-data
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 object-group InternetAccess any object-group InternetAccess
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 172.16.0.0 255.255.0.0 any
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 58.185.93.19 netmask 255.0.0.0
nat (inside) 1 172.16.0.0 255.255.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 58.185.93.17 1
timeout xlate 3:00:00
http server enable
http 192.168.1.0 255.255.255.0 management

I do not understand your issue then - you have answered your own question?

It's ok. Thanks.
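As an added example (not from the thread or from Cisco), a small first-match evaluator for the inside_access_in ACL posted above, to check andrew.prince's second point: whether the ASA itself could be blocking DNS. It walks the access-list lines the way the ASA does (first matching ACE decides, implicit deny at the end) and expands the service object-group; the CONFIG string is a constructed excerpt of the posted config, and the parser only handles the syntax that ACL actually uses (any, addr mask, eq, object-group).

```python
import ipaddress

# Constructed excerpt of the ASA 8.0(4) config posted above: the service object-group and the inside ACL.
CONFIG = """\
object-group service InternetAccess tcp
 port-object eq www
 port-object eq https
 port-object eq imap4
 port-object eq pop3
 port-object eq smtp
 port-object eq ftp
 port-object eq ftp-data
access-list inside_access_in extended permit tcp 172.16.0.0 255.255.0.0 object-group InternetAccess any object-group InternetAccess
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 172.16.0.0 255.255.0.0 any
"""
# ASA port keywords used in the group above, plus 'domain' (DNS, 53); numeric ports pass through.
PORT_NAMES = {"www": 80, "https": 443, "imap4": 143, "pop3": 110, "smtp": 25, "ftp": 21, "ftp-data": 20, "domain": 53}
port = lambda tok: PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_groups(lines):  # map each 'object-group service' name to the ports its port-object lines list
    groups, cur = {}, None
    for t in (ln.split() for ln in lines):
        if t[:2] == ["object-group", "service"]:
            cur = groups.setdefault(t[2], set())
        elif t[:2] == ["port-object", "eq"] and cur is not None:
            cur.add(port(t[2]))
        else:
            cur = None  # any other top-level line ends the group body
    return groups

def parse_ace(tokens, groups):
    """tokens: ['permit'|'deny', proto, src, [ports], dst, [ports]] as written after 'extended'."""
    def take_net(r):  # 'any' or 'addr mask'
        return (ipaddress.ip_network("0.0.0.0/0"), r[1:]) if r[0] == "any" else (ipaddress.ip_network(f"{r[0]}/{r[1]}", strict=False), r[2:])
    def take_ports(r):  # None means any port
        if r and r[0] in ("object-group", "eq"):
            return (groups[r[1]] if r[0] == "object-group" else {port(r[1])}), r[2:]
        return None, r
    src, rest = take_net(tokens[2:])
    sports, rest = take_ports(rest)
    dst, rest = take_net(rest)
    return tokens[0], tokens[1], src, sports, dst, take_ports(rest)[0]

def check_flow(config, proto, src, dst, dport, sport=0):
    """First-match walk of inside_access_in: (action, index of matching ACE), or ('deny', None) for the implicit deny."""
    groups = parse_groups(lines := config.splitlines())
    aces = [parse_ace(ln.split()[3:], groups) for ln in lines if ln.startswith("access-list inside_access_in extended ")]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, snet, sports, dnet, dports) in enumerate(aces):
        if p in ("ip", proto) and s in snet and d in dnet and all(ps is None or v in ps for ps, v in ((sports, sport), (dports, dport))):
            return action, i  # first matching ACE decides
    return "deny", None
```

A UDP/53 query from the inside subnet is permitted by the third ACE (the `permit ip` line), so the posted ACL does not block DNS; it also shows that the first ACE, with its object-group on the source port, almost never matches ordinary client traffic (ephemeral source ports), which falls through to that same `permit ip` line.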