Our ASA VPN clients are connecting and everything is working fine except that a large number of users are using two DNS servers that I want to decommission. While the ASA access-list allows the DNS traffic, neither one is configured to hand them out as DNS resolvers for VPN clients. These are not casual nslookups or digs either. For instance, there are hundreds of Active Directory SRV record queries.
I have a need to stop them from using these two DNS servers ASAP because it's holding up a project of mine to decommission them.
First, does anyone know how a user can override the VPN supplied DNS servers? I tried a few things and failed.
Second, is there a way to force users to only use the ones configured on the ASAs?
Last, if all else fails, can I create a static translation on the ASA to redirect the queries from these two servers to two other servers? I haven't found anything on CCO that says I can't create a static but I haven't found anything that says I can either.
Thanks and that's the conclusion I have come to after looking at the configuration. However I am hesitant to block it until I understand it as these are very important users and I don't want to be the guy to cause them any problems.
Just to clarify, the two DNS servers in question were never configured in a group policy but somehow users are overriding the group policy settings.
A little more history is that the users in question had an Altiris push to hard code the two DNS servers in question for their LAN interfaces. The push shouldn't have touched the VPN interfaces but who knows? I was unable to easily hard code them on the Cisco VPN interfaces without also changing the IP address configuration which showed up as being hardcoded to 0.0.0.0. Maybe I'll play around with that today to at least understand how they are getting past the VPN group policy settings.
Well, truth is that if there is no DNS server pushed via the VPN attributes then the client will use the ones on the LAN. So if these DNS servers were there and the VPN server does not send any other server IP, it will use the ones on the LAN.
Ah ha! That might align with a theory of mine. We do and always have had the two correct DNS servers configured in the default policy which I understand will be used by every other policy that doesn't have an explicit configuration for other servers. We do not have any other explicit DNS policies.
Based on traces from past issues we've found that (at least our Microsoft workstation build) only waits about a second before resending a query to the next server in line.
There would be frequent queries that would take longer than two seconds to resolve, such as Internet queries that have not been cached and bogus queries for which there will be no answer unless the domain is valid.
Do you think it would be possible that the VPN users are sending queries to both of the VPN-configured servers and then, when they don't get a timely response, send the query to the DNS servers configured on the LAN interfaces?
I got some very interesting results. I hard coded my DNS servers on my LAN interface and connected via the VPN. I then tried various methods of overriding the VPN DNS configuration and was not successful.
Interesting to me was that I changed the destination server in NSLOOKUP and sent some queries. The queries resolved properly but the snoop I was running on the Unix DNS server showed that I had not made any queries to it at all. I tested the snoop by pinging the server which proved I wasn't doing something wrong.
My only conclusion is that the ASA redirected my DNS query to one of two (or both) of the DNS servers configured in the policy.
This has me perplexed because I manage our DNS and if I direct a query to a particular server I need to know if the server is responding or not. Had I not done this test I would not have known that the Cisco VPN is of limited usefulness to me for DNS troubleshooting, at least for DNS queries sent directly from the VPN client workstation.
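One way to test the "one-second timeout, then fall back to the LAN-configured DNS server" theory from the thread before blocking anything: group DNS query records by client and query name, and separate queries that reached a decommissioned server shortly after an attempt against a VPN-pushed resolver from queries that went there directly. This is an added example, not code from the thread; the record format, the resolver addresses and the sample records are all constructed.

```python
# Added example (not from the thread): check the "timeout then fall back to the
# LAN-configured DNS server" theory against DNS query records.
# Record format and all IP addresses below are constructed placeholders.
from collections import defaultdict

VPN_DNS = {"10.0.0.53", "10.0.0.54"}    # resolvers pushed by the ASA group policy (constructed)
DECOM_DNS = {"10.9.9.1", "10.9.9.2"}    # resolvers being decommissioned (constructed)
FALLBACK_WINDOW = 2.0                   # seconds; the client retry timeout discussed in the thread

# Constructed records: (timestamp, client_ip, dns_server_ip, qname, qtype)
RECORDS = [
    (100.00, "192.168.50.10", "10.0.0.53", "_ldap._tcp.dc._msdcs.corp.example", "SRV"),
    (101.05, "192.168.50.10", "10.9.9.1",  "_ldap._tcp.dc._msdcs.corp.example", "SRV"),
    (100.20, "192.168.50.11", "10.9.9.2",  "www.example.net", "A"),
    (103.00, "192.168.50.10", "10.0.0.54", "fileserver.corp.example", "A"),
    (103.30, "192.168.50.10", "10.0.0.54", "fileserver.corp.example", "A"),
    (110.00, "192.168.50.12", "10.0.0.53", "nonexistent.bogus", "A"),
    (115.00, "192.168.50.12", "10.9.9.1",  "nonexistent.bogus", "A"),
]


def classify(records, window=FALLBACK_WINDOW):
    """Return (queries to decommissioned servers per client,
               fallback pairs (client, qname, seconds after the VPN-DNS attempt),
               direct queries with no recent VPN-DNS attempt (client, qname, server))."""
    counts = defaultdict(int)
    fallbacks, direct = [], []
    by_key = defaultdict(list)
    # Sorting by timestamp keeps each client's attempts for a name in order.
    for ts, src, dst, qname, qtype in sorted(records):
        by_key[(src, qname, qtype)].append((ts, dst))
    for (src, qname, qtype), attempts in by_key.items():
        last_vpn_ts = None
        for ts, dst in attempts:
            if dst in VPN_DNS:
                last_vpn_ts = ts
            elif dst in DECOM_DNS:
                counts[src] += 1
                if last_vpn_ts is not None and ts - last_vpn_ts <= window:
                    fallbacks.append((src, qname, round(ts - last_vpn_ts, 2)))
                else:
                    direct.append((src, qname, dst))
    return dict(counts), fallbacks, direct


if __name__ == "__main__":
    counts, fallbacks, direct = classify(RECORDS)
    print("queries to decommissioned servers per client:", counts)
    print("fallback after VPN-DNS timeout:", fallbacks)
    print("sent directly to decommissioned servers:", direct)
```

Clients that show up only in the fallback list fit the timeout theory; clients in the direct list are resolving against the old servers without trying the VPN-pushed ones first, which is the case the group policy cannot explain.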