Can ASA be a DNS server?

The answer is yes and no. The ASA will never act as a real DNS server, but a small NAT trick can make the ASA appear to your hosts as their DNS server.

What is DNS doctoring on ASA?

Cisco DNS doctoring is a process in which the ASA intercepts a DNS response packet as it comes back into the network and changes the IP address carried in the response.
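As an added example (not code from the page), the ASA 8.3+ object NAT configuration that turns DNS doctoring on for one published server. The addresses and object name are assumed for illustration: 192.168.10.20 is the server's real inside address, 203.0.113.20 is the public address it is published under, and the public DNS record for the server points at 203.0.113.20.

```cisco
! Added example: DNS doctoring for one published server (addresses assumed).
!
! Real (inside) address of the server.
object network WEB_SERVER
 host 192.168.10.20
 ! Publish it on 203.0.113.20. The "dns" keyword makes the ASA rewrite
 ! A records in DNS replies that carry 203.0.113.20, so an inside client
 ! receives 192.168.10.20 and reaches the server directly, without
 ! hairpinning through the outside interface.
 nat (inside,outside) static 203.0.113.20 dns
!
! Doctoring only happens for replies that pass through DNS inspection.
! This is already part of the default global policy; shown for completeness.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Verification from exec mode:
!   show nat detail                -> translate hits on the static rule
!   show service-policy inspect dns -> DNS inspection counters
!   show xlate                     -> the static translation is present
```

From an inside client, a lookup of the server's name should now return 192.168.10.20 while the same lookup from the Internet still returns 203.0.113.20. Note that the `dns` keyword cannot be combined with port translation (`service ...`) on the same object NAT rule, and only replies that actually traverse the ASA are rewritten: clients that use an internal resolver which never crosses the firewall are not affected.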

How does ASA FQDN work?

Introduced in Cisco ASA version 8.4(2), this feature allows traffic to be permitted or denied based on an FQDN (i.e. a domain name). It works by the ASA resolving the FQDN to an IP address via DNS and storing the result in its cache; traffic is then permitted or denied accordingly.

How configure DNS Cisco ASA?

  1. On the Devices & Services page, select all the ASAs on which you want to configure DNS.
  2. Click Command Line Interface .
  3. Click the CLI macro favorites star .
  4. Click the Configure DNS macro in the Macros panel.
  5. Click >_View Parameters and in the parameters column, fill in the values for these parameters:

How do I find DNS in ASA firewall?

How to enable DNS lookups on a Cisco ASA 5500

  1. Connect to the ASA, log in, enter enable mode and then global configuration mode.
  2. If you have corporate DNS servers on your LAN you may prefer to use those, in which case you would specify ‘inside’ rather than ‘outside’ as the interface for DNS lookups.

What is FQDN example?

The FQDN consists of two parts, the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be . The hostname is mail , and the host is located within the domain .

How do I find my DNS ASA?

Provided the DNS servers are reachable, you can issue the ping command with a website URL and you will see the name being resolved. It is possible to gain further insight with the debug dns resolver command. The ASDM configuration window resides at Configuration > Device Management > DNS > DNS Client.
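An added example (not from the page) that carries the two steps above through to a working DNS client configuration and the checks just described. The resolver addresses and domain name are assumed: two corporate resolvers on the inside network, 192.168.1.53 and 192.168.1.54, and the search domain corp.example.com.

```cisco
! Added example: ASA DNS client using corporate resolvers (addresses assumed).
enable
configure terminal
!
! Let the ASA send its own DNS queries out of the interface facing the
! resolvers. Use "outside" here instead if the resolvers are on the Internet.
dns domain-lookup inside
!
! Resolvers, default search domain and conservative query timing.
dns server-group DefaultDNS
 name-server 192.168.1.53
 name-server 192.168.1.54
 domain-name corp.example.com
 timeout 2
 retries 2
exit
end
!
! Verification from exec mode:
!
! Resolves the name first, then pings the resulting address.
ping www.example.com
!
! Cached name-to-address entries the ASA has resolved.
show dns-hosts
!
! Per-query trace of the resolver; stop it with "undebug all".
debug dns resolver
```

If `ping www.example.com` reports that the name cannot be resolved, the usual causes are `dns domain-lookup` being enabled on the wrong interface, or an access rule or NAT rule that blocks the ASA's own UDP/53 traffic towards the resolvers; `debug dns resolver` shows whether a query is sent and whether an answer comes back.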

What is DNS port used for?

DNS uses TCP port 53 for zone transfers, which keep the DNS database consistent between servers. UDP is used when a client sends a query to the DNS server. TCP should not be used for queries, as it reveals a lot of information that is useful to attackers.

How do I enable DNS?

  1. Go to the Control Panel.
  2. Click Network and Internet > Network and Sharing Center > Change adapter settings.
  3. Select the connection for which you want to configure Google Public DNS.
  4. Select the Networking tab.
  5. Click Advanced and select the DNS tab.
  6. Click OK.
  7. Select Use the following DNS server addresses.

What is difference between FQDN and DNS?

A fully qualified domain name (FQDN), sometimes also called an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). In some cases a trailing full stop (period) is required at the end of the fully qualified domain name.

Why does the ASA send out DNS queries?

The ASA, however, knows only that it has four FQDN objects, any of which could resolve to the IP in question. It therefore sends DNS queries for all of the FQDN objects, since it does not know which one will resolve to that IP (this is why multiple DNS queries are observed).

What is the IP address of the ASA server?

The NAT rule will untranslate any returning traffic from Google DNS IP address on port 53/udp on the ASA outside interface to be the IP address of the ASA inside interface which is
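An added example (not from the page) of the kind of NAT rule the passage above and the "Can ASA be a DNS server?" answer describe: inside clients are given the ASA's inside interface address as their DNS server, and a static PAT forwards UDP/53 on that address to Google's 8.8.8.8, with the reply untranslated back to the inside interface address. That this is the exact rule the original author used is an assumption; the object name is mine.

```cisco
! Added example (assumed form): let the ASA inside address answer as a DNS server.
!
! The real host 8.8.8.8 lives on the outside. Map it to the inside interface
! address for UDP/53 only. Network-object NAT is bidirectional, so
!   inside client -> <inside-if-ip>:53   is translated to 8.8.8.8:53 on the way out,
!   8.8.8.8:53 -> client                 is untranslated to <inside-if-ip>:53 on the way back.
object network GOOGLE_DNS
 host 8.8.8.8
 nat (outside,inside) static interface service udp domain domain
!
! Verification from exec mode:
!   show xlate                         -> udp translation <inside-if-ip>/53 <-> 8.8.8.8/53
!   show conn protocol udp port 53     -> live client connections through the rule
!   show nat detail                    -> hit counts on the static PAT
```

The ASA does no caching, filtering or logging of the queries in this arrangement: it is a port forward, so every client lookup still reaches 8.8.8.8 unchanged. It also does not affect the ASA's own resolver (`dns domain-lookup` / `dns server-group`), which must be configured separately if the firewall itself needs to resolve names.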

How does Cisco ASA permit or deny traffic?

This feature works by the ASA resolving the FQDN to an IP address via DNS and storing the result in its cache; traffic is then permitted or denied accordingly. This article will look at the configuration, caveats and some of the key commands required for troubleshooting.

How does the DNS server resolve the FQDN object?

The DNS server resolves the FQDN objects to their corresponding IP addresses. The FQDN object should resolve to the same public IP address that the client resolved. Otherwise the ASA creates a dynamic access-list entry for a different IP address than the one the client is trying to reach, and the ASA ends up dropping the packet.
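An added example (not from the page) that ties together the FQDN feature described under "How does ASA FQDN work?" and the resolution caveat just stated: an FQDN object used in an access rule, the resolver settings it depends on, and the commands that show what the ASA actually resolved. The resolver address, object and ACL names, and www.example.com are assumed for illustration.

```cisco
! Added example: FQDN-based access control (names and addresses assumed).
!
! The ASA must be able to resolve names itself (ASA 8.4(2) and later).
dns domain-lookup outside
dns server-group DefaultDNS
 ! Use the same resolver the clients use, so both sides get the same answer.
 name-server 192.168.1.53
 ! Re-resolve before entries age out so the dynamic ACL entries stay current.
 expire-entry-timer minutes 5
 poll-timer minutes 1
!
! FQDN object: the ASA resolves it and expands the ACL into per-address entries.
object network FQDN_WWW_EXAMPLE
 fqdn v4 www.example.com
!
! Permit only HTTPS to that name from the inside; log everything else.
access-list INSIDE_IN extended permit tcp any object FQDN_WWW_EXAMPLE eq https
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Verification from exec mode:
!   show dns-hosts                 -> addresses the ASA resolved and when they expire
!   show access-list INSIDE_IN     -> the dynamic per-address entries behind the FQDN
!   debug dns resolver             -> the queries the ASA sends for each FQDN object
```

When a client's connection to www.example.com is unexpectedly dropped, compare the address the client resolved with the entries in `show dns-hosts` and `show access-list INSIDE_IN`. A mismatch (common with names that return different addresses per resolver or per query) means the dynamic entry covers an address the client is not using; pointing the ASA at the same resolver the clients use, and keeping `expire-entry-timer` short, is the mitigation the caveat above implies.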