Friday, December 2, 2016

Using Cisco ASA NAT to Translate Outbound DNS Lookups to OpenDNS

So you have decided to use Cisco Umbrella or OpenDNS as your recursive DNS. Good choice! You update your internal DNS servers to point to 208.67.222.222.

All done, right?

Then you check your firewall logs and notice there are devices sending DNS queries directly to public DNS servers. How can you force those devices to use 208.67.222.222?

With NAT!

First you need to identify which external DNS servers are being used; the firewall's connection logs for outbound port 53 will show you. Then you add NAT rules that rewrite the destination of DNS requests bound for those external servers to the OpenDNS server. Both UDP and TCP port 53 need a rule, because DNS falls back to TCP for large responses and zone transfers.


ASA configuration:

object network Google-DNS
 host 8.8.8.8
!
object network Comcast-DNS
 host 75.75.75.75
!
object network OpenDNS
 host 208.67.222.222
!
object service DNS-UDP
 service udp destination eq domain
!
object service DNS-TCP
 service tcp destination eq domain
!
object-group network DNS-NOT-2-USE
 network-object object Comcast-DNS
 network-object object Google-DNS
!
nat (inside,outside) source static any interface destination static DNS-NOT-2-USE OpenDNS service DNS-UDP DNS-UDP
nat (inside,outside) source static any interface destination static DNS-NOT-2-USE OpenDNS service DNS-TCP DNS-TCP
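As an added example (not part of the original post), the Python script below performs the first step, identifying external resolvers from ASA "Built outbound connection" syslog lines (message IDs 302013 for TCP and 302015 for UDP), and then emits object and NAT lines in the same shape as the configuration above. The log lines, the 192.168.1.x client addresses, the 203.0.113.5 mapped address and the DNS-a-b-c-d object names are constructed for this example; the interface names inside/outside and the approved-resolver list are parameters you would set to match your own firewall.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the ASA 302013/302015 format. The client
# addresses (192.168.1.x) and mapped address (203.0.113.5) are placeholders.
SAMPLE_LOG = """\
%ASA-6-302015: Built outbound UDP connection 1001 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/51234 (203.0.113.5/51234)
%ASA-6-302015: Built outbound UDP connection 1002 for outside:208.67.222.222/53 (208.67.222.222/53) to inside:192.168.1.20/51235 (203.0.113.5/51235)
%ASA-6-302015: Built outbound UDP connection 1003 for outside:75.75.75.75/53 (75.75.75.75/53) to inside:192.168.1.30/51236 (203.0.113.5/51236)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.10/51237 (203.0.113.5/51237)
%ASA-6-302015: Built outbound UDP connection 1005 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:192.168.1.40/51238 (203.0.113.5/51238)
%ASA-6-302015: Built outbound UDP connection 1006 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.1.50/51239 (203.0.113.5/51239)
"""

# Resolvers that are allowed to be reached directly (OpenDNS/Umbrella anycast).
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Matches the connection-build message regardless of the interface nameifs;
# the parenthesised mapped address/port is skipped with \S+.
BUILT_RE = re.compile(
    r"Built outbound (?P<proto>TCP|UDP) connection \d+ for "
    r"\w+:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) \S+ "
    r"to \w+:(?P<src>\d+\.\d+\.\d+\.\d+)/\d+"
)


def find_external_resolvers(log_text, approved=APPROVED_RESOLVERS):
    """Map each unapproved external DNS server (TCP or UDP port 53) to a
    Counter of the internal clients that reached it and how often."""
    found = {}
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if not m or m.group("dport") != "53":
            continue
        dst = m.group("dst")
        if dst in approved:
            continue
        found.setdefault(dst, Counter())[m.group("src")] += 1
    return found


def render_asa_nat(resolvers, opendns="208.67.222.222",
                   inside="inside", outside="outside"):
    """Render ASA object and twice-NAT lines in the same shape as the post's
    configuration. Object names DNS-a-b-c-d are a naming choice for this
    example; DNS-NOT-2-USE, OpenDNS, DNS-UDP and DNS-TCP match the post."""
    lines, names = [], []
    for ip in sorted(resolvers, key=lambda s: tuple(int(o) for o in s.split("."))):
        name = "DNS-" + ip.replace(".", "-")
        names.append(name)
        lines += [f"object network {name}", f" host {ip}", "!"]
    lines += ["object network OpenDNS", f" host {opendns}", "!"]
    lines += ["object service DNS-UDP", " service udp destination eq domain", "!",
              "object service DNS-TCP", " service tcp destination eq domain", "!"]
    lines.append("object-group network DNS-NOT-2-USE")
    lines += [f" network-object object {n}" for n in names]
    lines.append("!")
    # One rule per transport, as in the post, so TCP fallback is also redirected.
    for svc in ("DNS-UDP", "DNS-TCP"):
        lines.append(f"nat ({inside},{outside}) source static any interface "
                     f"destination static DNS-NOT-2-USE OpenDNS service {svc} {svc}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    resolvers = find_external_resolvers(SAMPLE_LOG)
    for ip, clients in resolvers.items():
        print(f"{ip}: {sum(clients.values())} queries from {sorted(clients)}")
    print(render_asa_nat(resolvers))
```

Run it against an export of your own firewall syslog instead of SAMPLE_LOG to get both the list of devices that bypass the internal DNS servers (worth fixing at the device as well as at the firewall) and a ready-to-paste starting point for the NAT rules. Re-run it after the rules are in place: port 53 connections to anything other than the approved resolvers should disappear from the output.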



For more information on Cisco Umbrella visit https://umbrella.cisco.com/