Redirecting DNS Requests to Umbrella with ASA

As networks begin leveraging intelligent DNS products, there is often a need to do some magic at the Internet edge to redirect DNS traffic to the target provider. Some products have this capability built in. Even though the ASA does not have a dedicated configuration for this, we can achieve the same outcome with a few simple NAT rules.

An initial thought would be to build a NAT policy as follows:

//define the objects
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Umbrella1
 host 208.67.220.220
object network Umbrella2
 host 208.67.222.222
object service UDP-53
 service udp destination eq domain

//define the nat rules
nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service UDP-53 UDP-53
nat (any,outside) source dynamic any interface destination static obj_any Umbrella2 service UDP-53 UDP-53

This will sort of work, but there are two cautions. First, DNS sometimes uses TCP, for example when a response is too large for UDP and the client retries over TCP, and these rules match only UDP/53. Second, the second NAT rule will never be used. Both rules match any destination on UDP/53, so even a request sent to 208.67.222.222 matches the first rule and is rewritten to the destination 208.67.220.220.

My recommendation would be to build the policy like the one below. This assumes that the requests should leave with the outside interface IP as their PAT source (hence source dynamic any interface).

//define the objects
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Umbrella1
 host 208.67.220.220
object network Umbrella2
 host 208.67.222.222
object service UDP-53
 service udp destination eq domain
object service TCP-53
 service tcp destination eq domain

//define the nat rules 
nat (any,outside) source dynamic any interface destination static Umbrella2 Umbrella2 service UDP-53 UDP-53
nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service UDP-53 UDP-53
nat (any,outside) source dynamic any interface destination static Umbrella2 Umbrella2 service TCP-53 TCP-53
nat (any,outside) source dynamic any interface destination static obj_any Umbrella1 service TCP-53 TCP-53

It is worth noting that the order of these rules is important. Manual NAT rules are evaluated top to bottom and the first match wins, so if the rule with the obj_any destination preceded the rule with the specific Umbrella2 destination, the specific rule would never be used. The first and third rules are identity translations: DNS requests sent to 208.67.222.222 keep that destination. The second and fourth rules send DNS requests to any other destination to 208.67.220.220. This covers requests sent directly to that address (which are simply left as they are) as well as requests sent to any non-Umbrella resolver.
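To make the first-match behaviour concrete, here is a small Python simulation of both policies. It is an added example, not code from the original post or from any Cisco tooling: it models only ordered first-match on destination address and destination service, which is all that decides the outcome here (source matching is omitted because every rule uses source dynamic any interface). The non-Umbrella resolver address 192.0.2.53 used in the demo is a constructed value. The shadowed() check generalizes the ordering point beyond the two policies in the post: it flags any rule that an earlier rule with the same service already covers completely.

```python
"""First-match simulation of the two ASA twice-NAT policies in the post.

Added illustration, not code from the post or from Cisco. It models only the
part of ASA manual (section 1) NAT matching that matters here: ordered
first-match on destination address and destination service. 192.0.2.53 is a
constructed stand-in for "some other resolver a client was pointed at".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

UMBRELLA1 = "208.67.220.220"
UMBRELLA2 = "208.67.222.222"
ANY = "0.0.0.0/0"  # obj_any in the post


@dataclass(frozen=True)
class NatRule:
    """One 'nat (any,outside) ... destination static MAPPED REAL service SVC SVC'.

    mapped_dst is what the client addressed the packet to (the 'mapped'
    object, written first in the ASA syntax); real_dst is where the ASA sends
    it. proto/port mirror the service object; None means any service.
    """
    mapped_dst: str
    real_dst: str
    proto: Optional[str] = None
    port: Optional[int] = None

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto is not None and (proto, dst_port) != (self.proto, self.port):
            return False
        return ip_address(dst_ip) in ip_network(self.mapped_dst)


def translate(rules: List[NatRule], proto: str, dst_ip: str, dst_port: int
              ) -> Tuple[Optional[int], str]:
    """Return (index of the first matching rule, translated destination).

    (None, dst_ip) means no rule matched and the packet leaves untouched.
    """
    for i, rule in enumerate(rules):
        if rule.matches(proto, dst_ip, dst_port):
            return i, rule.real_dst
    return None, dst_ip


def shadowed(rules: List[NatRule]) -> List[int]:
    """Indices of rules that can never match: an earlier rule with the same
    service (or any service) already covers every destination they cover."""
    dead = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            same_service = earlier.proto is None or \
                (earlier.proto, earlier.port) == (rule.proto, rule.port)
            covered = ip_network(rule.mapped_dst).subnet_of(ip_network(earlier.mapped_dst))
            if same_service and covered:
                dead.append(i)
                break
    return dead


# The first policy from the post: both rules match any destination on UDP/53,
# so the second one is unreachable.
NAIVE = [
    NatRule(ANY, UMBRELLA1, "udp", 53),
    NatRule(ANY, UMBRELLA2, "udp", 53),
]

# The recommended policy: identity rules for 208.67.222.222 first, then the
# catch-all rewrite to 208.67.220.220, for UDP and for TCP.
RECOMMENDED = [
    NatRule(UMBRELLA2 + "/32", UMBRELLA2, "udp", 53),
    NatRule(ANY, UMBRELLA1, "udp", 53),
    NatRule(UMBRELLA2 + "/32", UMBRELLA2, "tcp", 53),
    NatRule(ANY, UMBRELLA1, "tcp", 53),
]

if __name__ == "__main__":
    flows = [("udp", UMBRELLA2, 53), ("udp", UMBRELLA1, 53),
             ("udp", "192.0.2.53", 53), ("tcp", "192.0.2.53", 53),
             ("tcp", "192.0.2.53", 853)]
    for name, policy in (("naive", NAIVE), ("recommended", RECOMMENDED)):
        print(f"{name}: shadowed rules = {shadowed(policy)}")
        for proto, dst, port in flows:
            idx, new_dst = translate(policy, proto, dst, port)
            print(f"  {proto}/{port} to {dst:16} -> rule {idx}, sent to {new_dst}")
```

Running it shows the naive policy reporting rule 1 as shadowed and sending a request for 208.67.222.222 to 208.67.220.220, while the recommended policy keeps 208.67.222.222 intact, rewrites any other port-53 destination to 208.67.220.220, and leaves non-53 traffic (such as TCP/853) alone. Feeding shadowed() the recommended rules in the wrong order (catch-all before the identity rule) flags the identity rule as dead, which is the mistake the paragraph above warns about.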

[Image: Firepower Umbrella]

The only drawback to this approach is that DNS requests sent to non-Umbrella addresses will always be sent exclusively to 208.67.220.220. There is no way with NAT rules alone to load-balance those requests across both Umbrella addresses. Note also that the policy only matches port 53, so clients that use DNS over TLS (TCP/853) or DNS over HTTPS (TCP/443) are not redirected by it.

This config was validated in a lab running ASA 9.8(2) on ASAv. When reproducing it, packet-tracer is the quickest way to confirm which NAT rule a given flow hits (for example, packet-tracer input inside udp 10.1.1.10 1025 208.67.222.222 53, with the interface name and client address adjusted to your environment), and the translate_hits counters in show nat will show whether every rule is actually being used.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.
