Cisco – Possible to have DHCP hand out different DNS server address when using different tunnel

Tags: cisco, cisco-vpn, dhcp, domain-name-system, routing

We have several ASA 5505 deployed. Currently, we have a setup where the local ASA is answering DHCP queries and is configuring clients with two DNS servers: our DR site DNS server (we use AD) and a public DNS.

We need to give clients access to "the internet" when the VPN tunnel is down (this means not only packet routing but DNS answers), which rules out serving DHCP from our side. The above config allows us to use vpnclient server [Production site VPN target] [DR site VPN target] without issue.

This is a workaround from previous config where we manually failed over tunnels by adjusting the DHCP assigned DNS. Super high touch and slow.

On a Fortigate, there was a load balancing service that would create a VIP and had some checks to verify connectivity to DNS servers.

Beyond a creative solution like load balancing, how can we configure clients that are assigned DHCP by our field ASAs to send DNS lookups to specific servers?

[side note]

Just thought that we might use load balancers at each site that serve DNS via the same VIP (only accessible by VPN clients). But this is a complex server-side solution for a possible client-side problem.

Best Answer

In your situation I would simply use the ASA as a DHCP server that hands out its internal IP as the DNS server, use DNS proxy to the tunnel DNS and have several public DNS servers listed in the config.

E.g. (these commands work on c3900 equipment, IOS 15.1; you may have to make changes to be compatible with the ASA software):

service dhcp
ip dns server                        ! enable the DNS proxy so the router answers client queries
ip name-server "tunnel dns"          ! placeholder: the AD DNS server reached over the tunnel, queried first
ip name-server 8.8.8.8               ! google dns used for simplicity, fallback when the tunnel is down
ip name-server 8.8.4.4
ip dhcp pool NET-POOL
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.1             ! clients get the router itself as their only DNS server
   domain-name mydomain.net           ! not required but helpful
   lease 9
ip dhcp excluded-address 192.168.1.1

This works for small offices; I use it on 100 users or less, but it could be scaled if you have the RAM.

Running an IP SLA on the tunnel to know when it's down and using the default route to point to the tunnel would make the switchover faster and more reliable. Just make sure you have a static route defined to point to the local outside interface, or when the tunnel goes down the ASA will remove the default route and then things could just stop working.
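The IP SLA tracking described in the last paragraph, written out as an added example in the same IOS 15.x syntax as the DHCP/DNS-proxy snippet above (this is not the answerer's configuration, and it is not ASA syntax). Assumptions, marked in the comments: the VPN tunnel is interface Tunnel0, TUNNEL_DNS_IP stands for the AD DNS server reached through the tunnel (the probe target), and ISP_NEXT_HOP stands for the local ISP gateway on the outside interface.

```cisco
! --- Probe: ping the tunnel-side DNS server through the tunnel every 10 s ---
! TUNNEL_DNS_IP is a placeholder for the DR/production AD DNS server.
ip sla 10
 icmp-echo TUNNEL_DNS_IP source-interface Tunnel0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now

! --- Tracking object: goes DOWN when the probe stops succeeding ---
track 10 ip sla 10 reachability
 delay down 10 up 20      ! damp flapping: wait before declaring a state change

! --- Default route over the tunnel, installed only while track 10 is UP ---
ip route 0.0.0.0 0.0.0.0 Tunnel0 track 10

! --- Floating default route via the local ISP (higher admin distance) ---
! This is the "static route to the local outside interface" the answer warns about:
! without it, internet access (and the public DNS fallback) disappears when the tunnel drops.
! ISP_NEXT_HOP is a placeholder for the outside gateway address.
ip route 0.0.0.0 0.0.0.0 ISP_NEXT_HOP 200

! --- Keep the probe honest: the probe target must only be reachable via the tunnel,
! otherwise a DOWN tunnel could still look UP through the floating route.
ip route TUNNEL_DNS_IP 255.255.255.255 Tunnel0
```

With this in place the DNS proxy behaviour from the earlier snippet completes the picture: while the tunnel is up, client queries are answered by the first name-server (the AD server); when the track goes down the tunnel default route is withdrawn, the floating route takes over, and the proxy falls through to the public resolvers, so clients never need a different DHCP lease. Verify the state with "show track 10" and "show ip sla statistics 10", and check that "show ip route 0.0.0.0" flips between Tunnel0 and the ISP next hop when the probe fails.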