User Guide for Cisco Security Manager 4.4
Chapter 51 Configuring Server Access Settings on Firewall Devices
DNS Page
Add DNS Server Group Dialog Box
Use the Add DNS Server Group dialog box to define the DNS servers and settings for a DNS server
group, used by security devices to resolve server names to IP addresses in policies that support name
Note With the exception of its title, the Edit DNS Server Group dialog box is identical to this one, and the
following descriptions apply to both.
Navigation Path
You can access the Add DNS Server Group and Edit DNS Server Group dialog boxes from the DNS
Page, page 51-13.
Field Reference
DefaultDNS Server Group
(ASA 8.4(2)+)
Additional settings that apply to the DefaultDNS server group only.
These settings are used when resolving FQDN network/host objects to
IP addresses.
• Poll Timer—The time, in minutes, of the polling cycle used to
resolve FQDN network/host objects to IP addresses. FQDN objects
are resolved only if they are used in a firewall policy. The timer
determines the maximum time between resolutions; the DNS
entry’s time-to-live (TTL) value is also used to determine when to
update to IP address resolution, so individual FQDNs might be
resolved more frequently than the polling cycle.
The default is 240 (four hours). The range is 1 to 65535 minutes.
• Expire Entry Timer—The number of minutes after a DNS entry
expires (that is, the TTL has passed) that the entry is removed from
the DNS lookup table. Removing an entry requires that the table be
recompiled, so frequent removals can increase the processing load
on the device. Because some DNS entries can have very short TTL
(as short as three seconds), you can use this setting to virtually
extend the TTL.
The default is 1 minute (that is, the entry is removed one minute
after the TTL has passed). The range is 1 to 65535 minutes.
Table 51-13 DNS Page (Continued)
Element Description
Table 51-14 Add/Edit DNS Server Group Dialog Boxes
Element Description
Name Provide a name for the group of DNS servers.
Tip The name DefaultDNS is predefined on the ASA and includes
the servers used for policies that do not allow the selection of a
specific group, such as for FQDN network/host object