We are having some strange/intermittent DNS issues at some of our remote sites. We have Cisco ASA 5505s connecting to a PIX 515e (replacing soon) at our main site via an IPSec tunnel. The ASAs at the remote sites are running DHCP and are set to give out one of our internal DNS servers as well as an external DNS server (8.8.8.8) in case the VPN goes down.
The issue I have is that the client PCs sometimes seem to skip over the internal server and use the external server to resolve addresses, and then our clients can't get to some of our internal websites. Whenever I connect to a client having problems, if I do an nslookup it uses the correct internal server and resolves fine, but when I immediately ping it cannot resolve. If I go into the adapter settings and manually set the DNS servers to use both our inside servers it then works. If I add the external server as a third server using the advanced settings it still works.
Is it possible my internal server is taking too long to respond? We do get pings as high as 75-125ms at the remote sites sometimes; I'm not sure what exactly causes the computer to use the secondary DNS server. This is seemingly random: one client will behave this way while the others at the site work fine. Putting the address in the client's hosts file fixes the problem, but if that's the only solution I might as well just have the users connect using the IP instead of the FQDN. Any ideas?
tl;dr Clients at remote sites randomly seem to be using the secondary DNS server instead of the primary.
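As an added example (not from the original post), a small diagnostic that sends the same A query directly to each DNS server the DHCP scope hands out and times the reply, so a slow or unanswered internal server can be seen next to the NXDOMAIN that a public resolver returns for an internal name. It uses only the standard library; the internal server address and the FQDN are placeholders.

```python
import socket
import struct
import time

# Constructed resolver list in the order DHCP hands it out: internal first, 8.8.8.8 second.
# 10.0.0.10 is a hypothetical internal DNS server; the FQDN below is also hypothetical.
SERVERS = ["10.0.0.10", "8.8.8.8"]
NAME = "intranet.example.internal"

def build_query(name, txid=0x1234):
    """Build a plain recursive A query: 12-byte RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count) from a response header, or None if it is not our reply.
    rcode 0 is NOERROR, 3 is NXDOMAIN (what a public resolver says about an internal name)."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or QR bit not set
        return None
    return flags & 0x000F, an

def probe(server, name, timeout=2.0):
    """Query one server directly over UDP and time the round trip.
    Returns (milliseconds, rcode, answers); (None, None, None) if no reply within timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None, None, None
    finally:
        sock.close()
    elapsed_ms = (time.monotonic() - start) * 1000
    parsed = parse_response(data)
    return (elapsed_ms, None, None) if parsed is None else (elapsed_ms,) + parsed

def probe_all(servers, name):
    """Probe every configured server so latency and answers can be compared side by side."""
    return {srv: probe(srv, name) for srv in servers}

if __name__ == "__main__":
    for srv, (ms, rcode, answers) in probe_all(SERVERS, NAME).items():
        if ms is None:
            print(f"{srv}: no reply within timeout")
        else:
            print(f"{srv}: {ms:.0f} ms, rcode={rcode}, answers={answers}")
```

Run it from an affected client a few times in a row; a primary that sometimes times out or answers far slower than the public server is the pattern that makes the stub resolver fall through to the next entry.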