topic FirePOWER FTD/FMC as DNS Internal DNS Server in Network Security

FirePOWER FTD/FMC as DNS Internal DNS Server

Fantas — Thu, 12 Mar 2020 21:22:57 GMT

Hi,

I want to setup our FTD or FMC as as Internal DNS server for public URLs. I want if anyone wana use internet and wana access any public site and dns need to be resolved internally through FirePOWER FTD or FMC.

Any suggestions please.

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

Sheraz.Salim — Thu, 12 Mar 2020 21:43:30 GMT

At the clish prompt in cli:, Note: You can enter multiple servers separated by commas.

> configure network dns servers 8.8.8.8,8.8.4.4

But you also need to restart the nscd daemon in the underlying linux, to do that you need to get into ‘expert mode’.

> expert

admin@FIRE:~$ sudo /etc/rc.d/init.d/nscd restart

Password:{Enter Your Password}

Stopping nscd… [ OK ]

Starting nscd… [ OK ]

check this link here

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

Fantas — Thu, 12 Mar 2020 22:50:36 GMT

thanks so its not impacting anything when restarting internal process for dns.

so you means in this case ftd will act as internal dns server for internal users.

what ip client need to use as dns server , is this FTD inside ip address

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

Sheraz.Salim — Sat, 14 Mar 2020 11:11:35 GMT

Hi I have test this in my lab. here what you need to do. while i was making the changes i did not any impact/down time.

once the setting are setup Deploy the policy.

once policys are deployed you can check your configuration in FTD lina_cli

once changes are applied go to FTD cli/ssh and


dns domain-lookup Inside_Interface
dns server-group OpenDNS_cdyz5_local_domain
name-server 192.168.100.72
name-server 208.67.220.220
dns-group OpenDNS_cdyz5_local_domain

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

Fantas — Tue, 31 Mar 2020 07:13:54 GMT

Thanks.

I will deploy and share results

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

christianh98114 — Sat, 10 Jul 2021 03:44:07 GMT

This answer explicitly points to another DNS server (I believe) instead of running a DNS server on the Firepower itself like OP is asking. Bumping for visibility as I'm having the same issue and I don't believe this answer adequately suits OPs question.

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

Marvin Rhoads — Sat, 10 Jul 2021 07:41:14 GMT

Neither the FMC server or FTD sensor can act as a DNS server itself.

They can be configured to use internal or external DNS servers for resolution of names they have to know for their internal operations (as in for updates, URL lookups, use of FQDNs in ACLs etc.)

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

christianh98114 — Sun, 01 Aug 2021 20:49:31 GMT

Thanks for this answer!

Quick Question and I promise it's the last;

In the underlying expert mode, there appears to be a copy of dnsmasq installed. Could this potentially be used as a hacky solution to an on-box DNS / DHCP solution? Obviously not ideal and security-wise, this would be a nightmare, but in theory, could it work?

Re: FirePOWER FTD/FMC as DNS Internal DNS Server

Marvin Rhoads — Mon, 02 Aug 2021 02:44:58 GMT

@christianh98114 Well if you follow that approach then you could just install bind on the underlying Linux. But the configuration of the OS under FMC is not designed to be a general purpose server platform. Upgrades or even patches to FMC could likely break anything you setup or, worse, what you setup could cause unexpected behavior on your FMC.