topic Re: Enable public DNS on Cisco ASA 5516-X in Network Security

Enable public DNS on Cisco ASA 5516-X

Rebecca NMB — Mon, 15 Aug 2022 15:03:41 GMT

Hi all

I'm inexperienced with networking/firewall/DNS, so please forgive me if I use the incorrect terms or if I don't make too much sense.

I work in a very small IT department and have been thrown in to managing the firewall.

I've found an error where we get 'user identity: DNS lookup for 'FQDN' failed, reason:Timeout or unresolvable'

I think this may be because we need to add a public DNS address and possibly enable DNS Lookup for more interfaces.

Would this be right?

Re: Enable public DNS on Cisco ASA 5516-X

MHM Cisco World — Mon, 15 Aug 2022 16:14:16 GMT

https://www.petenetlive.com/KB/Article/0000969

check this link

Re: Enable public DNS on Cisco ASA 5516-X

Marius Gunnerud — Tue, 16 Aug 2022 06:03:27 GMT

What is the site that you are unable to resolve? and where does your current DNS configuration point to? If you log onto this DNS server is it able to resolve the FQDN that you are having issues with?

Adding more DNS entries to the ASA will not help much as it uses a top down first match logic, so if the first IP in the list of DNS servers is reachable it will chose that DNS server. A better solution would be to identify why your current DNS server is not able to resolve the FQDN and fix that problem on the DNS server.

Re: Enable public DNS on Cisco ASA 5516-X

Jitendra Kumar — Tue, 16 Aug 2022 10:34:12 GMT

it's an object in the asa that's mapped to a FQDN that is unresovleable...

object network FQDN_sitename.xxx
fqdn v4 sitename.xxx

if that object is in an access rule, the asa will query the site over and over and over and over.

need to remove the access rule and most likely the object...

Re: Enable public DNS on Cisco ASA 5516-X

Marius Gunnerud — Tue, 16 Aug 2022 11:15:07 GMT

What is your DNS configuration on your ASA? Does it point to an internal DNS server?

Re: Enable public DNS on Cisco ASA 5516-X

Jitendra Kumar — Tue, 16 Aug 2022 12:22:37 GMT

Below is the DNS Config documents.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/basic-hostname-pw.html#task_3793C1E2CFEF4596857438816F4EF252

https://www.youtube.com/watch?v=ec2GIe90dkw

Re: Enable public DNS on Cisco ASA 5516-X

Rebecca NMB — Tue, 16 Aug 2022 14:40:06 GMT

Thank you for your replies.

We are trying to reach public.dhe.ibm.com.

The DNS configured is our internal DNS server. I can't ping public.dhe.idm.com or it's ip address from the server.

Re: Enable public DNS on Cisco ASA 5516-X

Marius Gunnerud — Wed, 17 Aug 2022 06:47:20 GMT

Are you running ASA or FTD code on your ASA5516-X?

on the ASA's CLI issue the command show run dns and post the output here.

Go to the DNS server and open a command prompt and issue the command nslookup public.dhe.ibm.com and post the output here. If it does not return an IP for domain and your ASA does DNS lookup to that DNS server, then that is the problem. Either the ASA will need to use a different DNS server or you will need to add a DNS forwarder for the public.dhe.ibm.com domain.