topic Re: Firepower-DNS Not Resolving in Network Security

Firepower-DNS Not Resolving

SecurityJumbo — Sat, 06 May 2023 19:11:12 GMT

I have a FMC and HA FTD on HA mode version 7.3.1for both. The DNs server is connected via INSIDE interface only. The Firepower can ping the DNS server as shown below, but the DNS is failed. I configured the DNS and domainsearch. The DNS is not resolving through the INSIDE or OUTSIDE interfaces. The DNS is only resolving through the management interface when I use "ping system xxx" command. I believe there is something else I'm missing. Please can you check and let me know what you think.

ping 192.168.10.5
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
>
> ping lab.local

ping lab.local
^
ERROR: % Invalid Hostname
>
>
> ping cisco.com
Please use 'CTRL+C' to cancel/abort...

ping cisco.com
^
ERROR: % Invalid Hostname
>
> ping system cisco.com
PING cisco.com (72.163.4.185) 56(84) bytes of data.
64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=1 ttl=238 time=21.4 ms
^C64 bytes from 72.163.4.185: icmp_seq=2 ttl=238 time=12.8 ms

--- cisco.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5054ms
rtt min/avg/max/mdev = 12.811/17.087/21.363/4.276 ms
>
>
> show dns system
search lab.local
nameserver 192.168.10.5
nameserver 8.8.8.8
nameserver 2603:8080:6100:2984::1

>
> show network
===============[ System Information ]===============
Hostname : FTD1
Domains : lab.local
DNS Servers : 192.168.10.5
8.8.8.8
2603:8080:6100:2984::1
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1

======================[ eth0 ]======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 50:00:00:11:00:00
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.201
Netmask : 255.255.255.0
Gateway : 192.168.1.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled

Re: Firepower-DNS Not Resolving

MHM Cisco World — Sat, 06 May 2023 19:32:42 GMT

ping cisco.com but there is default domain lab.local

Ping cisco whiutout add domain

Re: Firepower-DNS Not Resolving

SecurityJumbo — Sun, 07 May 2023 18:02:01 GMT

@MHM Cisco World Not sure what you mean. The DNS is not resolving neither to the internal network or external network. I can ping any address through the data interfaces.

But the DNS is not working through the data interfaces (INSIDE or OUTSIDE). It is only working through the Management interface when I do (ping system www.google.com) or (ping system lab.local)

Re: Firepower-DNS Not Resolving

MHM Cisco World — Sun, 07 May 2023 18:20:31 GMT

Dns in firepower points

1-Firepower not support dns internal server (as I know until now)

2-firepower support dns through mgmt for update and license

3-firepower support dns through IN or Out for any acl use fqdn or remote access.

That I hope answer you

Thanks

MHM

Re: Firepower-DNS Not Resolving

brettp — Thu, 05 Dec 2024 16:30:26 GMT

Did you get an answer on this? I am experiencing a similar if not the same thing. I had DNS servers configured on the inside interface that were working without issue. I upgraded FMC only to 7.4.2 and now DNS resolution doesn't work on the FTDs. I checked the running-config and it wiped the DNS servers I had configured off the inside interface. I checked FMC, and my DNS Server Group is still configured with IPs and that group is configured in Platform Settings... So... it's configured, but not configured. I open a case with TAC but still waiting to hear back. Just wondering if you had any progress.

Re: Firepower-DNS Not Resolving

brettp — Thu, 05 Dec 2024 18:39:56 GMT

You're issue may or may not be the same as mine, but I ultimately fixed it, so I figured I'd post my fix in case anyone else finds this post with a similar situation. FMC was showing my DNS Server Group as good. My DNS Settings in Platform Settings as good. But DNS wasn't resolving. I checked the running-config via diagnostic CLI and noticed that, even the DNS was configured in FMC and supposed deployed, the config was NOT on the FTDs. I first tried removing a DNS server from the group, to initiate a change, but FMC did not see any changes to deploy. I then deleted the DNS Server Group in DNS Platform Settings and simply re-added it. I was then able to deploy the DNS settings, which then appear in the running-config.

Re: Firepower-DNS Not Resolving

allen.steckling — Fri, 10 Jan 2025 17:50:21 GMT

Can confirm thsi problem and fix as I experienced the same upgrading from 7.2.7 to 7.2.9

Re: Firepower-DNS Not Resolving

Michael Bartholomæussen — Fri, 10 Oct 2025 08:44:46 GMT

We saw this issue while updating to 7.4.2.1 -> 7.6.2 (1k series) AND 7.6.2 -> 7.6.2.1 (3k series) - after the upgrade the firewall didn't resolve FQDN for ACPs ACEs. To resolve it we did the following via the CLI, "clear dns", then "dns update".

I found the bug https://bst.cisco.com/bugsearch/bug/CSCwm92310