topic Re: DNS not working from LAN and DMZ on Cisco 3105 in Network Security

DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Tue, 31 Oct 2023 04:41:49 GMT

Hello all,

None of the zones are able to resolve DNS. I can ping 8.8.8.8 from LAN and DMZ but cannot ping google.com.

The DNS policy under policies > DNS is default

DNS server group under Objects > Object Management has all the ISP provided DNS servers

DNS under Devices > Platform settings has "Enable DNS name resolution by device" enabled and the server group added to it. "Interface Objects" has all the objects added to the list.

I can ping google.com from Devices > Threat Defense CLI

How can I ensure that the the DNS works from devices in LAN and DMZ?

Thanks

Re: DNS not working from LAN and DMZ on Cisco 3105

markcummins713 — Sat, 04 Nov 2023 16:18:57 GMT

Keep in mind that troubleshooting network issues can be complex, and it's important to follow a systematic approach to isolate and resolve the problem. Be cautious when making web development changes to your network configuration, as improper adjustments can disrupt network services. If you're not confident in your ability to troubleshoot and resolve the issue, consider seeking the assistance of a network administrator or IT professional.

Re: DNS not working from LAN and DMZ on Cisco 3105

Rob Ingram — Tue, 31 Oct 2023 08:01:31 GMT

@Cisco3105 what DNS servers are the endpoint in the LAN/DMZ configured with? And is there an Access Control Policy rule to permit the endpoints to communicate with those DNS servers?

From the CLI of the FTD you can run the command system support firewall-engine-debug to filter on the endpoint IP address and confirm which firewall rule traffic is matching or if being denied.

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Tue, 31 Oct 2023 12:28:56 GMT

Hello @Rob Ingram

How do I check which DNS servers are attached to the endpoints?
I migrated the config from ASA 5545x to 3105 thus assuming that the access control policy is in place

This is not in production yet this I can keep messing with it

Re: DNS not working from LAN and DMZ on Cisco 3105

Rob Ingram — Tue, 31 Oct 2023 12:33:49 GMT

Run the command system support firewall-engine-debug to filter on the endpoint IP address and confirm which firewall rule traffic is matching or if being denied.

Or take a packet capture, filter on DNS from an endpoint IP address.

Re: DNS not working from LAN and DMZ on Cisco 3105

Marius Gunnerud — Tue, 31 Oct 2023 12:35:55 GMT

Have you configure DHCP relay under Devices -> Device Management -> Edit the FTD Device -> DHCP -> DHCPrelay. You need to configure the DHCP servers tab as well as DHCP relay agent tab.

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Tue, 31 Oct 2023 14:24:50 GMT

Hello @Marius Gunnerud

Do I need to need to enable DHCP relay for name resolution? The FTD is only handing out DHCP addresses to Anyconnect clients.

Re: DNS not working from LAN and DMZ on Cisco 3105

Marius Gunnerud — Tue, 31 Oct 2023 14:44:30 GMT

Sorry, thought I was answering a different post. Just a few thoughts:

Have you allowed the DNS traffic in the access rules?
Have you verified the DNS servers configured on the host machines?
If you do an nslookup google.com 8.8.8.8 on a host machine does this return a result (assuming that DNS is allowed towards 8.8.8.8)?

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Tue, 31 Oct 2023 14:59:58 GMT

DNS traffic is allowed in Access rule from any to any

Trusted DNS servers have been set

Nslookup works when I set the DNS to 8.8.8.8 but fails when I set it to the internal dns server

I have attached the topology for reference.

Re: DNS not working from LAN and DMZ on Cisco 3105

Marius Gunnerud — Tue, 31 Oct 2023 19:14:14 GMT

So routing is done on the nexus switch? do you have DNS snooping enabled?

are you able to lookup google.com on the DNS server itself?

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Wed, 01 Nov 2023 14:51:55 GMT

Yes, the routing is done on Nexus, DNS snooping isnt enabled. The current firewall is ASA 5545 and DNS works fine.

I am in the process of setting up an isolated network to test with the 3105, will keep you posted.

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Wed, 01 Nov 2023 22:34:21 GMT

@Rob Ingram @Marius Gunnerud

Here's the output from the packet tracker, the dns server does not get a reply but the trace logs dont show anything being blocked.

1: 20:20:21.581055 192.168.1.10.48746 > 8.8.8.8.53: udp 28 Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Elapsed time: 11296 ns Config: Additional Information: MAC Access list Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Elapsed time: 11296 ns Config: Implicit Rule Additional Information: MAC Access list Phase: 3 Type: INPUT-ROUTE-LOOKUP Subtype: Resolve Egress Interface Result: ALLOW Elapsed time: 3530 ns Config: Additional Information: Found next-hop 38.140.221.81 using egress ifc wan(vrfid:0) Phase: 4 Type: OBJECT_GROUP_SEARCH Subtype: Result: ALLOW Elapsed time: 0 ns Config: Additional Information: Source Object Group Match Count: 4 Destination Object Group Match Count: 1 Object Group Search: 0 Phase: 5 Type: ACCESS-LIST Subtype: log Result: ALLOW Elapsed time: 0 ns Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit udp object-group DNSServers any object-group DNS_over_UDP rule-id 268436488 access-list CSM_FW_ACL_ remark rule-id 268436488: ACCESS POLICY: FTD-Mig-ACP-1694711294 - Mandatory access-list CSM_FW_ACL_ remark rule-id 268436488: L7 RULE: Allow-From-DNS-Servers object-group network DNSServers(hitcnt=1392, id=4026531841) network-object object DNSServer2(hitcnt=22) network-object object DNSServer1(hitcnt=1370) network-object object DNSServer3(hitcnt=0) object-group service DNS_over_UDP udp port-object eq domain Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Phase: 6 Type: CONN-SETTINGS Subtype: Result: ALLOW Elapsed time: 0 ns Config: class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global Additional Information: Phase: 7 Type: NAT Subtype: per-session Result: ALLOW Elapsed time: 0 ns Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Elapsed time: 0 ns Config: Additional Information: Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Elapsed time: 9178 ns Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect dns preset_dns_map service-policy global_policy global Additional Information: Phase: 10 Type: NAT Subtype: per-session Result: ALLOW Elapsed time: 7766 ns Config: Additional Information: Phase: 11 Type: IP-OPTIONS Subtype: Result: ALLOW Elapsed time: 0 ns Config: Additional Information: Phase: 12 Type: FLOW-CREATION Subtype: Result: ALLOW Elapsed time: 4236 ns Config: Additional Information: New flow created with id 1229380, packet dispatched to next module Phase: 13 Type: EXTERNAL-INSPECT Subtype: Result: ALLOW Elapsed time: 6354 ns Config: Additional Information: Application: 'SNORT Inspect' Phase: 14 Type: SNORT Subtype: appid Result: ALLOW Elapsed time: 83433 ns Config: Additional Information: service: DNS(617), client: DNS(617), payload: (0), misc: (0) Phase: 15 Type: SNORT Subtype: SI-DNS Result: ALLOW Elapsed time: 8091 ns Config: DNS policy 862867808, Allow Additional Information: Matched domain google.com, action Allow Phase: 16 Type: SNORT Subtype: firewall Result: ALLOW Elapsed time: 32306 ns Config: Network 0, Inspection 0, Detection 0, Rule ID 268436488 Additional Information: Starting rule matching, zone 1 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, urls , hosts google.com, no xff Matched rule ids 268436488 - Allow Phase: 17 Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP Subtype: Resolve Preferred Egress interface Result: ALLOW Elapsed time: 2824 ns Config: Additional Information: Found next-hop 38.140.221.81 using egress ifc wan(vrfid:0) Phase: 18 Type: ADJACENCY-LOOKUP Subtype: Resolve Nexthop IP address to MAC Result: ALLOW Elapsed time: 353 ns Config: Additional Information: Found adjacency entry for Next-hop 38.140.221.81 on interface wan Adjacency :Active MAC address e0ac.f127.b0ae hits 203 reference 29 Result: input-interface: lan(vrfid:0) input-status: up input-line-status: up output-interface: wan(vrfid:0) output-status: up output-line-status: up Action: allow Time Taken: 180663 ns

Re: DNS not working from LAN and DMZ on Cisco 3105

Marius Gunnerud — Wed, 01 Nov 2023 22:57:42 GMT

is the WAN interface the correct interface for reaching the internet? I see no NAT being implemented on the traffic in the packet-tracer output.
are there any other firewalls in the path between the FTD and internet?

set up a capture on both the lan and wan interfaces for this traffic and then see if you see both requests and replies in the output.

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Thu, 02 Nov 2023 18:52:01 GMT

The test I conducted today

1. The DMZ interface IP on the FTD is 10.11.11.1/24 and a computer in the zone is 10.11.11.2/24. I ran nslookup google.com 8.8.8.8 and got a reply

2. The LAN interface IP on the FTD is 10.10.10.9/30 and the nexus switch is directly connected to the FTD with the IP 10.10.10.10/30. The actual LAN subnet inside the office is 192.168.1.0/24

The computer IP address is 192.168.1.100. I ran nslookup google.com 8.8.8.8 and got request timed out error

Re: DNS not working from LAN and DMZ on Cisco 3105

Herald Sison — Thu, 02 Nov 2023 20:42:15 GMT

Have you added a static route in your FTD from nexus to FTD?

like this route LAN 192.168.1.0 255.255.255.0 10.10.10.10 1

how about your NAT?

Re: DNS not working from LAN and DMZ on Cisco 3105

MHM Cisco World — Sat, 04 Nov 2023 16:30:24 GMT

from Nexus do traceroute check if the packet hit FTD or not ?

Thanks A Lot
MHM

Re: DNS not working from LAN and DMZ on Cisco 3105

Cisco3105 — Mon, 06 Nov 2023 14:52:34 GMT

@Marius Gunnerud

The migration ignored a few NAT rules and that caused the issue. I did thorough check between the ASA and the FTD and found the missing NAT rules. Added them to the FTD and name resolution started working.