https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268835#M1119929 <P>how can I tell fmc/ftd DNS resolution is working? It is configured on FMC. but DNS is NOT resolving for FQDN's or URL's. I can ssh into the cli on the ftd and ping internal and external by name.&nbsp;</P> Fri, 07 Mar 2025 22:05:35 GMT tryingtofixit 2025-03-07T22:05:35Z https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268795#M1119924 <P>I need to lock javada1.oracle.com, javadl-esd-secure.oracle.com, java.com and java.net.</P><P>Can I do this using a FQDN object and a deny access rule?&nbsp; What is the process for blocking subdomains with the ftd?&nbsp;</P> Fri, 07 Mar 2025 17:50:51 GMT https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268795#M1119924 tryingtofixit 2025-03-07T17:50:51Z https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268804#M1119925 <P>Yes, you can use FQDN objects to do this. You will need an object for each FQDN that you want to block:&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/objects-object-mgmt.html?bookSearch=true" target="_blank" rel="noopener">https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/objects-object-mgmt.html?bookSearch=true</A></P> <PRE>You can use FQDN objects in access control rules and prefilter rules, or manual NAT rules, only. <BR />The rules match the IP address obtained for the FQDN through a DNS lookup. <BR />To use an FQDN network object, ensure you have configured the DNS server settings in DNS Server Group<BR />and the DNS platform settings in DNS.</PRE> <DIV id="bodyDisplay_3" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>&nbsp;</P> <P><EM>Thank you for rating helpful posts!</EM></P> </DIV> </DIV> Fri, 07 Mar 2025 18:51:56 GMT https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268804#M1119925 nspasov 2025-03-07T18:51:56Z https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268819#M1119928 <P>thanks for the link. I have it configured as a fqdn object in block access rule. dns is enabled and working on the fmc to the ftd.&nbsp; nothing gets blocked. got any troubleshooting links ?&nbsp;</P><P>&nbsp;</P> Fri, 07 Mar 2025 20:12:54 GMT https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268819#M1119928 tryingtofixit 2025-03-07T20:12:54Z https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268835#M1119929 <P>how can I tell fmc/ftd DNS resolution is working? It is configured on FMC. but DNS is NOT resolving for FQDN's or URL's. I can ssh into the cli on the ftd and ping internal and external by name.&nbsp;</P> Fri, 07 Mar 2025 22:05:35 GMT https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268835#M1119929 tryingtofixit 2025-03-07T22:05:35Z https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268858#M1119930 <P>Can you confirm the following:</P> <OL> <LI>You have DNS objects configured: Object -&gt; Object Management -&gt; DNS Server Group</LI> <LI>DNS is configured on FTD: Devices -&gt; Platform Settings -&gt; DNS: <OL class="lia-list-style-type-lower-alpha"> <LI>Enable DNS name resolution by device</LI> <LI>DNS Server Groups contains the DNS object from above</LI> <LI>The correct interface objects are selected for DNS resolution</LI> </OL> </LI> <LI>Post the output from the following commands in the FTD cli: system support diagnostic-cli -&gt; enable: <OL class="lia-list-style-type-lower-alpha"> <LI>show run dns</LI> <LI>ping <A href="http://www.cisco.com" target="_blank">www.cisco.com</A></LI> <LI>Extended ping: ping -&gt; TCP Ping [n] -&gt; Interface [Desired interface] -&gt; Target IP address [<A href="http://www.google.com" target="_blank">www.google.com</A>] &gt; Repeat count [5] -&gt; Datagram size [100] -&gt; Timeout in seconds [2] -&gt; Extended commands [n] -&gt; Sweep range of size [n]</LI> </OL> </LI> </OL> <P><EM>Thank you for rating helpful posts!</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 07 Mar 2025 23:10:36 GMT https://community.cisco.com/t5/network-security/using-ftd-to-block-subdomains-on-the-internet/m-p/5268858#M1119930 nspasov 2025-03-07T23:10:36Z