https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/3408388#M926069 <P>Did you ever figure this out? I am having trouble even disabling inspection of DNS. Did you use the flexconfig to disable inspection?</P> Sat, 30 Jun 2018 14:25:39 GMT nathan40 2018-06-30T14:25:39Z https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/3314748#M926068 <P>To all:</P> <P>&nbsp;</P> <P>I am trying to configure FMC/FTD to use my clients internal DNS servers for guest wireless.&nbsp; The interface for the guest wireless hangs off the FTD appliance and I have the policy built in FMC to allow DNS traffic from the guest wireless network inbound and vice versa.&nbsp; However, in the one location, they must have DNS inspection for one NAT statement that requires DNS doctoring.&nbsp; If I disable DNS inspection, they can reach the internal DNS servers.&nbsp; Otherwise, it fails with the following drop-reason:</P> <P>&nbsp;</P> <P>&nbsp;(inspect-dns-invalid-pak) DNS Inspect invalid packet</P> <P>&nbsp;</P> <P>I can't figure out how to get around this problem in FTD.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>TIA for any ideas,</P> <P>&nbsp;</P> <P>Dan</P> Sat, 22 Feb 2020 07:35:08 GMT https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/3314748#M926068 deyster94 2020-02-22T07:35:08Z https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/3408388#M926069 <P>Did you ever figure this out? I am having trouble even disabling inspection of DNS. Did you use the flexconfig to disable inspection?</P> Sat, 30 Jun 2018 14:25:39 GMT https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/3408388#M926069 nathan40 2018-06-30T14:25:39Z https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/4296639#M1078756 <P>I am not sure if this still a problem, but have you looked at creating a FlexConfig to not inspect DNS traffic? If this what you are after?</P><P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-advanced.html#concept_53C22C306B57480D99DB905E90D5FDC9" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/623/fdm/fptd-fdm-config-guide-623/fptd-fdm-advanced.html#concept_53C22C306B57480D99DB905E90D5FDC9</A></P><P>We are looking at doing something similar for Cisco Umbrella as DNS traffic cannot be inspected due to encryption to the Cisco Umbrella Cloud.</P><P>&nbsp;</P> Wed, 24 Feb 2021 03:42:16 GMT https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/4296639#M1078756 WeedyNaana2308 2021-02-24T03:42:16Z https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/4515256#M1085608 <P>Did the flexconfig resolve your encrypted DNS traffic to Umbrella issue?</P> Wed, 08 Dec 2021 15:18:55 GMT https://community.cisco.com/t5/network-security/fmc-ftd-dns-inspection-issues/m-p/4515256#M1085608 Jack G 2021-12-08T15:18:55Z