Re: ASA DNS is not resolving FQDNs

Enacisco · ‎08-01-2021

Hi,

I have ASA5506 running version 9.8(1). I'm trying to use FQDN that I configured in a network object in my ACL to allow a traffic to that FQDN but my ASA kept blocking the traffic, If I resolve the FQDN and use the IP addresses it resolves to it works fine, that tells me my ASA is not resolving the FQDN. my ASA is pointing to an internal DNS server that is able to resolve the FQDN.

please see attachments.

marce1000 · ‎08-01-2021

- You may find this document useful :

https://community.cisco.com/t5/security-documents/using-hostnames-dns-in-access-lists-configuration-steps-caveats/ta-p/3123480

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

balaji.bandi · ‎08-02-2021

172.28.4.102/106 - where is this IP address in the network ? do you have ASA reachability and have ACL for port 53 to connect this DNS Servers ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Enacisco · ‎08-02-2021

HI Balaji.bandi,

Yes I have ASA reachability to the server and I have ACL rule to allow DNS traffic. If I nslookup from a server behind the firewall the DNS traffic goes though to the DNS server and it resolves fine, but if I try to resolve it from the ASA itself it does not.

balaji.bandi · ‎08-03-2021

We need to look at the config, also check from command level is this working ?

Note : we see interface on the config corp - is this reachable to DNS ? you may have inside or outside reachable ? check the interface is correct ?

if possible post show run

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Enacisco · ‎08-13-2021

Hi,

Sorry for the delay.

talking reachability, the ASA can access the DNS server and the DNS server can reach the firewall. To narrow down the issue here my ASA can ping 8.8.8.8 but cant ping google.com that tells me the reachability and ACL are all in place. please see below config

Result of the command: "sh interface corp"

Interface BVI1 "Corp", is up, line protocol is up
MAC address N/A, MTU 1500
IP address 172.28.4.50, subnet mask 255.255.240.0
Traffic Statistics for BVI1:
0 packets input, 0 bytes
2010877 packets output, 139753656 bytes
9577117 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 18 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 22 bytes/sec
5 minute drop rate, 0 pkts/sec

Result of the command: "sh run dns"

dns domain-lookup ICS
dns domain-lookup Corp
DNS server-group DefaultDNS
name-server 172.28.4.102 Corp
name-server 172.28.4.106 Corp
domain-name domain.corp

Result of the command: "ping 172.28.4.102"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.4.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Result of the command: "ping googl.com"

ping googl.com
^
ERROR: % Invalid Hostname

Result of the command: "sh dns host google.com"

Name: google.com (unable to resolve)

Result of the command: "sh dns"

Name: google.com (unable to resolve)