Hi
I have a group of dynamic objects defined by FQDN in multiple ASA 5506/8-X.
Somehow after upgrading ASA software from version 9.6(1) to anything later, the DNS resolver fails.
Same config, nothing changed.
My remote sites are doing IKEv2 site-to-site to HQ, with all RFC1918 addresses in crypto map acl.
Current ASA version, where this is failing: 9.8(1)
DNS config/status:
FW# sh run dns
dns domain-lookup inside
DNS server-group DefaultDNS
name-server x.y.z.w inside
name-server x.y.z.q inside
domain-name dom.local
FW# sh dns
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
Name: host.domain.tld (unable to resolve)
DNS servers are pingable sourcing the inside interface OK.
Anyone seeing the same issue?
Do you have a solution or workaround?
If I downgrade to ASA 9.6(1), DNS resolution starts working immediately.
Kind regards
Thomas Winther