Cisco ASA 5520 Blocking Specific URL

Cash2106
Level 1

Hi there, dear members,

I am using a Cisco ASA 5520 firewall in my company. I am using an ACL to block some specific traffic for some clients, which is working fine.

Now I want to block specific websites through ASDM. Can anyone help me with how I can do that in Cisco ASDM? I will be really grateful to all of you.

26 Replies

I tested this in my lab.
!
 dns server-group TESTING
 name-server 8.8.8.8
 domain-name TESTING
!
ping facebook.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 157.240.29.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 180/186/200 ms

 

 

@Cash2106 here, this link will help you to understand blocking with ASA objects using FQDN.

Please do not forget to rate.

I did these steps, added the DNS group and all the other required things, but I am getting the invalid hostname error while pinging.

 

ciscoasa(config)# dns server-group DNS
ciscoasa(config-dns-server-group)# name-server 8.8.8.8
ciscoasa(config-dns-server-group)# domain-name DNS
ciscoasa(config-dns-server-group)# exit
ciscoasa# ping facebook.com
^
ERROR: % Invalid Hostname
ciscoasa#

You are missing

domain-name TESTING
Please do not forget to rate.

domain-name facebook.com

This is your company's local domain, whatever it is.

 

On the ASA, make sure you have rules allowing access to Google DNS 8.8.8.8.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ASA traditional URL blocking is not robust. Why don't you use the ASA with a FirePOWER module and take advantage of Layer 7 traffic inspection and URL filtering? However, having said that, you need to buy the FirePOWER subscription. By doing this you will have more control over your network.

Please do not forget to rate.

@Sheraz.Salim thanks for your concern. Currently I am using the Cisco 5520, which is an end-of-life firewall, and this also shows the budget situation of my company; they would never spend more on this, so this is the reason I am looking for this URL blocking solution.

@Cash2106 yes, I was blind and did not notice that you are using the 5520, my bad. Oh yes, I can understand the budget at management level.

Please do not forget to rate.

Cash2106
Level 1

Both of your concerns are really appreciated.

But both of your instructions are confusing me and have mixed everything up: first it was about the DNS setup and now it comes to the ACL, which is making me really confused.

I will leave this thing because I am not getting what exactly I am doing and what the proper way to do it is. Thanks to both of you ....

The concept is simple; try to understand it and make it easy (different people or engineers have different views, so they share their views and experience).

1. For the ASA to work with FQDN,

2. you need your DNS to work.

3. So make sure that from the ASA you are able to resolve the DNS entries for the domain you are looking to block.

4. So the ASA should be able to ping facebook.com before you make any ACL.

Here are the steps:

https://www.petenetlive.com/KB/Article/0000969

Hope it is clear up to this point.

5. Once DNS can resolve facebook.com, then start to apply the FQDN ACL.

As suggested, this is not the best way for that model and ASA code, but it is close to what you are looking for.

Hope this makes sense?

 

BB


@balaji.bandi yes, everyone has different views, and I am not saying anyone is wrong; actually I appreciate both of your concern and the time you are spending here to make me understand.

Yes, the thing you mentioned is clear now, and I will look into this. But what about the ACL you are talking about ("on the ASA make sure you have allowed rules to access Google DNS 8.8.8.8")? I have already created an ACL which blocks the traffic for specific users hitting Facebook, but I don't have such an ACL as you mentioned.

Can you tell me how I can do that as well?

@balaji.bandi yayyyyyy man .... you did it

 

ciscoasa# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.21.105, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 250/250/250 ms
ciscoasa# ping www.facebook.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 157.240.1.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 240/246/250 ms
ciscoasa# wr
Building configuration...

 

It's working now...

At first I was doing the dns-lookup command on the inside interface and it didn't work, but this time I have done it with outside, and now it's working.

But now my concern is to ask about the ACL ("on the ASA make sure you have allowed rules to access Google DNS 8.8.8.8") you mentioned earlier. Do I have to create the ACL? How can I do that? What will be the source, destination, service and interface? :$ !!! Please...

Since you were not able to resolve DNS via 8.8.8.8, I advised that; now you are able to resolve DNS.

So focus on your ACL for the FQDN you want to block; many examples are provided in all the posts from the beginning. Spend 5 minutes understanding that ACL and apply it.

If it is still not working, post the complete show run. (You can also use Packet Tracer to check whether this is blocking or not, if you are using ASDM.)

 

BB

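Pulling the thread's steps together (DNS resolution from the ASA, FQDN objects, then the ACL), here is an added example configuration; it is not from the thread, the linked article or Cisco, and the interface names, the example.local domain and the 10.10.10.x client addresses are assumptions. It assumes ASA 8.4(2) or later, where FQDN network objects exist.

```cisco
! Added example, not from the thread. Assumes ASA 8.4(2)+ (FQDN network
! objects), interfaces named inside/outside, constructed client addresses
! 10.10.10.25-26 and a constructed local domain example.local.
!
! 1. DNS: the ASA itself must resolve names. Lookups leave through the
!    interface that can reach the resolver (outside here, as the poster found).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name example.local
!
! 2. FQDN objects: the ASA resolves these itself and keeps the addresses
!    it received; the ACL below matches those addresses, not the name.
object network FB-WWW
 fqdn v4 www.facebook.com
object network FB-ROOT
 fqdn v4 facebook.com
object-group network BLOCKED-SITES
 network-object object FB-WWW
 network-object object FB-ROOT
!
! 3. The clients that should be restricted.
object-group network RESTRICTED-USERS
 network-object host 10.10.10.25
 network-object host 10.10.10.26
!
! 4. Inside interface ACL: let clients reach the resolver, deny the
!    restricted users the resolved addresses, then allow everything else.
access-list INSIDE_IN extended permit udp any host 8.8.8.8 eq domain
access-list INSIDE_IN extended deny ip object-group RESTRICTED-USERS object-group BLOCKED-SITES
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! 5. Verify: name resolution from the ASA, the cached addresses, and a
!    simulated client flow to the address the poster's ping returned.
ping www.facebook.com
show dns-hosts
packet-tracer input inside tcp 10.10.10.25 40000 157.240.1.35 443
```

The deny line only covers the addresses the ASA itself resolved; a client that resolves the same name to a different address is not blocked, which is why the thread calls this approach not robust on this platform.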