Solved: Re: DNS configuration on FTD

varrao · ‎10-19-2020

Hi All,

I am working on Cisco FTD which are managed by FMC. I ahve conifgured the DNS group:

I did an nslookup from the firewall but the firewall doesnt seem to resolve google.com

I ahve route pointing towards the inside interface for 10.0.0.0/8 subnet, and my DNS server also falls under this subnet but it is reachable through the mgmt interface only.

Now on other vendors I can create a service route for the management interface, but doesnt seem to eb possible for this FTD.

How can I add a management route on the FTD to send this destination dns server traffic out from the menagement interface?

Thanks,

Varun

Thanks,
Varun Rao

Marvin Rhoads · ‎10-21-2020

The DNS servers you configure in the GUI as you shared in your earlier screenshot are for doing DNS lookups for policy-related actions (e.g if there is an access-control policy entry with a FQDN object or similar).

The DNS server you configure via the management cli is only used for management purposes, not for the data plane or enforcemnt of traffic through it.

View solution in original post

varrao · ‎10-19-2020

Thanks,
Varun Rao

Mohammed al Baqari · ‎10-19-2020

Hi,

You have to enable dns lookup under the interface configuration to be able
to perform lookups on the firewall. If the route points to inside, then you
need to enable dns lookup on the inside.

In the same screenshot, just add the inside interface

**** please remember to rate useful posts

varrao · ‎10-19-2020

HI Mohammad,

The DNS server is reachable through Management interface only, i want the lookup to happen through mgmt interface, what do I need to do in that case?

Thanks,
Varun Rao

Mohammed al Baqari · ‎10-19-2020

Understood, in this case you need to create a data interface in the same
subnet as mgmt and use it to perform lookups. Till the latest version (6.6)
FTD doesn't support lookup through mgmt interface.

**** please remember to rate useful posts

Marius Gunnerud · ‎10-20-2020

You can configure the DNS servers for management interface from the command line (CLI) by using the following command (change dns server IP as needed):

configure network dns server 8.8.8.8

verify using the show network command.

--
Please remember to select a correct answer and rate helpful posts

Marvin Rhoads · ‎10-21-2020

The DNS servers you configure in the GUI as you shared in your earlier screenshot are for doing DNS lookups for policy-related actions (e.g if there is an access-control policy entry with a FQDN object or similar).

The DNS server you configure via the management cli is only used for management purposes, not for the data plane or enforcemnt of traffic through it.

tiwang · ‎12-19-2023

hi Marvin

If the Interface is not avalibly from the dropdown there what is the cause for this?

we have 6 FP2110 FTD's running (12 - 6 in HA mode) - vers. 6.6.1 - 6.6.5 and 7.0.0 - which is managed from a FMC on 7.0.0

we have a common device policy for them where we assign the DNS settings trough - but DNS for fqdn in the ACE's doesnt resolve. When i do a DNS debug i get "DNS: DNS not enabled for interface "

Can you guide me to the cause for this?