Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4430
Views
10
Helpful
7
Replies

DNS lookups failing for FQDNs

Go to solution
Warren Sullivan - Corp
Level 1
Level 1

‎05-11-2020 02:23 AM

Hi All,

 

I have FMC managing an FTD HA Pair that are not connected on any data interface until migration, they are obviously up on their respective management interfaces, they are living on 4110 Chassis, I am in the final few weeks until migration and have notice that no FQDNs are not resolving to IPs.

 

I have been looking at this for reference - https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214698-understand-fqdn-feature-on-firepower-thr.html

 

This is what we have setup;

 

DNS Server group under objects;

 

2020-05-11 18_46_45-10.10.120.100 - Remote Desktop Connection.png

 

DNS setup for FTDs in Platform policy - this is applied to the HA Pair

2020-05-11 18_45_22-10.10.120.100 - Remote Desktop Connection.png

 

but i cannot resolve from FTD;

2020-05-11 19_19_48-10.10.120.100 - Remote Desktop Connection.png

 

Any ideas?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Warren Sullivan - Corp

‎05-11-2020 04:05 AM

I've just tested in my lab on FTD 6.5, mirroring your scenario and configuration. When the inside data interface is unplugged, no DNS names are resolved. Only when connecting the inside data interface are the FQDNs resolved by DNS. A packet capture confirms that the source was the inside data interface IP address.

I had the tick box enabled for "Enable DNS lookup via diagnostic interface also". With the inside data interface unplugged no DNS requests were received from the diagnostics interface, regardless of whether I assigned an IP address to the diagnostics interface.

What version of FTD are you running?

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎05-11-2020 02:34 AM

Hi,
By the looks of your 2nd screenshot, the DNS request will be reached from the "Inside-Zone" which would be your data interface, which are currently not connected? So therefore the DNS request does not come from the mgmt interface.

HTH

Go to solution
Warren Sullivan - Corp
Level 1
Level 1
In response to Rob Ingram

‎05-11-2020 02:39 AM

Hi RJI,

So are you saying that the diag interface is not the FTDs management interface?
0 Helpful

Go to solution
Warren Sullivan - Corp
Level 1
Level 1

‎05-11-2020 03:07 AM

Another interesting thing to note, i can't seem to ping one of the DNS servers via the management interface from LINA, is this normal?

2020-05-11 19_58_06-Clipboard.png

 

but if i drop back to FTD....then i can perform a lookup

2020-05-11 20_06_46-10.10.120.100 - Remote Desktop Connection.png

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Warren Sullivan - Corp

‎05-11-2020 04:05 AM

I've just tested in my lab on FTD 6.5, mirroring your scenario and configuration. When the inside data interface is unplugged, no DNS names are resolved. Only when connecting the inside data interface are the FQDNs resolved by DNS. A packet capture confirms that the source was the inside data interface IP address.

I had the tick box enabled for "Enable DNS lookup via diagnostic interface also". With the inside data interface unplugged no DNS requests were received from the diagnostics interface, regardless of whether I assigned an IP address to the diagnostics interface.

What version of FTD are you running?
0 Helpful

Go to solution
Warren Sullivan - Corp
Level 1
Level 1
In response to Rob Ingram

‎05-11-2020 05:11 AM

Hey RJI,

 

We are running 6.6.0

 

thanks for the confirmation, that's disappointing that you cant configure it to use the management interface, but i suppose the management interface could be overwhelmed in extreme circumstances.....

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Warren Sullivan - Corp

‎05-11-2020 05:59 AM - edited ‎05-11-2020 06:07 AM

The management interface can do DNS lookups for management purposes only if there is a name server configured and a route to it (either set during the initial bootstrap or later as a "management-only" route).

Note that DNS configuration for management will never be used for traffic via the data interfaces.

> show version 
---------[ vftd-new.ccielab.mrneteng.com ]----------
Model                     : Cisco Firepower Threat Defense for VMWare (75) Version 6.6.0 (Build 90)
UUID                      : 69c94e8a-92d2-11e7-b4ad-db36033706e7
Rules update version      : 2020-05-06-001-vrt
VDB version               : 333
----------------------------------------------------

> 
> show interface | include line
Interface GigabitEthernet0/0 "Inside-Lab", is administratively down, line protocol is up
Interface GigabitEthernet0/1 "Outside-Home", is administratively down, line protocol is up
Interface GigabitEthernet0/2 "", is administratively down, line protocol is up
Interface Management0/0 "diagnostic", is up, line protocol is up
> 
> nslookup www.cisco.com
Server:		172.31.1.8
Address:	172.31.1.8#53

Non-authoritative answer:
www.cisco.com	canonical name = www.cisco.com.akadns.net.
www.cisco.com.akadns.net	canonical name = wwwds.cisco.com.edgekey.net.
wwwds.cisco.com.edgekey.net	canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.net.
wwwds.cisco.com.edgekey.net.globalredir.akadns.net	canonical name = e2867.dsca.akamaiedge.net.
Name:	e2867.dsca.akamaiedge.net
Address: 23.14.199.30

Go to solution
Warren Sullivan - Corp
Level 1
Level 1
In response to Marvin Rhoads

‎05-11-2020 02:10 PM


Hi Marvin,
Thanks for the confirmation, i guess ill have to throw DNS in the test plan ;-)

Thanks mate

Warren
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card