Solved: Re: DNS only works on one host?

Seanmorrow · ‎01-15-2024

So, I had DNS working, and I started putting FQDNs in ACLs. All were working and populating "show dns". Then I rebooted the firewall a few weeks later and now it's not resolving most hosts - saying they aren't active. The below code is partial and I can't post the whole, but don't be afraid to ask for any other non-compromising parts. There are plenty of others that don't work. This is just my best example since they share a group - yet only one is active.

For example:

object network fqdn_alertmedia_com_dashboard
    fqdn v4 dashboard.alertmedia.com
object network fqdn_sqs.us-east-1.amazonaws.com
    fqdn v4 sqs.us-east-1.amazonaws.com
object-group network AlertMedia_Servers
    network-object object fqdn_alertmedia_com_dashboard
    network-object object fqdn_alertmedia_aws
(object group is in an ACL and applied)

ASA-5516# sh dns
Name: dashboard.alertmedia.com
Address: 3.214.247.59 TTL 00:01:02
Address: 18.205.85.59 TTL 00:01:02
(this *all* of the output)

(It doesn't respond to pings, but you can see it is capable of resolving)
ASA-5516# ping sqs.us-east-1.amazonaws.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.239.232.46, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ASA-5516# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.217.142, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

(I even added google.com to the object group and "show dns" still won't show it.)

MHM Cisco World · ‎01-15-2024

asa# sh access-list <fqdn acl name>

did you see other ACL FQDN as inactive ?
MHM

View solution in original post

MHM Cisco World · ‎01-15-2024

can you ping DNS server from the mgmt interface or from interface use connect to host that filter by ACL?
share
show run dns
MHM

Seanmorrow · ‎01-15-2024

DNS "works" and resolves addresses, just not for any object except the one. There was an internal server, but I removed it for troubleshooting purposes.

ASA-5516# show run dns
dns domain-lookup Inside
dns domain-lookup Outside
dns domain-lookup Outside2
DNS server-group DefaultDNS
name-server 8.8.8.8 Outside
ASA-5516# ping community.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.154.144.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ASA-5516# ping reddit.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 151.101.1.140, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms
ASA-5516# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

MHM Cisco World · ‎01-15-2024

and the user use 8.8.8.8 as DNS server ?
MHM

Seanmorrow · ‎01-15-2024

They are not, but as said: I removed the internal (user) DNS to make sure it wasn't an issue with our DNS. I just haven't put it back yet since I feel 8.8.8.8 is a more reliable test. Once I get DNS working with the other network objects I'll put it back.

MHM Cisco World · ‎01-15-2024

asa# sh access-list <fqdn acl name>

did you see other ACL FQDN as inactive ?
MHM

Seanmorrow · ‎01-15-2024

I think you just hit the problem. They're applied to an ACL, but the service that uses those ACLs was *not* running. The one that was resolving was doing so because of a different ACL for a different purpose - that just also happened to be here.

Oof on me. Thanks for the assist.

MHM Cisco World · ‎01-15-2024

friend you are so welcome
MHM