Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1694
Views
0
Helpful
5
Replies

DNS rewrite/DNS Inspection and a DMZ that needs to access internal DNS servers

deyster94
Level 5
Level 5

‎01-25-2018 02:07 PM - last edited on ‎02-21-2020 11:35 PM by Community Manager

So I am stuck between a rock and a hard place with this client.  They were sold them ISE to use for their guest wireless.  They were also sold anchor WLC's to use to for their guest wireless to make it more secure.  The problem I am having is at one site, they need to use DNS rewrite for one NAT statement, which requires DNS inspection to be enabled.  The NAT statement is to allow their current and new (when it goes in to prod) guest wireless to reach their Citrix server.  Well, since they are using ISE, the guest wireless clients need to be able to resolve the hostname of the ISE server in the web redirect.  I know you can set ISE to use the IP address, but that will give them cert errors and that's a no-no.  

 

When I test DNS resolution using the internal DNS servers from the guest wireless, it fails with DNS inspection enabled.  When DNS inspection is off, it works fine.  Is there any sort of workaround for this or is it just not going to work?

 

TIA,

 

Dan

Labels:
0 Helpful
5 Replies 5

Philip D'Ath
VIP Alumni
VIP Alumni

‎01-25-2018 02:21 PM

What is doing the DNS inspection?

0 Helpful

deyster94
Level 5
Level 5
In response to Philip D'Ath

‎01-25-2018 02:28 PM

FTD appliance that is managed by FMC.  Running 6.2.2 on both.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to deyster94

‎01-25-2018 02:33 PM

It almost smells like a bug.  I'm not sure of the merit, but I see there is 6.2.2.1.

 

There is one DNS bug listed as fixed but it doesn't sound related.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/622x/relnotes/Firepower_Relase_Notes_622x/Firepower_Relase_Notes_622x_chapter_01001.html

0 Helpful

deyster94
Level 5
Level 5
In response to Philip D'Ath

‎01-25-2018 07:11 PM

So you are saying that even with DNS inspection enabled that I should be able to reach internal DNS servers from the DMZ?  I was getting this error when testing:

 

inspect-dns-invalid-pak

 

Only fix I could find was to disable DNS inspection.

0 Helpful

Supermantech
Level 1
Level 1
In response to deyster94

‎08-11-2020 09:09 AM

I do packet tracers of UDP port 53, dns and on our FTD it will show allow then randomly it will show being blocked with same error.  Strange!    Inspect DNS is enabled,  but why does it allow then not allow?

 

Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, Drop-location: frame 0x000055fba58abf01 flow (NA)/NA

 

using

Model : Cisco Firepower 4115 Threat Defense (76) Version 6.6.0 (Build 90)

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card