So I am stuck between a rock and a hard place with this client. They were sold ISE to use for their guest wireless. They were also sold anchor WLCs to use for their guest wireless to make it more secure. The problem I am having is at one site, they need to use DNS rewrite for one NAT statement, which requires DNS inspection to be enabled. The NAT statement is to allow their current and new (when it goes into prod) guest wireless to reach their Citrix server. Well, since they are using ISE, the guest wireless clients need to be able to resolve the hostname of the ISE server in the web redirect. I know you can set ISE to use the IP address, but that will give them cert errors and that's a no-no.
When I test DNS resolution using the internal DNS servers from the guest wireless, it fails with DNS inspection enabled. When DNS inspection is off, it works fine. Is there any sort of workaround for this or is it just not going to work?
It almost smells like a bug. I'm not sure of the merit, but I see there is 188.8.131.52.
There is one DNS bug listed as fixed but it doesn't sound related.
So you are saying that even with DNS inspection enabled that I should be able to reach internal DNS servers from the DMZ? I was getting this error when testing:
Only fix I could find was to disable DNS inspection.
I do packet tracers of UDP port 53 (DNS), and on our FTD it will show allow, then randomly it will show it being blocked with the same error. Strange! Inspect DNS is enabled, but why does it allow and then not allow?
Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, Drop-location: frame 0x000055fba58abf01 flow (NA)/NA
Model : Cisco Firepower 4115 Threat Defense (76) Version 6.6.0 (Build 90)
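To make the inspect-dns-invalid-pak drop reason above less of a black box, here is an added example (not Cisco code, and not from any poster in this thread) of what a stateful DNS inspector has to do before it can perform the DNS rewrite step of a NAT rule: fully parse the message, follow name-compression pointers safely, and only then patch the A-record RDATA. Every packet that fails the parse is tagged with the drop-reason string from the thread, which is used here purely as a label; the exact set of checks the FTD applies is an assumption, and the sample packets are constructed inline rather than captured.

```python
"""Minimal DNS message parser + A-record rewriter, modelled on what a
firewall's DNS inspection / DNS doctoring must do. Example code added to
this thread; the validity checks are assumed, not Cisco's documented ones."""
import struct
import ipaddress

DROP_REASON = "inspect-dns-invalid-pak"   # string quoted in the thread, used as a label


class InvalidDNS(ValueError):
    """Raised for any message a strict inspector would refuse to parse."""


def read_name(msg, off, depth=0):
    """Return (name, offset after name), honouring RFC 1035 compression.
    Pointers must point strictly backwards, which rules out loops."""
    labels = []
    while True:
        if off >= len(msg):
            raise InvalidDNS("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if depth > 10:
                raise InvalidDNS("compression pointer chain too deep")
            if off + 1 >= len(msg):
                raise InvalidDNS("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[off + 1]
            if ptr >= off:
                raise InvalidDNS("compression pointer does not point backwards")
            tail, _ = read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), off + 2
        if length & 0xC0:
            raise InvalidDNS("reserved label type")     # 0x40 / 0x80 prefixes
        off += 1
        if length == 0:                                # root label ends the name
            return ".".join(labels), off
        if off + length > len(msg):
            raise InvalidDNS("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length


def parse(msg):
    """Parse header, questions and all resource records; raise on malformation."""
    if len(msg) < 12:
        raise InvalidDNS("header shorter than 12 octets")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise InvalidDNS("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise InvalidDNS("truncated resource record header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise InvalidDNS("RDLENGTH exceeds message")
        records.append((name, rtype, rclass, ttl, off, rdlen))   # off = RDATA start
        off += rdlen
    return {"id": ident, "flags": flags, "questions": questions, "records": records}


def inspect(msg):
    """Verdict string in the spirit of packet-tracer: 'allow' or 'drop (...)'."""
    try:
        parse(msg)
    except InvalidDNS as exc:
        return f"drop ({DROP_REASON}): {exc}"
    return "allow"


def doctor_a_records(msg, mapped, real):
    """DNS rewrite: return a copy of the response with every A record holding
    `mapped` replaced by `real`. Only 4-byte RDATA changes, so offsets stay valid."""
    parsed = parse(msg)                                 # invalid packets never get rewritten
    out = bytearray(msg)
    mapped_b = ipaddress.IPv4Address(mapped).packed
    real_b = ipaddress.IPv4Address(real).packed
    for _name, rtype, rclass, _ttl, rdoff, rdlen in parsed["records"]:
        if rtype == 1 and rclass == 1:                  # A record, class IN
            if rdlen != 4:
                raise InvalidDNS("A record with RDLENGTH != 4")
            if bytes(out[rdoff:rdoff + 4]) == mapped_b:
                out[rdoff:rdoff + 4] = real_b
    return bytes(out)


def build_response(qname, addr, ident=0x1234):
    """Constructed sample: one question, one A answer using a pointer to it."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    hdr = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return hdr + question + answer


# Constructed test packets (hostname and addresses are placeholders).
GOOD = build_response("ise.corp.example", "203.0.113.10")
TRUNCATED = GOOD[:-2]                                   # RDATA cut short
SELF_POINTER = GOOD[:34] + b"\xc0\x22" + GOOD[36:]      # answer name points at itself (offset 34)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("truncated", TRUNCATED), ("self-pointer", SELF_POINTER)):
        print(f"{label:13s} -> {inspect(pkt)}")
    print(parse(doctor_a_records(GOOD, "203.0.113.10", "10.10.10.5"))["records"])
```

Running it shows the well-formed response passing and the two damaged ones being dropped with a reason, and the rewrite only touching the A record whose address matches the NAT's mapped address. Against real traffic the same logic can be applied to a packet capture of port 53 taken on the DMZ interface to see whether the packets the FTD drops are actually malformed or whether, as the thread suspects, the inspector is rejecting valid ones.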