DNS rewrite/DNS Inspection and a DMZ that needs to access internal DNS servers

So I am stuck between a rock and a hard place with this client. They were sold ISE to use for their guest wireless. They were also sold anchor WLCs to use for their guest wireless to make it more secure. The problem I am having is at one site, they need to use DNS rewrite for one NAT statement, which requires DNS inspection to be enabled. The NAT statement is to allow their current and new (when it goes into prod) guest wireless to reach their Citrix server. Well, since they are using ISE, the guest wireless clients need to be able to resolve the hostname of the ISE server in the web redirect. I know you can set ISE to use the IP address, but that will give them cert errors and that's a no-no.

When I test DNS resolution using the internal DNS servers from the guest wireless, it fails with DNS inspection enabled. When DNS inspection is off, it works fine. Is there any sort of workaround for this or is it just not going to work?

TIA,

Dan

5 REPLIES

What is doing the DNS inspection?

FTD appliance that is managed by FMC.  Running 6.2.2 on both.

It almost smells like a bug. I'm not sure of the merit, but I see there is 6.2.2.1.

There is one DNS bug listed as fixed but it doesn't sound related.

https://www.cisco.com/c/en/us/td/docs/security/firepower/622/622x/relnotes/Firepower_Relase_Notes_622x/Firepower_Relase_Notes_622x_chapter_01001.html

So you are saying that even with DNS inspection enabled I should be able to reach internal DNS servers from the DMZ? I was getting this error when testing:

inspect-dns-invalid-pak

Only fix I could find was to disable DNS inspection.

I do packet tracers of UDP port 53 (DNS), and on our FTD it will show allow, then randomly it will show being blocked with the same error. Strange! Inspect DNS is enabled, but why does it allow then not allow?

Drop-reason: (inspect-dns-invalid-pak) DNS Inspect invalid packet, Drop-location: frame 0x000055fba58abf01 flow (NA)/NA

Using:

Model : Cisco Firepower 4115 Threat Defense (76) Version 6.6.0 (Build 90)
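The drop reason quoted in the last two replies, `inspect-dns-invalid-pak`, is the firewall's verdict that a DNS message failed structural inspection, which is why the next thing to establish is whether the packets leaving the guest/DMZ resolver path are actually well-formed at the wire level. The script below is an added example, not code from this thread, from Cisco, or from the FTD inspection engine: it implements a generic DNS wire-format validator (RFC 1035 header, question and resource-record walk, label length, compression-pointer direction and loop checks, trailing bytes, and an assumed 512-byte UDP size limit). Feed it the UDP payloads of DNS packets pulled from a capture taken on the inside and outside interfaces; a non-empty result on a packet that the resolver considers fine is exactly the kind of mismatch worth taking to TAC. The sample packets, the hostname `ise.example.internal` and the address `10.0.0.25` are constructed for the example.

```python
"""Added example: a minimal DNS wire-format validator of the kind a stateful
DNS inspector applies.  Generic RFC 1035 checks only; it is not a description
of any vendor's inspection engine.  Sample messages are constructed inline."""
import struct

DNS_HEADER_LEN = 12
MAX_UDP_DNS_LEN = 512  # assumed policy value: classic UDP limit without EDNS0


def _read_name(msg, offset):
    """Parse a (possibly compressed) domain name at offset.
    Returns (name, offset_after_name); raises ValueError on malformation."""
    labels = []
    end = None          # offset just after the first pointer, if one was followed
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length == 0:                                  # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:                            # must reference an earlier name
                raise ValueError("compression pointer does not point backwards")
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                                # a legal name never needs this many
                raise ValueError("compression pointer loop")
            offset = ptr
            continue
        if length & 0xC0:                                # 01xxxxxx / 10xxxxxx are reserved
            raise ValueError("reserved label type 0x%02x" % (length >> 6))
        if offset + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
        if sum(len(l) + 1 for l in labels) > 255:
            raise ValueError("name longer than 255 octets")
    name = ".".join(labels) or "."
    return name, (end if end is not None else offset)


def validate_dns_message(msg):
    """Return a list of problems found; an empty list means the message passes."""
    problems = []
    if len(msg) < DNS_HEADER_LEN:
        return ["header shorter than 12 bytes"]
    if len(msg) > MAX_UDP_DNS_LEN:
        problems.append("message is %d bytes, over the %d-byte UDP limit"
                        % (len(msg), MAX_UDP_DNS_LEN))
    _txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:DNS_HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):                    # QUERY IQUERY STATUS NOTIFY UPDATE
        problems.append("unassigned opcode %d" % opcode)
    off = DNS_HEADER_LEN
    try:
        for _ in range(qd):                              # question section: name + type + class
            _name, off = _read_name(msg, off)
            if off + 4 > len(msg):
                raise ValueError("question runs past end of message")
            off += 4
        for _ in range(an + ns + ar):                    # answer/authority/additional RRs
            _name, off = _read_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("resource record header runs past end of message")
            rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
            off += 10
            if off + rdlength > len(msg):
                raise ValueError("RDATA runs past end of message")
            off += rdlength
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if off != len(msg):
        problems.append("%d trailing bytes after last record" % (len(msg) - off))
    return problems


def build_query(qname, txid=0x1234):
    """Standard A query with RD set (constructed sample traffic)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN


def build_response(query, ipv4):
    """Answer with one A record whose owner name is a pointer to the question (offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, NOERROR
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[DNS_HEADER_LEN:] + rr


# Constructed samples: one good exchange and three malformed variants.
QUERY = build_query("ise.example.internal")                 # hypothetical ISE hostname
GOOD_RESPONSE = build_response(QUERY, "10.0.0.25")           # hypothetical address
TRUNCATED_RESPONSE = GOOD_RESPONSE[:-2]                      # RDATA cut short in transit
FORWARD_POINTER_RESPONSE = (GOOD_RESPONSE[:len(QUERY)] + b"\xc0\x40"
                            + GOOD_RESPONSE[len(QUERY) + 2:])  # pointer ahead of itself
OVERSIZED_RESPONSE = GOOD_RESPONSE + b"\x00" * 500           # padding past 512 bytes

if __name__ == "__main__":
    for label, pkt in [("query", QUERY), ("good response", GOOD_RESPONSE),
                       ("truncated", TRUNCATED_RESPONSE),
                       ("forward pointer", FORWARD_POINTER_RESPONSE),
                       ("oversized", OVERSIZED_RESPONSE)]:
        print("%-16s %s" % (label, validate_dns_message(pkt) or "OK"))
```

To use it on real traffic, take a capture on the inside interface and another on the guest/DMZ interface, extract the UDP/53 payloads, and run `validate_dns_message` over both sets; a packet that passes on one side and fails on the other (or one the resolver answered but the validator rejects) narrows the problem to the packet rather than to the policy.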