DNS through FTD diagnostic

elemzy
Level 1

Has anyone gotten DNS to work over the diagnostic interface on FTD version 6.6.5?

Gone through the steps, but FTD will not resolve names configured in policies via the diagnostic interface. I don't want to use the data interfaces as they are isolated from the rest of my network.

4 Replies

urathod
Cisco Employee

It is possible to get DNS to work over the diagnostic interface on FTD version 6.6.5, but there are some configuration steps that need to be followed.

First, ensure that the diagnostic interface is properly configured with an IP address and subnet mask. Next, configure the DNS server on the FTD device by using the "configure network dns" command in the CLI. Make sure that the DNS server IP address is reachable from the diagnostic interface.

If you have already configured the DNS server, but it is still not resolving names via the diagnostic interface, there may be an issue with the DNS server itself or with the routing configuration on the FTD device. Check the DNS server logs for any errors or issues, and ensure that the FTD device is properly configured with the correct routes to reach the DNS server.

If you do not want to use the data interfaces and prefer to use the diagnostic interface for DNS resolution, you can configure policies to allow DNS traffic over the diagnostic interface. To do this, create an access control policy that allows DNS traffic (UDP port 53) from the diagnostic interface to the DNS server. Make sure that this policy is properly configured and enabled.

If you have followed these steps and are still experiencing issues with DNS over the diagnostic interface, it may be helpful to consult the Cisco documentation or open a support case with Cisco for further assistance.

Just wondering what's the relationship between "configure network dns" CLI, which sets DNS IP on the management interface, and DNS server which is used by ACP and also Lina datapath when a FQDN needs to be resolved to process transit traffic (the corresponding FMC object generates "dns server-group" Lina CLI). Please explain.


The "configure network dns" CLI command is used to configure the DNS server that the device uses for name resolution when it needs to resolve hostnames to IP addresses for its own management purposes, such as resolving the FQDN of a remote server during software updates or establishing VPN connections. This command sets the DNS server IP address on the device's management interface.

On the other hand, the DNS server used by the Firepower Threat Defense (FTD) device for the processing of transit traffic, such as inspecting URLs in HTTP traffic or resolving domain names in DNS traffic, is configured through the DNS server group object in the Firepower Management Center (FMC) and propagated to the FTD device through its policy configuration.

The DNS server group object in the FMC allows you to specify one or more DNS servers that the FTD device should use for name resolution when processing transit traffic. You can create a DNS server group object in the FMC and add one or more DNS server IP addresses to it. When you configure a policy on the FMC, you can specify this DNS server group object as the DNS server to be used by the FTD device for name resolution during transit traffic processing.

So, while the "configure network dns" CLI command sets the DNS server for the device's management interface, the DNS server group object in the FMC is used to configure the DNS servers that the FTD device uses for name resolution during transit traffic processing.
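As an added illustration of the two layers described in the reply above (this is not from the original thread or from Cisco documentation; the server address 192.0.2.53, the interface name "diagnostic" and the server-group name "DefaultDNS" are assumed for the example), here is what each layer looks like on the box and the command that shows it. The first part is the management-plane setting typed at the FTD CLI; the second is the Lina data-plane configuration that FMC generates from Platform Settings > DNS (the DNS server group object plus the interface objects on which lookups are enabled), viewed from the diagnostic CLI.

```text
! Layer 1: management-plane DNS, typed at the FTD CLI (">" prompt).
! Consumed only by the FTD's own management services (updates, FMC registration by name).
! Lina does not use this entry for transit traffic or for FQDN objects in policies.
> configure network dns 192.0.2.53
> show network
!   -> verify that the "DNS Servers" line now lists 192.0.2.53

! Layer 2: Lina data-plane DNS, pushed by FMC (Platform Settings > DNS).
! Open the Lina CLI with "system support diagnostic-cli", then "enable".
firepower# show running-config dns
dns domain-lookup diagnostic
dns server-group DefaultDNS
 name-server 192.0.2.53
! "dns domain-lookup <nameif>" is what enables lookups on that interface; it is emitted
! for each interface that belongs to an interface object selected in Platform Settings > DNS.
! If the interface you expect (here "diagnostic") has no such line, lookups will not
! be sourced from it no matter what the management-plane "configure network dns" says.
! "dns server-group" and its "name-server" entries come from the FMC DNS server group object.

firepower# show dns-hosts
!   -> lists the cached FQDN-to-IP resolutions Lina has obtained for FQDN objects
!      referenced by the deployed policy; an empty table after deployment means
!      the data-plane resolver never got an answer from 192.0.2.53.
```

The practical check is therefore: `show network` for what the management plane uses, and `show running-config dns` for what Lina uses, confirming both the server group and a `dns domain-lookup` line for the interface that can actually reach the server.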

I have this problem also, on FTDs running 6.6.1 - 6.6.5 and 7.0.0. I get the error "DNS: DNS not enabled on Interface vPifNum=xx".

We have added interfaces as either interface objects or security objects to the device policy, but no difference. When I define an interface object, should it then be of type "interface" or "security"? And can an interface belong to more than one object when defining interface objects?
