08-15-2022 08:03 AM
Hi all
I'm inexperienced with networking/firewall/DNS, so please forgive me if I use the incorrect terms or if I don't make too much sense.
I work in a very small IT department and have been thrown in to managing the firewall.
I've found an error where we get 'user identity: DNS lookup for 'FQDN' failed, reason:Timeout or unresolvable'
I think this may be because we need to add a public DNS address and possibly enable DNS Lookup for more interfaces.
Would this be right?
08-15-2022 09:14 AM
https://www.petenetlive.com/KB/Article/0000969
check this link
08-15-2022 11:03 PM
What is the site that you are unable to resolve? And where does your current DNS configuration point to? If you log onto this DNS server, is it able to resolve the FQDN that you are having issues with?
Adding more DNS entries to the ASA will not help much as it uses a top-down first-match logic, so if the first IP in the list of DNS servers is reachable it will choose that DNS server. A better solution would be to identify why your current DNS server is not able to resolve the FQDN and fix that problem on the DNS server.
08-16-2022 03:34 AM
It's an object in the ASA that's mapped to a FQDN that is unresolvable...
object network FQDN_sitename.xxx
fqdn v4 sitename.xxx
If that object is in an access rule, the ASA will query the site over and over and over and over.
Need to remove the access rule and most likely the object...
08-16-2022 04:15 AM
What is your DNS configuration on your ASA? Does it point to an internal DNS server?
08-16-2022 05:22 AM
08-16-2022 07:40 AM
Thank you for your replies.
We are trying to reach public.dhe.ibm.com.
The DNS configured is our internal DNS server. I can't ping public.dhe.ibm.com or its IP address from the server.
08-16-2022 11:47 PM
Are you running ASA or FTD code on your ASA5516-X?
On the ASA's CLI issue the command show run dns and post the output here.
Go to the DNS server and open a command prompt and issue the command nslookup public.dhe.ibm.com and post the output here. If it does not return an IP for domain and your ASA does DNS lookup to that DNS server, then that is the problem. Either the ASA will need to use a different DNS server or you will need to add a DNS forwarder for the public.dhe.ibm.com domain.
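Added example (not from the thread, and not Cisco's code): a Python script that parses a constructed `show run dns` output and applies the top-down, first-reachable-server behaviour described earlier in the thread to constructed server answers. It shows why appending a second name-server changes nothing while the first one is reachable but cannot resolve the name, and why fixing resolution on that first server (for example with a forwarder for the domain) is what clears the "Timeout or unresolvable" error. All addresses, the sample config and the answer maps are constructed; the interface check assumes the ASA only sends queries out interfaces listed under `dns domain-lookup`.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample of `show run dns` output (hypothetical addresses and names).
SAMPLE_SHOW_RUN_DNS = """\
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.0.53 inside
 name-server 10.0.0.54 inside
 domain-name example.internal
"""


@dataclass
class DnsConfig:
    lookup_interfaces: List[str] = field(default_factory=list)
    # (server_ip, interface) pairs in configured order; the order matters to the ASA
    name_servers: List[Tuple[str, Optional[str]]] = field(default_factory=list)
    domain_name: Optional[str] = None


def parse_show_run_dns(text: str) -> DnsConfig:
    """Pull the lookup interfaces, ordered name-servers and domain-name out of `show run dns`."""
    cfg = DnsConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"dns domain-lookup (\S+)$", line):
            cfg.lookup_interfaces.append(m.group(1))
        elif m := re.match(r"name-server (\S+)(?: (\S+))?$", line):
            cfg.name_servers.append((m.group(1), m.group(2)))
        elif m := re.match(r"domain-name (\S+)$", line):
            cfg.domain_name = m.group(1)
    return cfg


def select_server(cfg: DnsConfig, reachable: Dict[str, bool]) -> Optional[str]:
    """Top-down, first-match: the first configured server that is reachable on an
    interface with domain-lookup enabled is the one queried (assumed ASA behaviour)."""
    for ip, iface in cfg.name_servers:
        if iface is not None and iface not in cfg.lookup_interfaces:
            continue  # no `dns domain-lookup <iface>`: assume no queries leave here
        if reachable.get(ip, False):
            return ip
    return None


def resolve_like_asa(cfg: DnsConfig, fqdn: str, reachable: Dict[str, bool],
                     answers: Dict[str, Dict[str, List[str]]]) -> dict:
    """Simulate the FQDN-object lookup. `answers` maps server_ip -> {fqdn: [addresses]}
    (constructed responses standing in for what each server would actually return)."""
    server = select_server(cfg, reachable)
    if server is None:
        return {"status": "no-usable-server", "server": None, "addresses": []}
    addrs = answers.get(server, {}).get(fqdn, [])
    if not addrs:
        # the case the ASA logs as "DNS lookup for 'FQDN' failed, reason:Timeout or unresolvable"
        return {"status": "unresolvable", "server": server, "addresses": []}
    return {"status": "ok", "server": server, "addresses": addrs}


def demo():
    cfg = parse_show_run_dns(SAMPLE_SHOW_RUN_DNS)
    fqdn = "public.dhe.ibm.com"
    # Constructed: the first (internal) server answers but cannot resolve the public name;
    # the second server could.
    answers = {"10.0.0.53": {}, "10.0.0.54": {fqdn: ["192.0.2.10"]}}
    both_up = {"10.0.0.53": True, "10.0.0.54": True}
    first_down = {"10.0.0.53": False, "10.0.0.54": True}
    # Adding the second server changes nothing while the first is reachable...
    still_failing = resolve_like_asa(cfg, fqdn, both_up, answers)
    # ...it is only used once the first server stops answering.
    fallback = resolve_like_asa(cfg, fqdn, first_down, answers)
    # The fix the thread recommends: make the first server able to resolve the name
    # (e.g. a forwarder for the domain on the internal DNS server).
    answers_fixed = {"10.0.0.53": {fqdn: ["192.0.2.10"]}, "10.0.0.54": {}}
    fixed = resolve_like_asa(cfg, fqdn, both_up, answers_fixed)
    return still_failing, fallback, fixed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Feed the real `show run dns` output into `parse_show_run_dns` to see the server order the ASA will walk, then run `nslookup` for the FQDN against that first server: if it returns no address, that server, not the ASA, is where the fix belongs.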