Firepower-DNS Not Resolving

SecurityJumbo
Level 1

I have an FMC and a pair of FTDs in HA mode, version 7.3.1 for both. The DNS server is connected via the INSIDE interface only. The Firepower can ping the DNS server as shown below, but the DNS fails. I configured the DNS and domain search. The DNS is not resolving through the INSIDE or OUTSIDE interfaces. The DNS is only resolving through the management interface when I use the "ping system xxx" command. I believe there is something else I'm missing. Please can you check and let me know what you think.


ping 192.168.10.5
Please use 'CTRL+C' to cancel/abort...
Sending 5, 100-byte ICMP Echos to 192.168.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
>
> ping lab.local

ping lab.local
^
ERROR: % Invalid Hostname
>
>
> ping cisco.com
Please use 'CTRL+C' to cancel/abort...

ping cisco.com
^
ERROR: % Invalid Hostname
>
> ping system cisco.com
PING cisco.com (72.163.4.185) 56(84) bytes of data.
64 bytes from redirect-ns.cisco.com (72.163.4.185): icmp_seq=1 ttl=238 time=21.4 ms
^C64 bytes from 72.163.4.185: icmp_seq=2 ttl=238 time=12.8 ms

--- cisco.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 5054ms
rtt min/avg/max/mdev = 12.811/17.087/21.363/4.276 ms
>
>
> show dns system
search lab.local
nameserver 192.168.10.5
nameserver 8.8.8.8
nameserver 2603:8080:6100:2984::1

>
> show network
===============[ System Information ]===============
Hostname : FTD1
Domains : lab.local
DNS Servers : 192.168.10.5
8.8.8.8
2603:8080:6100:2984::1
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1

======================[ eth0 ]======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 50:00:00:11:00:00
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.1.201
Netmask : 255.255.255.0
Gateway : 192.168.1.1
----------------------[ IPv6 ]----------------------
Configuration : Disabled

===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled


3 Replies

You ping cisco.com, but there is a default domain lab.local.

So

Ping cisco without adding the domain.

@MHM Cisco World  Not sure what you mean. The DNS is not resolving to either the internal network or the external network. I can ping any address through the data interfaces.

But the DNS is not working through the data interfaces (INSIDE or OUTSIDE). It is only working through the Management interface when I do (ping system www.google.com) or (ping system lab.local)

DNS in Firepower points:

1- Firepower does not support an internal DNS server (as far as I know until now)

2- Firepower supports DNS through mgmt for updates and licensing

3- Firepower supports DNS through IN or OUT for any ACL that uses FQDN, or for remote access.

I hope that answers you

Thanks 

MHM
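Added example (not code from the thread or from Cisco): the two DNS planes discussed above are configured and checked separately, and this script makes that split explicit. It parses the management-plane "show network" block exactly as the OP posted it, and a constructed LINA "show running-config dns" sample in the ASA-style syntax (dns domain-lookup <nameif>, dns server-group, name-server, domain-name, dns-group) that FMC deploys from the DNS platform setting; that syntax, the interface names inside/outside/dmz and the sample contents are assumptions, not output from the OP's box. The data-plane check reports why a plain "ping <hostname>" from the LINA prompt fails (no domain-lookup on the interface, or no name-server in the active group) even while "ping system" works from the management side.

```python
"""Audit which DNS plane an FTD can resolve hostnames from.

Management plane (Linux side, 'ping system'): fed by 'show network'.
Data plane (LINA side, 'ping <host>', FQDN ACL objects): fed by
'show running-config dns'.  The two are configured independently.
"""
import re

# Management-plane output copied from the original post.
SHOW_NETWORK = """===============[ System Information ]===============
Hostname : FTD1
Domains : lab.local
DNS Servers : 192.168.10.5
8.8.8.8
2603:8080:6100:2984::1
DNS from router : enabled
Management port : 8305
IPv4 Default route
Gateway : 192.168.1.1
"""

# CONSTRUCTED sample (assumption): LINA config after a DNS platform
# setting bound to inside/outside has been deployed.
RUNNING_CONFIG_DNS_OK = """dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.10.5
 domain-name lab.local
dns-group DefaultDNS
"""

# CONSTRUCTED sample (assumption): no DNS platform setting deployed,
# only the empty default server group exists.
RUNNING_CONFIG_DNS_MISSING = """dns server-group DefaultDNS
"""

# 'Key : value' lines; the key must start with a letter so that an
# IPv6 continuation line such as 2603:8080:... is not taken as a key.
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(.*)$')


def parse_show_network(text):
    """Return (search_domains, dns_servers) from the management plane.

    Continuation lines without a key (extra servers) belong to the
    list opened by the preceding 'DNS Servers' key."""
    domains, servers, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('='):
            continue
        m = KEY_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == 'Domains':
                domains = value.split()
                current = domains
            elif key == 'DNS Servers':
                servers = [value] if value else []
                current = servers
            else:
                current = None          # any other key ends the list
        elif current is not None:
            current.append(line)
    return domains, servers


def parse_running_config_dns(text):
    """Return (lookup_interfaces, server_groups, default_group) from LINA."""
    lookup, groups, default_group, group = set(), {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        if not raw.startswith(' '):     # top-level command, closes any group
            group = None
            if words[:2] == ['dns', 'domain-lookup'] and len(words) == 3:
                lookup.add(words[2])
            elif words[:2] == ['dns', 'server-group'] and len(words) == 3:
                group = groups.setdefault(words[2], {'servers': [], 'domain': None})
            elif words[0] == 'dns-group' and len(words) == 2:
                default_group = words[1]
        elif group is not None:
            if words[0] == 'name-server' and len(words) >= 2:
                group['servers'].append(words[1])   # trailing interface, if any, ignored
            elif words[0] == 'domain-name' and len(words) == 2:
                group['domain'] = words[1]
    return lookup, groups, default_group


def data_plane_can_resolve(running_config, interface):
    """(ok, reason) for a LINA-side lookup that would leave 'interface'."""
    lookup, groups, default_group = parse_running_config_dns(running_config)
    if interface not in lookup:
        return False, f"no 'dns domain-lookup {interface}'; lookups cannot leave this interface"
    grp = groups.get(default_group or 'DefaultDNS')   # DefaultDNS is active unless dns-group says otherwise
    if not grp or not grp['servers']:
        return False, "active DNS server group has no name-server"
    return True, f"lookups leave {interface} towards {', '.join(grp['servers'])}"


def mgmt_plane_can_resolve(show_network):
    """(ok, reason) for a 'ping system <host>' lookup from the management side."""
    domains, servers = parse_show_network(show_network)
    if not servers:
        return False, "no DNS servers under 'show network'"
    return True, f"management side uses {', '.join(servers)} (search: {', '.join(domains) or '-'})"


if __name__ == '__main__':
    print('mgmt   :', mgmt_plane_can_resolve(SHOW_NETWORK))
    for label, cfg in (('missing', RUNNING_CONFIG_DNS_MISSING), ('ok', RUNNING_CONFIG_DNS_OK)):
        for nameif in ('inside', 'outside', 'dmz'):
            print(f'data/{label:<7} {nameif:<8}:', data_plane_can_resolve(cfg, nameif))
```

Run it and compare the two data-plane samples: with the "missing" config every interface is refused, which matches the symptom of "ping system" succeeding while "ping cisco.com" from the LINA prompt returns an error; with the "ok" config only the interfaces named in dns domain-lookup can resolve.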
