01-19-2018 11:30 AM - last edited on 02-21-2020 11:35 PM by cc_security_adm
To all:
I am trying to configure FMC/FTD to use my client's internal DNS servers for guest wireless. The interface for the guest wireless hangs off the FTD appliance and I have the policy built in FMC to allow DNS traffic from the guest wireless network inbound and vice versa. However, in the one location, they must have DNS inspection for one NAT statement that requires DNS doctoring. If I disable DNS inspection, they can reach the internal DNS servers. Otherwise, it fails with the following drop-reason:
(inspect-dns-invalid-pak) DNS Inspect invalid packet
I can't figure out how to get around this problem in FTD.
TIA for any ideas,
Dan
06-30-2018 07:25 AM
Did you ever figure this out? I am having trouble even disabling inspection of DNS. Did you use the flexconfig to disable inspection?
02-23-2021 07:42 PM
I am not sure if this is still a problem, but have you looked at creating a FlexConfig to not inspect DNS traffic? Is this what you are after?
We are looking at doing something similar for Cisco Umbrella as DNS traffic cannot be inspected due to encryption to the Cisco Umbrella Cloud.
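As an added example (not posted by anyone in this thread), this is the kind of FlexConfig text the two posts above are talking about, written for the original problem: DNS inspection stays on only for the flows that need the NAT doctoring, and guest DNS is taken out of the default inspection class. The ACL name, class-map name and server address are placeholders; global_policy, inspection_default and preset_dns_map are the names FTD's underlying policy uses by default.

```cisco
! FlexConfig object, Append / Everytime. Added example, not from the thread.
! Assumed placeholder names: DNS_DOCTOR_TRAFFIC, DNS_DOCTOR_CLASS, 203.0.113.10.
!
! 1. Match only the DNS flows whose replies the NAT (with the dns keyword)
!    must rewrite, i.e. traffic to/from the DNS server being doctored.
access-list DNS_DOCTOR_TRAFFIC extended permit udp any host 203.0.113.10 eq domain
class-map DNS_DOCTOR_CLASS
 match access-list DNS_DOCTOR_TRAFFIC
!
! 2. Remove DNS from the default inspection class, so guest-wireless DNS
!    is no longer subject to the inspect-dns-invalid-pak drop.
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
!
! 3. Re-enable DNS inspection only for the doctoring class.
 class DNS_DOCTOR_CLASS
  inspect dns preset_dns_map
```

After deploying, "show service-policy inspect dns" on the FTD CLI should show DNS inspection counters only under the new class, and guest DNS flows should no longer appear in "show asp drop" with that reason.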
12-08-2021 07:18 AM
Did the flexconfig resolve your encrypted DNS traffic to Umbrella issue?