06-11-2024 06:19 AM
I have looked through the CLI and no ACLs are configured using 8.8.4.4. DNS is disabled everywhere that I can see. Why is the controller still trying to get to Google and where can it be stopped?
06-13-2024 05:51 AM
8.8.4.4 didn't show in the configuration. As for a packet capture, the firewall engineer saw the packet attempting to get through to that DNS. We tried something and it seemed to work: our local DNS IPs were added and it seems that it stopped the DNS traffic to Google. Is there a default that is set to 8.8.4.4 when no other DNS has been entered?
06-11-2024 06:20 AM
Sorry, more detail please.
MHM
06-11-2024 06:35 AM
Our firewall is blocking traffic from the IP of the controller as it is trying to get to 8.8.4.4. DNS is disabled everywhere as far as I know and there are no ACLs shown in the CLI. Is there anything set to a default that it would go out to Google 8.8.4.4?
06-11-2024 06:51 AM
- For a complete check of the controller's configuration on this, issue: show running-config all | inc 8.8 (e.g.)
If not found, you will have to make a packet capture on these and examine the content, or examine the protocol used first (like ICMP or a real DNS lookup).
M.
06-13-2024 05:59 AM
>..... Is there a default that is set to 8.8.4.4 when no other DNS has been entered?
- There isn't; you also need to look at your overall DNS architecture on the intranet, such as the use of forwarders for instance, and the firewall configuration for DNS (automatic redirects?), so that perhaps it was only 'virtually' coming from the controller (e.g.)
M.
06-13-2024 06:00 AM
- As far as packet capture is concerned, also have an in-depth check of source and destination (e.g.)
M.
06-13-2024 06:28 AM
- Another thing I forgot to mention is some kind of default DNS serving on the hypervisor environment where the 9800-CL is installed; here is an example: https://blogs.vmware.com/vsphere/2017/01/basic-network-configuration-with-vsphere-integrated-containers-engine.html
>...By default when you set a static IP for the VCH, the VCH uses Google Public DNS servers 8.8.8.8 and 8.8.4.4. To specify your own DNS servers, use the --dns-server option when creating the VCH.
Probably this is not connected to your case, but I just wanted to point this possibility out.
M.
06-14-2024 10:23 AM
>...our local DNS IP's were added and it seems that it stopped the DNS traffic
- For what it's worth: I have been doing some tests on this with a 9800 cloud controller on EVE-NG (an emulator environment).
It turns out that if no DNS servers are configured in the running configuration, then the controller will forward the DNS requests
to the default gateway address it has obtained for the administrative management IP address (the one used for SSH and GUI access).
(=FYI)
M.
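As an added illustration, not code from this thread or from Cisco: a small audit of firewall log lines that flags DNS leaving the controller toward anything other than the approved internal resolvers, and separately calls out the default-gateway destination described in the test above. The log format, the IP addresses and the function name are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines (not taken from the thread): a generic
# syslog-style "allow/deny" record carrying source, destination, protocol and port.
SAMPLE_LOG = """\
2024-06-11T06:10:01 deny src=10.10.20.5 dst=8.8.4.4 proto=udp dport=53
2024-06-11T06:10:02 allow src=10.10.20.5 dst=10.10.20.1 proto=udp dport=53
2024-06-11T06:10:03 allow src=10.10.20.5 dst=10.10.50.10 proto=udp dport=53
2024-06-11T06:10:04 allow src=10.10.20.5 dst=10.10.50.10 proto=tcp dport=22
2024-06-11T06:10:05 deny src=10.10.20.9 dst=8.8.8.8 proto=udp dport=53
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def audit_dns_egress(log_text, controller_ip, approved_resolvers, gateway_ip):
    """Return a list of (destination, reason) for DNS flows (dport 53) from
    controller_ip whose destination is not one of the approved resolvers."""
    approved = {ipaddress.ip_address(a) for a in approved_resolvers}
    gateway = ipaddress.ip_address(gateway_ip)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "53" or m["src"] != controller_ip:
            continue  # not a DNS flow, or not from the controller
        dst = ipaddress.ip_address(m["dst"])
        if dst in approved:
            continue  # expected traffic to an internal resolver
        if dst == gateway:
            # Matches the EVE-NG observation: with no name servers configured,
            # lookups are forwarded to the management interface's default gateway.
            findings.append((str(dst), "DNS sent to default gateway: no name servers configured?"))
        elif dst.is_global:
            findings.append((str(dst), "DNS to external resolver"))
        else:
            findings.append((str(dst), "DNS to unapproved internal host"))
    return findings


if __name__ == "__main__":
    for dst, reason in audit_dns_egress(SAMPLE_LOG, "10.10.20.5", ["10.10.50.10"], "10.10.20.1"):
        print(f"{dst}: {reason}")
```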
06-13-2024 07:36 AM
We do not have VMware Host Containers (VHC) configured, and do not use containers in any fashion. All of our hosts and other components within the vSphere environment are STIG compliant and are configured to use internal DNS systems. None of the DNS information in use by the hosts or other vSphere assets is shared with any of the virtual machines in any capacity.
06-13-2024 08:17 AM
- OK, as I said, that was only an example:
look at the other items I mentioned too: full packet inspection,
review of the overall DNS architecture
M.
06-13-2024 07:39 AM
From our server engineer:
There are no inherited DNS settings for VMs. The only thing a VM inherits from a host is time, and not even an NTP configuration; the time is sent as a replacement for the CMOS BIOS clock that would be present in the hardware BIOS of a physical machine.