Symptom
- FTD does not resolve DNS through the diagnostic interface; the debugs below confirm that DNS queries are not forwarded via the diagnostic interface.
Debugs
======
firepower# debug dns all
DNS: get global group handle 5a39bf9
DNS: Resolve request for 'google.com' group
DNS: DNS is not Enabled on interface vPifNum=2 for nameserver ip=1 <<<<
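A small triage helper for the debug signature above, added here as an example and not part of the original bug note: it scans captured "debug dns all" output (a constructed sample modelled on the lines shown) and reports the queried names and every (vPifNum, nameserver index) pair on which the FTD refused to forward the query. The regular expressions assume the exact message wording shown in this note.

```python
import re

# Constructed sample of "debug dns all" output, modelled on the lines in this note.
SAMPLE_DEBUG = """\
DNS: get global group handle 5a39bf9
DNS: Resolve request for 'google.com' group
DNS: DNS is not Enabled on interface vPifNum=2 for nameserver ip=1
"""

# Signature line of the symptom: the FTD declines to send the query out of an interface.
NOT_ENABLED_RE = re.compile(
    r"DNS is not Enabled on interface vPifNum=(?P<vpif>\d+) for nameserver ip=(?P<ns>\d+)"
)
# Line announcing which name the FTD is trying to resolve.
RESOLVE_RE = re.compile(r"Resolve request for '(?P<name>[^']+)'")


def triage_debug_dns(output: str) -> dict:
    """Scan 'debug dns all' output for the 'DNS is not Enabled on interface' signature.

    Returns the names queried, each (vPifNum, nameserver index) pair the FTD refused
    to forward on, and a verdict on whether the symptom from this note is present.
    """
    names, refused = [], []
    for line in output.splitlines():
        m = RESOLVE_RE.search(line)
        if m:
            names.append(m.group("name"))
        m = NOT_ENABLED_RE.search(line)
        if m:
            refused.append((int(m.group("vpif")), int(m.group("ns"))))
    return {"queries": names, "refused": refused, "symptom_present": bool(refused)}


if __name__ == "__main__":
    # Paste a real capture in place of SAMPLE_DEBUG when using this on a live box.
    print(triage_debug_dns(SAMPLE_DEBUG))
```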
Conditions
- FTD configured to resolve DNS through the diagnostic interface.
Workaround
Do not select any data interfaces in the DNS server group object, and do not select "Enable DNS Lookup via diagnostic interface also".
This forces the FTD to look up the route to the DNS server(s) in the data interface VRF and, when no route is found there, fall back to the management VRF and send the DNS traffic correctly. CLI example below:
dns domain-lookup any
DNS server-group
name-server
domain-name
DNS server-group DefaultDNS
dns-group dns_group
!
route diagnostic
*** Note: The above workaround only works if no route to the DNS server(s) exists in the data interface VRF (including the default route). ***
Further Problem Description