Symptom
After enabling the option "Send DNS queries from the diagnostics interface", FTD is still unable to use this interface to reach the DNS server.
The following output is seen with the "debug dns all" option:
DNS: Lookup failed for CISCO.LOCAL
DNS: Resolve request for 'CISCO.LOCAL' group PRV-DNS-GROUP-Test
DNS: DNS is not Enabled on interface vPifNum=3 for nameserver ip=10.10.1.4
The interface detail output confirms that the diagnostics interface has interface number 3 (the vPifNum from the debug):
show int management 1/1 detail
Control Point Interface States:
Interface number is 3
Interface config status is active
Interface state is active
DNS configuration
FTD01# show run dns
dns domain-lookup diagnostic
DNS server-group DefaultDNS
DNS server-group DNS-GROUP-Test
name-server 10.10.1.4
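To correlate the vPifNum in the debug with the interface name from "show interface detail", here is an added Python helper (not part of the original note or any Cisco tool). The debug and show samples are constructed from the output quoted above; the "Interface Management1/1 "diagnostic"" header lines and the second interface block are assumptions for illustration.

```python
import re

# Constructed sample of the "debug dns all" output quoted above (not a live capture).
DEBUG_DNS = """\
DNS: Lookup failed for CISCO.LOCAL
DNS: Resolve request for 'CISCO.LOCAL' group PRV-DNS-GROUP-Test
DNS: DNS is not Enabled on interface vPifNum=3 for nameserver ip=10.10.1.4
"""
# Constructed "show interface detail" sample; header lines and the second block are assumed.
SHOW_INT_DETAIL = """\
Interface Management1/1 "diagnostic", is up, line protocol is up
  Control Point Interface States:
    Interface number is 3
    Interface config status is active
    Interface state is active
Interface GigabitEthernet0/0 "inside", is up, line protocol is up
  Control Point Interface States:
    Interface number is 5
    Interface config status is active
    Interface state is active
"""

NOT_ENABLED = re.compile(r"DNS is not Enabled on interface vPifNum=(\d+) for nameserver ip=(\S+)")
IF_HEADER = re.compile(r'^Interface (\S+) "([^"]*)"')
IF_NUMBER = re.compile(r"Interface number is (\d+)")

def interface_numbers(show_output):
    """Map control-point interface number -> (interface, nameif) from show output."""
    mapping, current = {}, None
    for line in show_output.splitlines():
        m = IF_HEADER.match(line)
        if m:
            current = (m.group(1), m.group(2))   # new interface block starts
            continue
        m = IF_NUMBER.search(line)
        if m and current:
            mapping[int(m.group(1))] = current
    return mapping

def failed_dns_interfaces(debug_output, show_output):
    """Return [(interface, nameif, nameserver)] for every 'not Enabled' debug line."""
    numbers = interface_numbers(show_output)
    results = []
    for line in debug_output.splitlines():
        m = NOT_ENABLED.search(line)
        if m:
            ifname, nameif = numbers.get(int(m.group(1)), ("unknown", "unknown"))
            results.append((ifname, nameif, m.group(2)))
    return results
```

A result naming the diagnostic interface confirms the condition described in this note: the query is being steered to that interface, but DNS is not actually enabled on it.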
Conditions
- Diagnostics interface has been enabled to send DNS queries
- A management-only routing entry must be added for this to work if the routing table already contains an entry for the same DNS server
- It only affects FTD, as ASA can enable DNS queries per interface
Workaround
Use a data interface to reach the DNS server
For DNS Servers that have to be reached using a VPN tunnel from the same firewall, the following rules can be added to the crypto map:
Local Site:
permit ip FTD-IP DNS-Server-IP
Remote Site:
permit ip DNS-Server-IP FTD-IP
Here FTD-IP is the IP address used to tunnel the VPN traffic and DNS-Server-IP is the Remote Site DNS Server IP address.
Note that this does not affect the existing tunneled traffic, as these entries only encrypt traffic sourced from the firewall and destined to the DNS server.
Once that has been applied to the crypto maps, enable DNS queries on the FTD-IP at Platform Settings Policy.
Further Problem Description