FQDN Policy object does not seem to be working

Solved
DarrenH
Here to help

FQDN Policy object does not seem to be working

So I have a policy object group that contains 2 domains (*.vendor.com,*.vendor.net) this group is linked to an allow L3 firewall rule.

 

I have a server that requires access to prod1.vendor.net attached to the allow, rule but the rule does not seem to be taking effect as in my syslog server I see deny hits and it is the IP address of prod1.vendor.net, what is the process that Meraki uses to resolve DNS names to the wildcard rules, other rules work just fine that use wild cards but this one does not. I have re created the rule and still have issues.

1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal

Note that the FQDN rules work by intercepting DNS queries for the domain.

 

If you access the domain, so it is cached on the machine, then create a rule - it won't take effect because your machine won't perform another DNS query that the MX can see till your existing cached entry has expired.

You may need to flush your DNS cache when creating new rules to make them take affect immediately.

 

Some DNS entries have very short TTLs, like 10s.  Rules using these often don't work, or work poorly.

View solution in original post

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal

Have you tried to allow on Content filtering?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

it works if I remove the deny L3 rule for the server, so its more like the meraki is having issues with the DNS name

alemabrahao
Kind of a big deal
Kind of a big deal

Probably your rule is configured wrong, or some ports were not allowed.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ww
Kind of a big deal
Kind of a big deal

Does it work if you just put in the fqdn in the fw rules?

DarrenH
Here to help

same result, it is live so I had to roll it back but I am testing now using allow rules and logging to the syslog server

first rule is the group

2nd is just the fqdn 

3rd is the IP

strange thing is that it logs just 2 times for the allow rule on the first one and then nothing, although I see more traffic when I look at the flow so the DNS is resolving.

PhilipDAth
Kind of a big deal
Kind of a big deal

Note that the FQDN rules work by intercepting DNS queries for the domain.

 

If you access the domain, so it is cached on the machine, then create a rule - it won't take effect because your machine won't perform another DNS query that the MX can see till your existing cached entry has expired.

You may need to flush your DNS cache when creating new rules to make them take affect immediately.

 

Some DNS entries have very short TTLs, like 10s.  Rules using these often don't work, or work poorly.

Thanks, this is making sense with my intermittent issues. I did some digging and the vlan that the server is on has a static route configured for the DNS server on a different subnet and that other subnet is using the L3 switch to reply going around the Meraki. Unfortunately to fix this there will probably be down time while I cut over the vlan from the L3 switch to the firewall. I was hoping I could build the vlan with a different gateway, trunk the vlan to the meraki, cut over the gateway on the DNS servers from the core, remove the static route. but it wont let me build the new vlan because it overlaps with the static route (as expected) I will just wait for after hours and make the changes probably.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels