Meraki

Community

FQDN Policy object does not seem to be working

Solved
DarrenH
Here to help
‎Jan 4 2023 9:23 AM
‎Jan 4 2023 9:23 AM

FQDN Policy object does not seem to be working

So I have a policy object group that contains 2 domains (*.vendor.com,*.vendor.net) this group is linked to an allow L3 firewall rule.

 

I have a server that requires access to prod1.vendor.net attached to the allow, rule but the rule does not seem to be taking effect as in my syslog server I see deny hits and it is the IP address of prod1.vendor.net, what is the process that Meraki uses to resolve DNS names to the wildcard rules, other rules work just fine that use wild cards but this one does not. I have re created the rule and still have issues.

0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 4 2023 11:50 AM
‎Jan 4 2023 11:50 AM

Note that the FQDN rules work by intercepting DNS queries for the domain.

 

If you access the domain, so it is cached on the machine, then create a rule - it won't take effect because your machine won't perform another DNS query that the MX can see till your existing cached entry has expired.

You may need to flush your DNS cache when creating new rules to make them take affect immediately.

 

Some DNS entries have very short TTLs, like 10s.  Rules using these often don't work, or work poorly.

View solution in original post

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 4 2023 9:30 AM
‎Jan 4 2023 9:30 AM

Have you tried to allow on Content filtering?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
DarrenH
Here to help
‎Jan 4 2023 9:33 AM
‎Jan 4 2023 9:33 AM

it works if I remove the deny L3 rule for the server, so its more like the meraki is having issues with the DNS name

0 Kudos
In response to DarrenH
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 4 2023 9:38 AM
‎Jan 4 2023 9:38 AM

Probably your rule is configured wrong, or some ports were not allowed.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to DarrenH
ww
Kind of a big deal
Kind of a big deal
‎Jan 4 2023 9:45 AM
‎Jan 4 2023 9:45 AM

Does it work if you just put in the fqdn in the fw rules?

0 Kudos
In response to ww
DarrenH
Here to help
‎Jan 4 2023 10:21 AM
‎Jan 4 2023 10:21 AM

same result, it is live so I had to roll it back but I am testing now using allow rules and logging to the syslog server

first rule is the group

2nd is just the fqdn 

3rd is the IP

strange thing is that it logs just 2 times for the allow rule on the first one and then nothing, although I see more traffic when I look at the flow so the DNS is resolving.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 4 2023 11:50 AM
‎Jan 4 2023 11:50 AM

Note that the FQDN rules work by intercepting DNS queries for the domain.

 

If you access the domain, so it is cached on the machine, then create a rule - it won't take effect because your machine won't perform another DNS query that the MX can see till your existing cached entry has expired.

You may need to flush your DNS cache when creating new rules to make them take affect immediately.

 

Some DNS entries have very short TTLs, like 10s.  Rules using these often don't work, or work poorly.

In response to PhilipDAth
DarrenH
Here to help
‎Jan 4 2023 12:07 PM
‎Jan 4 2023 12:07 PM

Thanks, this is making sense with my intermittent issues. I did some digging and the vlan that the server is on has a static route configured for the DNS server on a different subnet and that other subnet is using the L3 switch to reply going around the Meraki. Unfortunately to fix this there will probably be down time while I cut over the vlan from the L3 switch to the firewall. I was hoping I could build the vlan with a different gateway, trunk the vlan to the meraki, cut over the gateway on the DNS servers from the core, remove the static route. but it wont let me build the new vlan because it overlaps with the static route (as expected) I will just wait for after hours and make the changes probably.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.