DNS Settings (MS225)

DocB
Here to help

DNS Settings (MS225)

I have to admit I am not a fan of Meraki or any cloud based switch for that matter. But in support of a Client, I have recently installed an MS225-48FP. After setting up the switch with manually configured DNS, I not that the switch is still attempting to resolve names through Google (8.8.8.8). I have searched all through the dashboard and cannot find a solution to get this switch to stop attempting to communicate with Google.  

17 Replies

DarrenOC
Kind of a big deal

Hi @DocB , are we talking the switch management IP communicating out to Google or clients?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.

That is correct. I noted that one of Google's DNS IP addresses (8.8.8.8) was being trapped in my firewall for the management IP and was wondering why it would even be trying to query Google since I set the DNS to my own DNS server.

DocB
Here to help

To be clear, yes, the management IP of the switch.

DarrenOC
Kind of a big deal

Thanks for clearing that up. Couple of things: have you connected to the local management page of the switch? Verify there that the switch has taken the new config.

Secondly, why would you want your switch to use your internal DNS? We always use either Google DNS or Cisco Umbrella. What if your internal DNS went down?

cmr
Kind of a big deal

@DocB We use internal DNS for our switches, and do not see any requests to external DNS servers. We are running firmwares 14.21-27; what are you using?

DocB
Here to help

The version is MS 12.28.1.

According to the dashboard, this is up to date.

cmr
Kind of a big deal

@DocB the currently available firmwares are:

- 12.28.1 from March, but actually a minor bugfix of 12.28 from August last year
- 14.27 from August

12.28.1 is listed as stable but misses many features and, in my experience, fixes that are in the 14.x release train.

14.27 is listed as a stable release candidate, which means a decent percentage of the installed base is running that train (14.x) but that it is still not a majority.

Updating may not fix your issue, but as all our MS225s are running 14.x and not sending DNS queries to Google, I cannot confirm if it is a configuration issue, firmware issue or other.

As @DarrenOC said, you might be best logging a ticket as they are pretty responsive and you have confirmed that the local status page indicates that the internal DNS is in use. You could try a packet capture on the uplink port of the switch to confirm that you can see the DNS requests going to Google.

DocB
Here to help

@cmr Sounds like a firmware upgrade is a good bet. I will do that and see if I continue to see this traffic.

DocB
Here to help

@cmr By the way, packet capture shows that it is ICMP Echo (ping). I assume it is verification of Internet connectivity, but why Google and not Cisco, since I already created firewall rules to allow Cisco?
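A small parser for a capture taken on the switch uplink port, as an added example that is not from this thread or from Meraki: it separates the management IP's ICMP echo probes from actual DNS queries and flags any DNS server queried that is not the configured internal one. The switch IP 10.1.1.5, the internal DNS server 10.1.1.2 and the tcpdump lines are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` output from the uplink port (not a real capture);
# 10.1.1.5 is the assumed switch management IP, 10.1.1.2 the assumed internal DNS server.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 10.1.1.5 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.010000 IP 8.8.8.8 > 10.1.1.5: ICMP echo reply, id 1, seq 1, length 64
12:00:01.500000 IP 10.1.1.5.51234 > 10.1.1.2.53: 12345+ A? dashboard.meraki.com. (38)
12:00:02.000000 IP 10.1.1.5 > 8.8.8.8: ICMP echo request, id 1, seq 2, length 64
12:00:02.200000 IP 10.1.1.5.44321 > 8.8.8.8.53: 22222+ A? example.com. (29)
12:00:03.000000 IP 10.1.1.9.40000 > 8.8.8.8.53: 33333+ A? example.org. (29)
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ICMP_ECHO = re.compile(rf"IP {IPV4} > {IPV4}: ICMP echo request")
UDP_DNS = re.compile(rf"IP {IPV4}\.\d+ > {IPV4}\.53: ")


def summarize_capture(capture, switch_ip):
    """Count outbound packets from switch_ip by (destination, kind).

    kind is "icmp-echo" for ping probes (what uplink monitoring sends) and
    "dns" for UDP/53 queries; replies and other hosts' traffic are ignored.
    """
    counts = Counter()
    for line in capture.splitlines():
        m = ICMP_ECHO.search(line)
        if m and m.group(1) == switch_ip:
            counts[(m.group(2), "icmp-echo")] += 1
            continue
        m = UDP_DNS.search(line)
        if m and m.group(1) == switch_ip:
            counts[(m.group(2), "dns")] += 1
    return dict(counts)


def foreign_dns_destinations(summary, internal_dns):
    """DNS server IPs the switch queried that are not in the internal_dns set."""
    return sorted(dst for (dst, kind) in summary
                  if kind == "dns" and dst not in internal_dns)


if __name__ == "__main__":
    s = summarize_capture(SAMPLE_CAPTURE, "10.1.1.5")
    for (dst, kind), n in sorted(s.items()):
        print(f"{dst:16} {kind:10} {n}")
    print("foreign DNS servers queried:", foreign_dns_destinations(s, {"10.1.1.2"}))
```

On the constructed sample the switch's traffic to 8.8.8.8 is two ICMP echo requests and one DNS query, so the two behaviours the thread conflates show up as separate rows.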

cmr
Kind of a big deal

The MXs default to pinging 8.8.8.8 to verify connectivity, but I wasn't aware of the switches doing the same. In the MXs you can change the behaviour via the dashboard to go elsewhere. It would be interesting to see if it persists after upgrading to 14.27.

ww
Kind of a big deal

If I remember correctly, the MS also does ICMP on port 53 to the Google IP.

DocB
Here to help

After the upgrade I still see ICMP pings to Google. I guess I will open a support ticket and see what they say.

PhilipDAth
Kind of a big deal

I'm not sure this is the answer, but I think MSs use some of the uplink monitoring logic that MXs do.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

One of those tests uses 8.8.8.8 to try and check connectivity.

Yes, it appears it is uplink monitoring and 8.8.8.8 is the primary uplink check. I am surprised, though, that there is not a setting on the uplink management page to set the IP manually, or at least to select Cisco as the primary uplink host to check, since firewall exceptions need to be made for Cisco Meraki management regardless. The fewer rules I have to manage the better. For the moment, I have created an exception to allow ICMP between the switch and 8.8.8.8, but normally I deny that on the management network, so I have had to make a specific exception for one switch.

I opened a ticket and will wait to see what the response is. Not holding my breath, but maybe Cisco will consider a firmware upgrade that provides a means to designate the uplink check to something other than Google.

DocB
Here to help

Cisco support referred me to this link: https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/Connection_Monitoring_for_WAN_Failo...

So yes, in fact this is the expected behavior and there is no option to change it or specify a choice of IP addresses for the WAN connectivity test. It is interesting to note that with 8.8.8.8 dropped in my upstream firewall there is no failover attempt to use 209.206.55.10, or at least I see no ICMP traffic other than the attempts for 8.8.8.8, so the description of "209.206.55.10 or 8.8.8.8" must mean whichever IP Cisco decides to code in. I have also noticed that with 8.8.8.8 dropped, the Dashboard still shows the switch as Online, so I see no reason to open the firewall to allow ICMP to/from Google.

Thanks for all your input.

Yes, the uplink page of the local management shows the correct DNS (my servers). The uptime on my DNS cluster is 14 years (give or take). I have a well established cluster, so I am not worried about my DNS servers being unavailable. If they are, I will have bigger issues than just this one switch.

What is more concerning to me is that the switch is attempting to connect to a foreign DNS server after I set the DNS to my own network. It is bad enough to have to blow a hole in my management network to let this thing communicate with Cisco (a /20 network, wow); on top of that it is attempting to communicate with a foreign DNS.

DarrenOC
Kind of a big deal

Please reach out to Meraki support for further assistance.
