Thanks, this is making sense with my intermittent issues. I did some digging and the vlan that the server is on has a static route configured for the DNS server on a different subnet and that other subnet is using the L3 switch to reply going around the Meraki. Unfortunately to fix this there will probably be down time while I cut over the vlan from the L3 switch to the firewall. I was hoping I could build the vlan with a different gateway, trunk the vlan to the meraki, cut over the gateway on the DNS servers from the core, remove the static route. but it wont let me build the new vlan because it overlaps with the static route (as expected) I will just wait for after hours and make the changes probably. ... View more

same result, it is live so I had to roll it back but I am testing now using allow rules and logging to the syslog server first rule is the group 2nd is just the fqdn  3rd is the IP strange thing is that it logs just 2 times for the allow rule on the first one and then nothing, although I see more traffic when I look at the flow so the DNS is resolving. ... View more

it works if I remove the deny L3 rule for the server, so its more like the meraki is having issues with the DNS name ... View more