Cisco Support Community
Community Member

enabling nslookups via rules - help

I can't do nslookups through our PIX from my PC. What do I need to do?


Re: enabling nslookups via rules - help

What error are you getting?

Have you tried specifying a specific DNS to query? Internal or external?

Have you tried "dig"? "dig" is not available on MS Windows, but can be downloaded. It is the "new nslookup" and gives more/better information.

Let us know


Community Member

Re: enabling nslookups via rules - help

Sorry, it's nslookups to external Internet addresses like ; internal is fine, so I believe it must be a PIX rule I need to create?


Re: enabling nslookups via rules - help

It may be the configuration of your internal DNS.

By default, nslookup will use the DNS defined for that PC. If that DNS doesn't have the record (either defined or cached), it should kick it up to the next level of DNS.

You can specify a specific DNS to use:

Commands:   (identifiers are shown in uppercase, [] means optional)
NAME            - print info about the host/domain NAME using default server
NAME1 NAME2     - as above, but use NAME2 as server
help or ?       - print info on common commands
set OPTION      - set an option
    all                 - print options, current server and host
    [no]debug           - print debugging information
    [no]d2              - print exhaustive debugging information
    [no]defname         - append domain name to each query
    [no]recurse         - ask for recursive answer to query
    [no]search          - use domain search list
    [no]vc              - always use a virtual circuit
    domain=NAME         - set default domain name to NAME
    srchlist=N1[/N2/.../N6] - set domain to N1 and search list to N1,N2, etc.
    root=NAME           - set root server to NAME
    retry=X             - set number of retries to X
    timeout=X           - set initial time-out interval to X seconds
    type=X              - set query type (ex. A,ANY,CNAME,MX,NS,PTR,SOA,SRV)
    querytype=X         - same as type
    class=X             - set query class (ex. IN (Internet), ANY)
    [no]msxfr           - use MS fast zone transfer
    ixfrver=X           - current version to use in IXFR transfer request
server NAME     - set default server to NAME, using current default server
lserver NAME    - set default server to NAME, using initial server
finger [USER]   - finger the optional NAME at the current default host
root            - set current default server to the root
ls [opt] DOMAIN [> FILE] - list addresses in DOMAIN (optional: output to FILE)
    -a          - list canonical names and aliases
    -d          - list all records
    -t TYPE     - list records of the given type (e.g. A,CNAME,MX,NS,PTR etc.)
view FILE       - sort an 'ls' output file and view it with pg
exit            - exit the program

You can get the above list by just entering "nslookup" at the command prompt.

nslookup uses the same port(s) as DNS to get through the firewall, so if an external query (like ) works, nslookup should work too (unless specifically restricted to the internal DNS as a source address in some access-list).

Try using the DNS of your home ISP (or other DNS that exists outside of your network - use the "name2" option, like nslookup ).

Good Luck
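The point above is that nslookup is nothing more than a DNS client: a "nslookup NAME SERVER" test sends an ordinary query to port 53 of SERVER, and when that SERVER is outside the PIX the packet has to be permitted from the PC's own address, not just from the internal DNS server's. The script below is an added example, not from this thread or from Cisco, that does the same thing by hand so you can see exactly what crosses the firewall: it builds a standard A query, sends it over UDP/53 to a chosen resolver, retries over TCP/53 if the answer comes back truncated, and decodes the answer section. The two resolver addresses in the main block are placeholders (assumptions for illustration), as is the name being looked up; run it once against your internal DNS and once against an outside resolver to see which path times out.

```python
"""Minimal DNS client in the spirit of 'nslookup NAME SERVER' (added example,
not code from the original thread). Builds an A query, sends it over UDP/53
to the resolver you pick (the thread's 'name2'), retries over TCP/53 when the
answer is truncated, and parses the answer section."""
import socket
import struct

RTYPE_NAMES = {1: "A", 5: "CNAME"}


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN.
    Flags 0x0100 = standard query with recursion desired (nslookup's 'set recurse')."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes, txid: int):
    """Return (rcode, truncated, [(name, ttl, type, value), ...]) from a DNS reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not our answer")
    rcode, truncated = flags & 0xF, bool(flags & 0x0200)
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        rname, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = socket.inet_ntoa(rdata)
        elif rtype == 5:
            value, _ = _read_name(msg, off)
        else:
            value = rdata.hex()
        records.append((rname, ttl, RTYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return rcode, truncated, records


def resolve(name: str, server: str, timeout: float = 3.0):
    """Query SERVER for NAME over UDP/53; retry over TCP/53 if the TC bit is set.
    A rule that permits only udp/53 outbound breaks the TCP retry, so large
    answers can fail while everyday browsing still works."""
    txid = 0x4242
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        data, _ = udp.recvfrom(4096)
    rcode, truncated, records = parse_response(data, txid)
    if truncated:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", tcp.recv(2))[0]
            data = b""
            while len(data) < length:
                data += tcp.recv(length - len(data))
        rcode, truncated, records = parse_response(data, txid)
    return rcode, records


if __name__ == "__main__":
    # Placeholder resolvers (assumptions): first the internal DNS, then one
    # outside the PIX. A timeout on the second only points at the firewall.
    for srv in ("192.0.2.53", "198.51.100.53"):
        try:
            print(srv, resolve("www.cisco.com", srv))
        except OSError as exc:
            print(srv, "FAILED:", exc)
```

If the query to the internal DNS answers and the one to the outside resolver times out, look at the PIX: "show access-list" on the firewall will show whether outbound udp/53 (and tcp/53) is permitted from any inside host or only from the internal DNS server's address, which is the "restricted to the internal DNS as a source address" case mentioned above.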


Community Member

Re: enabling nslookups via rules - help

Thing is, I can resolve Internet pages fine; if I do a ping it comes back with the IP, but nslookup won't. It just isn't my area of knowledge here.
