Field Guide

DNS resolution fails only on branch VLANs after firewall policy migration.

This guide is for incidents where headquarters and data center lookups still succeed, but remote VLANs or branch segments begin timing out or returning inconsistent answers after firewall rule changes, policy reordering, or uplink redesign.

Why this failure pattern matters.

Branch-only DNS failures usually point to path-specific policy behavior, not global resolver failure: if the resolver itself were down, headquarters and data center lookups would fail too. The important question is whether branch traffic is being blocked, translated incorrectly, routed asymmetrically, or sent to a different recursive path than expected.

Check path, resolver, and policy in that order.

  • Which DNS server the failing clients actually target from the affected VLAN.
  • Whether UDP and TCP 53 both survive the new policy path. A policy that permits only UDP 53 looks healthy for small answers but breaks truncated responses that retry over TCP, which shows up as intermittent rather than total failure.
  • Whether source NAT, policy objects, or zone mapping changed during migration.
  • Whether return traffic follows the same path back or exits through another interface. A stateful firewall that sees only one direction of the flow drops the reply, so the client observes a timeout even though the query reached the resolver.
  • Whether branch devices use different search domains, forwarders, or DHCP-scoped DNS settings.

Use a narrow test path before broad rollback.

  • Test the same query from a healthy core subnet and from the failing branch VLAN.
  • Validate destination resolver IP, query type, timeout behavior, and whether fallback resolvers appear.
  • Compare firewall hit counters and policy ordering for the branch source network only.
  • If policy migration changed objects or address groups, verify membership and translation scope.
  • Restore reachability to a single recursive path first, then revisit optimization or cleanup.
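The two checklists above reduce to one procedure: send the same query over both transports from the failing branch VLAN and from a healthy core subnet, record what each path returns, then diff the two. The script below is an added example written for this guide, not tooling from the guide's author; it uses only the Python standard library. The resolver address, the probe name, and the sample results asserted against are constructed placeholders, and the status labels (timeout, refused, wrong-source) are this example's own classification, not firewall or resolver terminology.

```python
"""Added example for this field guide (not the guide's own tooling): probe a
recursive resolver over UDP/53 and TCP/53 from one vantage point, then diff the
results captured on a healthy core subnet against the failing branch VLAN.
The resolver address, probe name and any sample results are constructed."""
import json
import random
import socket
import struct
import sys

RESOLVER = "10.0.0.53"      # assumed resolver IP; replace with the real one
PROBE_NAME = "example.com"  # assumed test name


def build_query(name, qtype=1, txid=None):
    """Minimal DNS query: one question, RD set, qtype 1 (A) by default."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Pull rcode, TC flag and answer count from the 12-byte DNS header."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or mixed-up reply)")
    return {"rcode": flags & 0x000F, "tc": bool(flags & 0x0200), "answers": an}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before full response")
        buf += chunk
    return buf


def probe(resolver, name, transport, timeout=2.0):
    """Send one query over 'udp' or 'tcp' and classify the outcome:
    timeout      -> nothing came back, the usual sign of a silent policy drop
    refused      -> RST or ICMP unreachable: a host answered, but not on 53
    wrong-source -> reply came from another IP: NAT or redirection on the path"""
    txid = random.randrange(65536)
    query = build_query(name, txid=txid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, 53))
                data, peer = s.recvfrom(4096)
                if peer[0] != resolver:
                    return {"status": "wrong-source", "from": peer[0]}
        else:
            with socket.create_connection((resolver, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
    except socket.timeout:
        return {"status": "timeout"}
    except ConnectionRefusedError:
        return {"status": "refused"}
    except OSError as exc:
        return {"status": "error", "detail": str(exc)}
    result = parse_response(data, txid)
    result["status"] = "answer"
    return result


def run_probe(resolver=RESOLVER, name=PROBE_NAME):
    """Run this from each vantage point; keep the JSON for diff_vantage."""
    return {t: probe(resolver, name, t) for t in ("udp", "tcp")}


def diff_vantage(core, branch):
    """Compare per-transport results from the healthy core and the failing branch.
    Returns a list of findings; an empty list means both paths behave alike."""
    findings = []
    for t in ("udp", "tcp"):
        c, b = core.get(t, {}), branch.get(t, {})
        if c.get("status") == "answer" and b.get("status") != "answer":
            findings.append(f"{t}/53: core answers, branch {b.get('status')}; "
                            "inspect policy order and NAT for the branch source network")
        elif c.get("status") == b.get("status") == "answer" and c["rcode"] != b["rcode"]:
            findings.append(f"{t}/53: rcode differs (core {c['rcode']}, branch {b['rcode']}); "
                            "branch may be reaching a different recursive path")
    if branch.get("udp", {}).get("tc") and branch.get("tcp", {}).get("status") != "answer":
        findings.append("udp answers are truncated and tcp/53 fails: large answers "
                        "will fail only on the branch")
    return findings


if __name__ == "__main__":
    # Usage: python dnsprobe.py [resolver] [name]  -> JSON to capture from each VLAN
    print(json.dumps(run_probe(*sys.argv[1:]), indent=2))
```

Run it once from a core host and once from a branch host, then pass the two JSON documents to diff_vantage. A branch that answers over UDP but times out over TCP, or whose UDP reply arrives from a different source address than the resolver you targeted, narrows the problem to the policy or NAT path before anyone touches the resolver or rolls the migration back.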