I've noticed an anomaly.
When I was troubleshooting this on Friday, "show firewall dns-names" included the name of my test pc and showed it was in use, but did not list an IP address. There was no problem with the controller resolving the name, as I could ping the hostname.
When I put the entry back in over the weekend and ran the same command, suddenly the address is there, so I thought that was my mistake and I'd missed it previously. I was wrong.
Came into the office this morning, and with the resolved IP listed in the firewall dns-names it's working as expected.
I've removed the entry, saved, verified it's gone from the local controller, re-added, saved, verified it's there... and look: no worky.
However, if I ping the hostname (to check the name resolves correctly), it's then resolved in the firewall.
(Arubal2) #show firewall dns-names | include netpc
netpc002.york.ac.uk 98 1
(Arubal2) #ping netpc002.york.ac.uk
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 144.32.226.185, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.214/0.2648/0.386 ms
(Arubal2) #show firewall dns-names | include netpc
netpc002.york.ac.uk 98 1 144.32.226.185
I've verified this behaviour with all the hostnames I've added to this netdestination. Left to its own devices the firewall does not resolve the name, but once I ping the host from that controller it works.
My conclusion from this is that there's no problem with the policy; that works just fine, but there is a problem with the firewall not resolving the name.
This feels like a bug to me.
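A quick check for the condition described above, added here as an example (not code from the original post or from Aruba): it parses pasted "show firewall dns-names" output and lists hostnames that are in use by a netdestination but have no resolved address, which is exactly the state in which the policy silently matches nothing. The column layout (hostname, id, in-use count, then resolved IPv4 addresses) is an assumption read from the two output lines quoted in the post; the numeric column meanings are not documented here.

```python
import re
from typing import List, NamedTuple, Tuple

# Assumed layout of each entry line, taken from the post's output:
#   <hostname> <id> <in-use count> [<resolved IPv4 address> ...]
ENTRY_RE = re.compile(r"^(?P<name>\S+)\s+(?P<id>\d+)\s+(?P<in_use>\d+)(?P<rest>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

class DnsName(NamedTuple):
    name: str
    in_use: int
    addresses: Tuple[str, ...]

def parse_dns_names(output: str) -> List[DnsName]:
    """Parse 'show firewall dns-names' output as pasted from a CLI session.
    Prompt lines such as '(Arubal2) #show ...' and ping output do not match
    the entry pattern and are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        addrs = tuple(IPV4_RE.findall(m.group("rest")))
        entries.append(DnsName(m.group("name"), int(m.group("in_use")), addrs))
    return entries

def unresolved_in_use(output: str) -> List[str]:
    """Hostnames referenced by a netdestination (in-use > 0) that the firewall
    has not resolved. Any policy built on these names cannot match traffic yet."""
    return [e.name for e in parse_dns_names(output) if e.in_use > 0 and not e.addresses]

# Sample sessions constructed from the post's output, plus one constructed
# unused entry (in-use 0) that should not be reported.
SAMPLE_BEFORE_PING = """(Arubal2) #show firewall dns-names | include netpc
netpc002.york.ac.uk 98 1
unused-host.example.net 99 0
"""
SAMPLE_AFTER_PING = """(Arubal2) #show firewall dns-names | include netpc
netpc002.york.ac.uk 98 1 144.32.226.185
unused-host.example.net 99 0
"""

if __name__ == "__main__":
    print("before ping, unresolved:", unresolved_in_use(SAMPLE_BEFORE_PING))
    print("after ping, unresolved:", unresolved_in_use(SAMPLE_AFTER_PING))
```

Run it periodically (or after saving a netdestination change) against the controller output to catch entries that are in use but still unresolved, rather than discovering it from a policy that does not work.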