topic Re: ISE DNS & Syslog in Network Access Control

ISE DNS & Syslog

jlaw2@cisco.com — Thu, 17 May 2018 18:47:31 GMT

My customer has reported ISE making a DNS query every time it sends a syslog. Doesn't seem desirable behavior, is this normal behavior or should I request they open a TAC case?

It looks like ISE makes a DNS query for the syslog server prior to every syslog message. In our environment, it looks like that means a new DNS request every 0.1 seconds from each server. This is despite the DNS TTL for our syslog server being 900 seconds

We'd probably prefer ISE to respect the DNS TTL (or at least something resembling it).

Re: ISE DNS & Syslog

kvenkata1 — Thu, 17 May 2018 22:17:34 GMT

Hi John,

Let me do some research internally & respond to you. If the customer can't wait, please request them to open a TAC case.

- Krish

Re: ISE DNS & Syslog

kvenkata1 — Fri, 18 May 2018 15:57:26 GMT

Hi John,

I consulted the DNS RFC & it says resource record 'may be cached' (read it as optionally cached) for the TTL time interval. So even if ISE is not honoring TTL, it is not a standard violation.

Is it possible for your customer to try a couple of options - try a different DNS and/or add a static host entry to see if there is any change. If your customer wants to pursue this further, please request them to open a TAC case.

- Krish

Re: ISE DNS & Syslog

jlaw2@cisco.com — Thu, 24 May 2018 19:45:28 GMT

So you confirm that ISE performs a DNS query prior to sending each syslog message?

Re: ISE DNS & Syslog

stefan.tabell — Fri, 03 Jun 2022 12:18:27 GMT

I understand that you can configure ISE to keep a DNS cache using the command "service cache enable hosts ttl [ttl in seconds]". Trying this myself.

Re: ISE DNS & Syslog

Marcelo Morais — Fri, 03 Jun 2022 21:27:14 GMT

Hi @stefan.tabell ,

yes, but if I'm not mistake, this command (ise/admin(config)# service cache enable ...) is an option on ISE 2.7P3+.

Regards