topic Re: Reverse DNS with Context Visibility in Network Access Control

Reverse DNS with Context Visibility

Thomas Wall — Thu, 25 Jan 2018 20:03:16 GMT

Team,

I have a customer that has installed multiple distributed ISE deployments across the nation. Each deployment contains nodes from several different states and my customer has strong concerns with configuring reverse DNS pointer records across their nationwide infrastructure which includes many separate subnets. All total, there are 270 nodes. Configuring Reverse DNS is recommended in the in ISE admin guides but without configuring it, there does not seem to be an impact to normal RADIUS authentications, replication between nodes or joining nodes to the deployment. However, if we try to examine endpoints or devices under the context visibility menu of 2.2 patch 5, we receive the following error.

Unable to load Context Visibility page. Ensure that reverse DNS lookup is configured for all Cisco ISE nodes in your distributed deployment in the DNS server. Exception: blocked by: [SERVICE_UNAVAILABLE/1/state not recovered / initialized];

We further document the need for reverse DNS in the release notes: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/release_notes/ise22_rn.html#pgfId-700468.

Additionally, I understand that elastic search needs reverse DNS configured for each host in the deployment in order to work properly but do we have any enhancements on the roadmap whereby we won't rely on reverse DNS? Are there any other solutions apart from configuring reverse DNS?

Thank you,

Thomas

Re: Reverse DNS with Context Visibility

hslai — Fri, 26 Jan 2018 01:26:20 GMT

You may go ahead and file one, if you like. Please discuss any roadmap items directly with our PM team.

Re: Reverse DNS with Context Visibility

Thomas Wall — Fri, 26 Jan 2018 16:34:33 GMT

Thank you, are you aware of any solutions outside of configuring reverse DNS pointer records?

Re: Reverse DNS with Context Visibility

hslai — Fri, 26 Jan 2018 16:45:13 GMT

The current implementation mandates DNS PTR records for the ISE admin nodes for the underlying data store of context visibility. There is no other way around for ISE deployments with two PANs.

Perhaps, you may limit the resolution for the DNS servers used by the two PANs.

Re: Reverse DNS with Context Visibility

Thomas Wall — Fri, 26 Jan 2018 17:52:43 GMT

Thank you for your inputs and speedy replies. I will reach out to the ISE PM team.

Re: Reverse DNS with Context Visibility

Radwan3000 — Thu, 09 Jun 2022 12:07:37 GMT

Hi !!
I came across you post to find out to configure reverse DNS pointer ... my question is probably irrelevant to your post, but seriously how to configure a reverse DNS ? is it the same for " ip name-server x.x.x.x" ?? Im trying to do it from CLI and I can see its already working

ISE01/admin# nslookup MYPC1.MYDOMAIN.LOCAL
Trying "MYPC1.MYDOMAIN.LOCAL"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15412
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;MYPC1.MYDOMAIN.LOCAL. IN ANY

;; ANSWER SECTION:
MYPC1.MYDOMAIN.LOCAL. 1200 IN A 10.155.20.56

Received 55 bytes from 10.150.0.11#53 in 5 ms

ISE01/admin#

ISE01/admin# nslookup 10.155.20.56
Trying "56.20.155.10.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35360
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;56.20.155.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:
56.20.155.10.in-addr.arpa. 900 IN PTR

ISE01/admin# nslookup 10.155.20.56
Trying "56.20.155.10.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35360
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;56.20.155.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:
56.20.155.10.in-addr.arpa. 900 IN PTR MYPC1.MYDOMAIN.LOCAL.

Received 78 bytes from 10.150.0.11#53 in 6 ms

ISE01/admin#

Received 78 bytes from 10.150.0.11#53 in 6 ms

ISE01/admin#