A versão em Inglês deste Artigo se encontra em: ISE - What we need to know about DNS Server .
 |
Para obter uma cópia off-line ou impressa deste documento, basta escolher ⋮ Opções > Página Amigável para Impressora. Você pode então Imprimir > Imprimir em PDF ou Copiar & Colar em qualquer outro formato de documento de sua preferência. |
Introdução
A configuração do DNS Server no Cisco ISE ocorre através do comando ip name-server que deve ser realizado em cada ISE Node e somente via CLI, características:
- suporta até 3x DNS Servers
- no formato IPv4 ou IPv6
- UDP/53, TCP/53 (Cisco ISE Ports Reference)
ise/admin# configure terminal
Entering configuration mode terminal
ise/admin(config)# ip name-server ?
Description: Specify address of name server(s) to use
Possible completions:
<A.B.C.D>|<valid IPv6 format> Primary DNS server address
<A.B.C.D>|<valid IPv6 format> DNS server 2 IP address
<A.B.C.D>|<valid IPv6 format> DNS server 3 IP address
NSLookup
Antes de configurar um novo DNS Server, é recomendado testá-lo com o comando nslookup:
ise/admin# nslookup cisco.com name-server <New DNS Server IP Addr>
Trying "cisco.com"
Using domain server:
Name: <New DNS Server IP Addr>
Address: <New DNS Server IP Addr>#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53012
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 6
;; QUESTION SECTION:
;cisco.com. IN ANY
;; ANSWER SECTION:
cisco.com. 384 IN NS ns2.cisco.com.
cisco.com. 384 IN NS ns1.cisco.com.
cisco.com. 384 IN NS ns3.cisco.com.
;; ADDITIONAL SECTION:
ns2.cisco.com. 61154 IN A 64.102.255.44
ns2.cisco.com. 6494 IN AAAA 2001:420:2041:5000::a
ns1.cisco.com. 29124 IN A 72.163.5.201
ns1.cisco.com. 27324 IN AAAA 2001:420:1101:6::a
ns3.cisco.com. 61154 IN A 173.37.146.41
ns3.cisco.com. 61154 IN AAAA 2001:420:1201:7::a
Received 213 bytes from 10.123.48.21#53 in 1 ms
Configuração
IP Name-Server
Cada alteração (inclusão ou exclusão) utilizando o comando ip name-server causa a reinicialização do ISE Service:
ise/admin(config)# [no] ip name-server <New DNS IP Addr>
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE
for the change to take effect. Also note for ISE connectivity to AD, ensure all configured DNS
servers can resolve all relevant AD DNS records. If this is not the case and current AD join
points may not resolve under new DNS settings then it is recommended to manually perform leave and rejoin.
Do you want to restart ISE now?
Proceed? [yes,no] yes
Stopping Workload Connector Service...
Stopping Protocols Engine...
Stopping ISE Monitoring & Troubleshooting Log Processor...
PassiveID WMI Service is disabled
PassiveID Syslog Service is disabled
PassiveID API Service is disabled
PassiveID Agent Service is disabled
PassiveID Endpoint Service is disabled
PassiveID SPAN Service is disabled
Stopping ISE Application Server...
Stopping ISE Process Monitoring Service...
Stopping ISE Certificate Authority Service...
Stopping ISE EST Service...
ISE Sxp Engine Service is disabled
Stopping TC-NAC Service ...
VA Service is not running
ISE VA Database is not running
Segmentation Policy Service is disabled
REST Auth Service is disabled
Stopping ISE Messaging Service...
Stopping ISE API Gateway Service...
Stopping edda-url-fetcher-service Service...
Stopping edda-url-push-service Service...
Stopping ISE API Gateway Database Service...
Stopping ISE Profiler Database...
Stopping ISE Elasticsearch Service...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...
Stopping ISE Prometheus Service...
Stopping ISE Prometheus Exporter...
Stopping ISE Grafana Service...
Stopping ISE MNT LogAnalytics Elasticsearch Service...
Stopping ISE Logstash Service...
Stopping ISE Kibana Service...
Stopping ISE Native IPSec Service...
Stopping ISE Prometheus Alertmanager Service...
Verified signature of integritycheck.sums file with Swims release key
Stopping ISE Database processes...
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Application Server...
Heap size greater than 20GB : 25199260672 Bytes
Starting ISE Process Monitoring Service...
Starting ISE Profiler Database...
Starting ISE Messaging Service...
Starting ISE Native IPSec Service...
Starting ISE API Gateway Database Service...
Starting ISE API Gateway Service...
Starting ISE Elasticsearch Service...
Starting ISE MNT LogAnalytics Elasticsearch Service...
Starting ISE Logstash Service...
Starting ISE Kibana Service...
Starting ISE Prometheus Exporter...
Starting ISE Prometheus Service...
Starting ISE Grafana Service...
Starting ISE Certificate Authority Service...
NSS database for CA Service is ready
Starting ISE Monitoring & Troubleshooting Log Processor...
ISE EST service is already running, PID: <PID Number>
Starting ISE AD Connector...
Starting edda-url-fetcher-service Service...
Starting edda-url-push-service Service...
Starting ISE Prometheus Alertmanager Service...
Note: ISE Processes are initializing. Use 'show application status ise'
CLI to verify all processes are in running state.
ise/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
---------------------------------------------
...
Application Server initializing
...
Nota 1: o comando reset-config (um comando que SOMENTE pode ser executado na Console Port) redefine as configurações do ADE-OS, como Hostname, IP Addr, Mask, Def. Gateway, Domain Name, DNS Server, NTP Server e Timezone (parâmetros solicitados durante o Setup do Cisco ISE), e pode ser utilizado para reconfigurar diversos parâmetros com apenas uma única reinicialização do ISE Service. Este comando não solicita a senha de Admin do CLI, como também não "reseta" os Dados de Configuration ou Operation do Cisco ISE (realizado pelo comando application reset-config).
ise/admin# reset-config
% WARNING: This option will allow you to reset all networking settings, hostname,
% domain name, NTP servers and the timezone. Updating the hostname will cause
% any certificate using the old hostname to become invalid. A new self-signed
% certificate using the new hostname will be generated now for use with HTTPS/
% EAP. If CA-signed certs were used on this node, please import the new ones
% with the correct hostname. In addition, if the node is part of an AD domain,
% please delete any AD memberships before proceeding.
%
% All services will be restarted upon completion.
Are you sure you want to continue? (yes/no) [yes] ?
Enter hostname[<Hostname>]:
Enter IP address[<IP Addr>]:
Enter IP netmask[<Mask>]:
Enter IP default gateway[<Def. Gateway>]:
Enter default DNS domain[<Domain Name>]:
Enter primary nameserver[<DNS Server>]:
Add secondary nameserver? Y/N [N]:
Enter NTP server[<NTP Server>]:
Add another NTP server? Y/N [N]:
Enter system timezone [<Timezone>]:
Continue with the changes? Y/N [Y]:
Application services will get restarted. Do not use Ctrl-C from this point on...
Nota 2: importante ressaltar que alterar o Hostname torna inválido qualquer Certificado que use o Hostname antigo !!!
. O Cisco ISE é executado no Cisco Application Deployment Engine Operating System (ADE-OS), que é baseado no
Red Hat Enterprise Linux (RHEL). Para o Cisco ISE 3.4, o ADE-OS é baseado no RHEL 8.8.
IP Domain-Name
Para definir um Domain Name default que o Cisco ISE Server usa para completar Hostnames, use o comando ip domain-name:
ise/admin# configure terminal
Entering configuration mode terminal
ise/admin(config)# ip domain-name ?
Description: DNS search domain name
Possible completions:
<string, min: 2 chars, max: 253 chars>
Nota: atenção especial para
CSCwi56694 ISE 3.2+ has no input validation for ip domain-name in CLI
CSCwm59777 ip domain-name validation too strict, not accepting valid Domains
CSCwm00336 Domain name is not updating in the etc/hosts when bond is configured
CSCwe54931 System 360 not showing ISE Nodes w/ different DNS domain-name(s) than Primary ISE
PAN Automatic Failover
Algumas funcionalidades do Cisco ISE são afetadas pelo recurso de PAN Automatic Failover, alterações no DNS Server é uma delas, por isto é necessário remover a configuração de High Availability for Administrative Node antes da execução do comando ip name-server.
Fluxo
O Cisco ISE envia um DNS Query ao Primary DNS
Se não houver resposta do Primary DNS (tempo limite de 1 seg), então o Cisco ISE enviará um DNS Query ao Secondary DNS.
Se não houver resposta do Secondary DNS (tempo limite de 1 seg), então o Cisco ISE enviará um DNS Query ao Tertiary DNS.
Se houver resposta com um A (Address) Record válido, então o DNS Name Resolution será bem-sucedido.
Se houver resposta com um A (Address) Record inválido, então o DNS Name Resolution irá falhar sem que seja realizado o DNS Query no Secondary ou Tertiary DNS.
Nota 1: Reverse DNS é necessário para Cisco ISE Deployments, caso contrário, você poderá enfrentar vários problemas, tais como:
- Registering e Restarting Cisco ISE Nodes
- Degradação de Desempenho
Nota 2: CSCuj29194 Reverse DNS lookup requirement for ISE Nodes needs to be documented
DNS Cache
O Cisco ISE 2.7 P3 nos presenteou com um novo recurso: DNS Cache.
Os DNS Request para Hosts podem ser armazenados em Cache, reduzindo a carga no DNS Server:
ise/admin# configure terminal
Entering configuration mode terminal
ise/admin(config)# service cache enable hosts ttl ?
Possible completions:
<1-2147483647> Enter time to live in seconds for DNS cache[180]
ise/admin(config)# service cache enable hosts ttl 3600
Successfully restarted DNS cache with TTL config:3600
ise/admin(config)# no service cache enable hosts ttl
Successfully disabled DNS cache
Nota 1: no Cisco ISE 2.7 P3 não havia configuração default para TTL, o Cisco ISE 3.3+ introduziu o TTL default de 180 seg !!!
Nota 2: lembre-se que é intensa a utilização do DNS pelo Active Directory, ativar o DNS Cache em cada ISE Node é uma "best practice" !!!
Nota 3: atenção especial pra CSCwk63923 DNS cache timeout is not honored
