Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1415
Views
5
Helpful
7
Replies

Cisco ESA DNS priority

ccna_security
Level 3
Level 3

‎07-16-2019 11:08 PM

HI. Could you please tell me why cisco recommends to change DNS priority to 0? I have 4 DNS server that ordered 0,1,2,3 but cisco docummentation recommends to change all to 0. why?

Labels:
0 Helpful
7 Replies 7

dmccabej
Cisco Employee
Cisco Employee

‎07-17-2019 08:21 AM - edited ‎07-17-2019 08:24 AM

Hello,

 

When you set all or multiple priorities to 0 it then attempts to balance the load of DNS requests in a round-robin type fashion. If you have maybe 1 or 2 ESA/s and a small volume of traffic, setting them as 0,1,2,3 or even 0,0,1,1 may not be that bad, but, when dealing with larger deployments you're going to want to make sure the DNS requests are balanced out as evenly as possible. The ESA relies heavily on DNS.

 

Keep in mind, this is also subjective to the number of resources available to your DNS server(s) and how well they respond to a large number of requests. Along with your network, Etc, Etc. So, your mileage may vary.

 

Thanks!

-Dennis M.

0 Helpful

ccna_security
Level 3
Level 3
In response to dmccabej

‎07-17-2019 09:44 PM

Hello Dennis

 

We only have one virtual esa and 4 dns server including google dns. Is it ok to configure all dns priority (4 dns 0,1,2,3) to 0?

0 Helpful

PankajSharma1807
Level 1
Level 1
In response to ccna_security

‎07-18-2019 07:37 AM

Hi,

 

Basically, it's up to you what kind of load balancing you want. If all DNS are having same priority i.e. 0 then request can go to any of the DNS servers on round robin fashion whereas if you want the google DNS to be first DNS server to serve all the requests and your own DNS servers to be second then you can use priority 0 for google and 1,2 ..etc for your own servers.

0 Helpful

ccna_security
Level 3
Level 3
In response to PankajSharma1807

‎07-18-2019 09:22 AM

Hi, 

What does round bobin fashion mean? 

0 Helpful

dmccabej
Cisco Employee
Cisco Employee
In response to ccna_security

‎07-18-2019 10:46 AM

Hello,

 

Quite a few things you can find out on the Internet for DNS round-robin, but, if you're looking for ESA AsyncOS specific details then we also have some information within the user guide(s) for how the priorities work and how the servers are queried.

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-5/user_guide/b_ESA_Admin_Guide_12_5/b_ESA_Admin_Guide_12_1_chapter_0100010.html#con_1145602

 

Thanks!

-Dennis M.

ccna_security
Level 3
Level 3
In response to dmccabej

‎07-18-2019 11:12 PM

Thanks Dennis

0 Helpful

PankajSharma1807
Level 1
Level 1
In response to ccna_security

‎07-19-2019 12:16 AM

Sorry typo it's DNS round-robin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents