I would suggest having an ACL that does not rely on the guest IP address ranges. For example,
           Source                          Destination                          Source Port Dest Port
Index  Dir IP Address/Netmask              IP Address/Netmask              Prot Range       Range       DSCP  Action  Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
1      In  0.0.0.0/0.0.0.0                 10.1.100.21/255.255.255.255     Any  0-65535     0-65535     Any   Permit  0
2      Out 10.1.100.21/255.255.255.255     0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Permit  0
3      In  0.0.0.0/0.0.0.0                 10.1.100.10/255.255.255.255     17   0-65535     53-53       Any   Permit  0
4      Out 10.1.100.10/255.255.255.255     0.0.0.0/0.0.0.0                 17   53-53       0-65535     Any   Permit  0
5      Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 1    0-65535     0-65535     Any   Permit  0
6      Any 0.0.0.0/0.0.0.0                 0.0.0.0/0.0.0.0                 Any  0-65535     0-65535     Any   Deny    0
where 10.1.100.21 is the ISE IP address and 10.1.100.10 is the DNS IP address.
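The six rules above, run through a first-match evaluator to show which flows they permit for any guest address. This is an added example, not part of the original post or any Cisco tool; the `evaluate` helper, the sample guest and Internet addresses and ports, and the reading of "In" as traffic from the client and "Out" as traffic to the client are assumptions.

```python
import ipaddress

ANY = "0.0.0.0/0.0.0.0"
ISE = "10.1.100.21/255.255.255.255"   # ISE address from the post
DNS = "10.1.100.10/255.255.255.255"   # DNS address from the post
ALL_PORTS = (0, 65535)

# (index, dir, source, destination, protocol or None for Any, src ports, dst ports, action)
RULES = [
    (1, "In",  ANY, ISE, None, ALL_PORTS, ALL_PORTS, "Permit"),
    (2, "Out", ISE, ANY, None, ALL_PORTS, ALL_PORTS, "Permit"),
    (3, "In",  ANY, DNS, 17,   ALL_PORTS, (53, 53),  "Permit"),
    (4, "Out", DNS, ANY, 17,   (53, 53),  ALL_PORTS, "Permit"),
    (5, "Any", ANY, ANY, 1,    ALL_PORTS, ALL_PORTS, "Permit"),
    (6, "Any", ANY, ANY, None, ALL_PORTS, ALL_PORTS, "Deny"),
]

def evaluate(direction, src, dst, proto, sport=0, dport=0):
    """Return (rule index, action) for the first rule matching the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, rdir, rsrc, rdst, rproto, rsp, rdp, action in RULES:
        if rdir not in ("Any", direction):
            continue
        if s not in ipaddress.ip_network(rsrc) or d not in ipaddress.ip_network(rdst):
            continue
        if rproto is not None and rproto != proto:
            continue
        if not (rsp[0] <= sport <= rsp[1] and rdp[0] <= dport <= rdp[1]):
            continue
        return idx, action
    return None, "Deny"  # nothing matched; rule 6 makes this unreachable here

if __name__ == "__main__":
    # Constructed sample flows; guest and Internet addresses are made up.
    flows = [
        ("In",  "192.168.50.7", "10.1.100.21",  6,  51000, 8443),  # guest -> ISE, TCP
        ("In",  "172.16.9.4",   "10.1.100.10",  17, 40000, 53),    # guest -> DNS, UDP
        ("Out", "10.1.100.10",  "172.16.9.4",   17, 53, 40000),    # DNS reply
        ("In",  "192.168.50.7", "10.1.100.10",  6,  40000, 53),    # DNS over TCP
        ("In",  "192.168.50.7", "203.0.113.80", 6,  40000, 80),    # web, pre-auth
        ("In",  "192.168.50.7", "203.0.113.80", 1,  0, 0),         # ICMP
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```

The two guests sit in different subnets and get the same verdicts, which is the point of matching on the ISE and DNS destinations instead of guest ranges. Note that rule 3 covers UDP only, so DNS over TCP falls through to the deny in rule 6.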