Martin_Bielik
Beginner

ISE 2.6 dual DNS

We would like to use 2 DNS servers in ISE 2.6: the first for resolution of ISE personas, DNAC and network services (like backup, LDAP, NTP, ...), the second for resolution of Active Directory, network authentication devices and endpoints. Is this somehow possible in ISE?

Accepted Solution

Hi,

If you want AD integration and you want it to work, all DNS servers configured in ISE need to respond to the relevant AD queries, thus they need to be DNS servers that are members of your AD scheme. This is NOT an ISE restriction; ISE just conforms with AD restrictions. Options:

1. Configure your internal DNS servers in ISE for AD integration (firewall rule to allow ISE to speak DNS with the internal DNS server), and for ISE to resolve public FQDNs, configure your internal DNS server as a forwarder towards your DMZ internal server (this should already be done if you don't have a proxy for user Internet access, as some DNS server needs to resolve Internet resources).

2. Deploy a read-only Domain Controller in the DMZ, use it as the DNS server, and point ISE towards this DNS server, which in turn forwards Internet FQDN resolution to your other DNS server in the DMZ; this way you never expose the read-only DC to the Internet, neither inbound nor outbound; even though it's more secure by design, being read-only, you still don't expose it to the Internet.

Regards,
Cristian Matei.

4 Replies
NiTech
Beginner

I think it's possible.

ISE will support multi-domain.
Cristian Matei
VIP Collaborator

Hi,

Your best and only call would be to have 2 or more DNS servers which actually are DNS servers that are members of your Active Directory, and those DNS servers need to be able to resolve everything, either directly (for AD resources) or by forwarding the request to another DNS server which resolves public resources.

Is there a specific reason for you wanting to "separate" the DNS queries, like AD-based DNS queries and other DNS queries?

Regards,

Cristian Matei.

Our plan is to have ISE, DNAC and network services in the DMZ with a dedicated DNS server, and our AD (with integrated DNS) is in the "office" network. These 2 DNS servers are not linked, for security reasons.

So you mean that the only solution is to set our DMZ DNS server as the DNS server in ISE and, on the DMZ DNS server, set up some kind of conditional forwarder, so that if ISE wants to resolve a DNS name from AD, the DMZ DNS server will forward this request to our "office" DNS (AD)?

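Added example, not from the thread and not Cisco's code: a small standard-library Python script that performs the check the accepted answer implies before ISE is joined to AD. Each DNS server that ISE would be configured with is asked for the `_ldap._tcp.dc._msdcs.<AD domain>` SRV record that domain-controller discovery relies on. A DNS server that is an AD member, or one that conditionally forwards the AD zone to such a server (the setup Martin proposes for the DMZ resolver), answers with the domain controllers; a standalone DMZ resolver with no forwarder returns NXDOMAIN. The AD domain `corp.example`, the addresses `10.0.0.10` and `192.0.2.53`, and all function names are constructed assumptions. `demo()` simulates both kinds of server offline; `check_dns_servers()` with its default transport sends real UDP queries to the addresses you pass it.

```python
# Added example: verify that each DNS server ISE would use can answer the AD
# domain-controller SRV lookup. Standard library only; names and addresses in
# demo() are constructed placeholders, not values from the thread.
import random
import socket
import struct

SRV_TYPE = 33  # DNS RR type for SRV


def _encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name: str, txid: int) -> bytes:
    """Recursion-desired SRV/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", SRV_TYPE, 1)


def _read_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while packet[offset] != 0:
        length = packet[offset]
        if length >= 0xC0:  # compression pointer: remember where we left off
            end = end or offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
        else:
            labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length
    return ".".join(labels), end or offset + 1


def parse_srv_answer(packet: bytes, txid: int):
    """Return (rcode, [(priority, weight, port, target), ...]) from a reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(packet, offset)
        offset += 4
    targets = []
    for _ in range(an):
        _, offset = _read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", packet[offset:offset + 6])
            target, _ = _read_name(packet, offset + 6)
            targets.append((prio, weight, port, target))
        offset += rdlen
    return flags & 0x000F, targets


def udp_query(server: str, packet: bytes, timeout: float = 2.0) -> bytes:
    """Default transport: send `packet` to `server`:53 over UDP, return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recv(4096)


def check_dns_servers(servers, ad_domain, send=udp_query):
    """Map each server to an OK/FAIL verdict for the AD DC SRV record."""
    name = f"_ldap._tcp.dc._msdcs.{ad_domain.strip('.')}"
    verdicts = {}
    for server in servers:
        txid = random.randrange(0x10000)
        try:
            rcode, targets = parse_srv_answer(send(server, build_srv_query(name, txid)), txid)
        except (OSError, ValueError, IndexError, struct.error) as exc:
            verdicts[server] = f"FAIL: no usable reply ({exc})"
            continue
        if rcode == 0 and targets:
            verdicts[server] = "OK: " + ", ".join(t[3] for t in targets)
        elif rcode == 3:
            verdicts[server] = "FAIL: NXDOMAIN - server neither hosts nor forwards the AD zone"
        else:
            verdicts[server] = f"FAIL: rcode {rcode} with {len(targets)} SRV records"
    return verdicts


def build_srv_response(query: bytes, records, rcode: int = 0) -> bytes:
    """Construct a reply to `query`; used only to simulate servers offline."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = _read_name(query, 12)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    body = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(target)
        body += b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, 1, 600, len(rdata)) + rdata
    return header + query[12:qend + 4] + body


def demo():
    """Offline simulation: an AD-member DNS answers, a standalone DMZ DNS does not."""
    ad_dns = "10.0.0.10"    # constructed: DNS server that is an AD member
    dmz_dns = "192.0.2.53"  # constructed: DMZ DNS with no forwarder for the AD zone

    def fake_send(server, packet):
        if server == ad_dns:
            return build_srv_response(packet, [(0, 100, 389, "dc1.corp.example"),
                                               (0, 100, 389, "dc2.corp.example")])
        return build_srv_response(packet, [], rcode=3)

    return check_dns_servers([ad_dns, dmz_dns], "corp.example", send=fake_send)


if __name__ == "__main__":
    for server, verdict in demo().items():
        print(f"{server}: {verdict}")
```

Against real infrastructure, call `check_dns_servers(["<dns-1>", "<dns-2>"], "<your AD domain>")` with the exact addresses that will be entered on the ISE node; every server must come back OK, which is the condition in the accepted answer. If the DMZ resolver reports NXDOMAIN, it needs either AD membership or a conditional forwarder for the AD zone towards the office DNS, and the firewall between the two must permit DNS for that path.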
