ISE 2.6 dual DNS

Martin_Bielik
Level 1

We would like to use 2 DNS servers in ISE 2.6. The first for resolution of ISE personas, DNAC and network services (like backup, LDAP, NTP, ...). The second for resolution of Active Directory, network authentication devices and endpoints. Is this somehow possible in ISE?

4 Replies

NiTech
Level 1

I think it's possible.

ISE will support multi-domain.

Cristian Matei
VIP Alumni

Hi,

Your best and only call would be to have 2 or more DNS servers, which actually are DNS servers that are members of your Active Directory, and those DNS servers need to be able to resolve everything, either directly (for AD resources) or by forwarding the request to another DNS server which resolves public resources.

Is there a specific reason for you wanting to "separate" the DNS queries, like AD-based DNS queries and other DNS-based queries?

Regards,

Cristian Matei.

Our plan is to have ISE, DNAC and network services in the DMZ with a dedicated DNS server, and our AD (with integrated DNS) is in the "office" network. These 2 DNS servers are not linked for security reasons.

So you mean that the only solution is to set our DMZ DNS server as the DNS server in ISE and, on the DMZ DNS server, set up some kind of conditional forwarder, so that if ISE wants to resolve a DNS name from AD, the DMZ DNS server will forward this request to our "office" DNS (AD)?

Accepted Solution

Hi,

If you want AD integration and you want it to work, all DNS servers configured in ISE need to respond to the relevant AD queries, thus they need to be DNS servers that are members of your AD scheme. This is NOT an ISE restriction, ISE just conforms with AD restrictions. Options:

1. Configure your internal DNS servers in ISE for AD integration (firewall rule to allow ISE to speak DNS with the internal DNS server), and for ISE to resolve public FQDNs, configure your internal DNS server as a forwarder towards your DMZ internal server (this should already be done if you don't have a proxy for user Internet access, as some DNS server needs to resolve Internet resources).

2. Deploy a read-only Domain Controller in the DMZ, use it as the DNS server, and point ISE towards this DNS server, which in turn forwards Internet FQDN resolution to your other DNS server from the DMZ; this way you never expose the read-only DC to the Internet, neither inbound nor outbound; even though it's more secure by design, being read-only, you still don't expose it to the Internet.

Regards,
Cristian Matei.

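The accepted answer's requirement is that every DNS server ISE is pointed at must answer the Active Directory queries, whether it hosts the AD zones itself or forwards them. The script below is an added example for this thread, not code from Cisco, Microsoft or anyone in the discussion: it checks that requirement before ISE is touched, using only the Python standard library to build an SRV query on the wire, send it to each candidate server, and parse the reply. The domain `example.test`, the server addresses and the sample response packet are constructed placeholders, not values from the thread.

```python
"""Check that every DNS server intended for ISE answers the SRV lookups
AD domain-controller discovery depends on. Added example; stdlib only."""
import random
import socket
import struct

QTYPE_SRV = 33
QCLASS_IN = 1

# SRV names AD clients (ISE included) resolve to locate domain controllers.
AD_SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.{domain}",
)


def encode_name(name):
    """Dotted name -> DNS label wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_srv_query(name, txid):
    """Recursive (RD=1) query for one SRV record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                           # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg, txid):
    """Return (rcode, [SRV records]) from a response to our query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                             # skip echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append({"priority": prio, "weight": weight,
                            "port": port, "target": target})
        off += rdlen
    return flags & 0x0F, records


def query_srv(server, name, timeout=3.0):
    """Send one SRV query over UDP to `server`; OSError on timeout."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, txid)


def check_servers(servers, domain, lookup=query_srv):
    """server -> list of AD names it failed to answer; empty list = usable."""
    problems = {}
    for server in servers:
        missing = []
        for tmpl in AD_SRV_TEMPLATES:
            name = tmpl.format(domain=domain)
            try:
                rcode, records = lookup(server, name)
            except (OSError, ValueError) as exc:
                missing.append(f"{name}: {exc}")
                continue
            if rcode != 0 or not records:
                missing.append(f"{name}: rcode={rcode}, answers={len(records)}")
        problems[server] = missing
    return problems


# Constructed sample reply (not captured from a real server): NOERROR answer
# for the _ldap SRV name, txid 0x1234, one record dc1.example.test:389, with
# name compression as real servers use it (0xC00C -> question name at
# offset 12, 0xC021 -> the "example.test" labels at offset 33).
SAMPLE_QNAME = "_ldap._tcp.dc._msdcs.example.test"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name(SAMPLE_QNAME) + struct.pack("!HH", QTYPE_SRV, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, QCLASS_IN, 600, 12)
    + struct.pack("!HHH", 0, 100, 389) + b"\x03dc1\xC0\x21"
)

if __name__ == "__main__":
    print(parse_srv_response(SAMPLE_RESPONSE, 0x1234))   # offline demo
    # Live use with assumed addresses: all lists must come back empty.
    # print(check_servers(["192.0.2.10", "192.0.2.11"], "example.test"))
```

Run it against exactly the list of servers you intend to configure as ISE's name servers, from a host with the same network position as the ISE node so that firewall rules are exercised too; any server whose list is not empty will break DC discovery. If the DMZ server only answers through a conditional forwarder, that forwarder has to cover both the `_msdcs` subdomain and the domain itself, which is why both names are queried.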