05-17-2018 11:47 AM
My customer has reported ISE making a DNS query every time it sends a syslog. This doesn't seem like desirable behavior. Is this normal behavior, or should I request they open a TAC case?
It looks like ISE makes a DNS query for the syslog server prior to every syslog message. In our environment, it looks like that means a new DNS request every 0.1 seconds from each server. This is despite the DNS TTL for our syslog server being 900 seconds.
We'd probably prefer ISE to respect the DNS TTL (or at least something resembling it).
05-17-2018 03:17 PM
Hi John,
Let me do some research internally & respond to you. If the customer can't wait, please request them to open a TAC case.
- Krish
05-18-2018 08:57 AM
Hi John,
I consulted the DNS RFC & it says resource record 'may be cached' (read it as optionally cached) for the TTL time interval. So even if ISE is not honoring TTL, it is not a standard violation.
Is it possible for your customer to try a couple of options - try a different DNS and/or add a static host entry to see if there is any change. If your customer wants to pursue this further, please request them to open a TAC case.
- Krish
05-24-2018 12:45 PM
So you confirm that ISE performs a DNS query prior to sending each syslog message?
06-03-2022 05:18 AM
I understand that you can configure ISE to keep a DNS cache using the command "service cache enable hosts ttl [ttl in seconds]". Trying this myself.
06-03-2022 02:27 PM
Hi @stefan.tabell ,
Yes, but if I'm not mistaken, this command (ise/admin(config)# service cache enable ...) is an option on ISE 2.7P3+.
Regards