2192 Views, 10 Helpful, 5 Replies

ISE sending Reverse DNS query every 10 seconds

Arne Bier (VIP)

Hello

Does anyone know why an ISE node would be sending the same reverse DNS query every 10 seconds?

[Image: ISE-DNS.png]

The PTR record exists and ISE gets a valid reply - the PTR record has a TTL of 20 minutes - why is ISE asking every 10 seconds?

In the event where ISE doesn't get a response, it will ask 6 times in rapid succession and then start the queries again, every 5 seconds. It's brutal.

Anyone know? I have A records and PTR records for all the ISE nodes and AD etc. But I don't understand why ISE is doing reverse DNS for connected endpoints.

I have never looked into this, but it might be due to Passive Identity that I recently enabled.

I am seeing reverse DNS queries for endpoints that have been authenticated through ISE.

I have disabled AD Profiling. No difference.

The background to all this inquiry is that a customer reported that when the Primary DNS server fails (Primary DNS as configured in ISE) there will be a 5 second delay before ISE tries the next DNS server in the list. The customer was told this is a Red Hat limitation. I wanted to see what ISE was using DNS for, and how frequently ...
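One way to confirm the symptom from the DNS server side, as an added example that is not from this thread or from Cisco: group the server's query log by client and name and flag any client that re-asks for the same record before the record's TTL could have expired (here the thread's 20-minute PTR TTL against 10-second repeats). It assumes a simplified BIND-style query log line; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified BIND-style query log line (constructed sample format), e.g.
# "10-Jan-2021 10:00:00.000 client 10.1.1.5#53412: query: 7.1.1.10.in-addr.arpa IN PTR +"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

def parse_line(line):
    """Return (timestamp, client, qname, qtype), or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), m.group("qname").lower(), m.group("qtype")

def find_ttl_violations(lines, ttl_seconds):
    """Report clients that re-query the same record sooner than ttl_seconds.
    Returns {(client, qname, qtype): {"count", "min_gap", "early"}}."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, qname, qtype = parsed
            seen[(client, qname, qtype)].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        early = sum(1 for g in gaps if g < ttl_seconds)  # repeats inside the TTL
        if early:
            report[key] = {"count": len(stamps), "min_gap": min(gaps), "early": early}
    return report

# Constructed sample: one client re-asking the same PTR every 10 s (the thread's
# symptom), another client asking once, an unrelated A query, and a junk line.
SAMPLE_LOG = [
    "10-Jan-2021 10:00:00.000 client 10.1.1.5#53412: query: 7.1.1.10.in-addr.arpa IN PTR +",
    "10-Jan-2021 10:00:10.000 client 10.1.1.5#53413: query: 7.1.1.10.in-addr.arpa IN PTR +",
    "10-Jan-2021 10:00:20.000 client 10.1.1.5#53414: query: 7.1.1.10.in-addr.arpa IN PTR +",
    "10-Jan-2021 10:00:05.000 client 10.1.1.9#40001: query: 7.1.1.10.in-addr.arpa IN PTR +",
    "10-Jan-2021 10:00:30.000 client 10.1.1.5#53415: query: ise01.example.test IN A +",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    # 1200 s = the 20-minute PTR TTL mentioned in the thread
    for key, info in find_ttl_violations(SAMPLE_LOG, ttl_seconds=1200).items():
        print(key, info)
```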

5 Replies

Damien Miller (VIP Alumni)

Did you see that ISE 2.7p3 and 3.0p2 introduced DNS caching as a feature? 
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/release_notes/b_ise_27_RN.html#concept_zlx_vd5_gnb


"DNS Cache

The DNS requests for hosts can be cached, thereby reducing the load on the DNS server.

This feature can be enabled in the configuration mode using the following command:

service cache enable hosts ttl <ttl>

To disable this feature, use the no form of this command.

no service cache enable hosts ttl <ttl>

Admin can choose the Time to Live (TTL) value, in seconds, for a host in the cache while enabling the cache. There is no default setting for ttl. The valid range is from 1 to 2147483647.

Note: TTL value is honored for negative responses. The TTL value set in the DNS server is honored for positive responses. If there is no TTL defined on the DNS server, then the TTL configured from the command is honored. Cache can be invalidated by disabling the feature.

Business Outcome: Load on DNS Server is reduced."

Thanks @Damien Miller - I hadn't spotted that - that might be the solution to their problem. The customer is on ISE 2.4 and we are planning an upgrade to 2.7 p3 as we speak!

Still doesn't explain why ISE is sending all those reverse DNS queries. Do you see that in your own deployments/lab? My previous examples were from ISE 2.6 BTW.

Have you tried disabling the DNS probe? The DNS probe in the profiler does reverse DNS.

That's a good suggestion - makes sense - I had already disabled that one. At the moment I have RADIUS, HTTP, DHCP and pxGrid enabled.

I might restart the application after hours to see if anything changes. This is ISE 2.6 p8 - maybe time to upgrade to ISE 2.7?

Not sure about 2.7 or 3. I’m still using 2.6... for now.