02-16-2021 05:00 PM
Hello
Does anyone know why an ISE node would be sending the same reverse DNS query every 10 seconds?
The PTR record exists and ISE gets a valid reply - the PTR record has a TTL of 20 minutes - why is ISE asking every 10 seconds?
In the event where ISE doesn't get a response, it will ask 6 times in rapid succession and then start the queries again, every 5 seconds. It's brutal.
Anyone know? I have A records and PTR records for all the ISE nodes and AD etc. But I don't understand why ISE is doing reverse DNS for connected endpoints.
I have never looked into this, but it might be due to Passive Identity that I recently enabled.
I am seeing reverse DNS queries for endpoints that have been authenticated through ISE.
I have disabled AD Profiling. No difference.
The background to all this inquiry is that a customer reported that when the Primary DNS server fails (Primary DNS as configured in ISE) then there will be a 5 second delay before ISE tries the next DNS server in the list. Customer was told this is a Redhat limitation. I wanted to see what ISE was using DNS for, and how frequently ...
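One way to answer the "how frequently" question from a packet capture taken on the node: the script below is an added example (not from this thread or from Cisco) that parses tcpdump-style DNS query lines, groups them by source and queried name, and flags every re-query issued while a previous answer should still have been valid for the record's TTL. The capture text is constructed for the example; the 192.168.0.x reverse names, the 10.1.1.x addresses and the resolver are placeholders, and the line format assumed is tcpdump's default `PTR? name. (len)` query output. It works for any query type (A as well as PTR), so the same check covers the AD lookups mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample capture (tcpdump-style text, not taken from a real ISE node):
# one endpoint's PTR lookup repeats every 10 s, far inside a 20-minute TTL;
# a second PTR name and one A query appear once and must not be flagged.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP 10.1.1.5.40001 > 10.1.1.10.53: 1001+ PTR? 25.0.168.192.in-addr.arpa. (44)
12:00:05.000000 IP 10.1.1.5.40002 > 10.1.1.10.53: 1002+ A? ad.example.test. (33)
12:00:10.100000 IP 10.1.1.5.40003 > 10.1.1.10.53: 1003+ PTR? 25.0.168.192.in-addr.arpa. (44)
12:00:15.000000 IP 10.1.1.5.40004 > 10.1.1.10.53: 1004+ PTR? 7.0.168.192.in-addr.arpa. (43)
12:00:20.100000 IP 10.1.1.5.40005 > 10.1.1.10.53: 1005+ PTR? 25.0.168.192.in-addr.arpa. (44)
12:00:30.100000 IP 10.1.1.5.40006 > 10.1.1.10.53: 1006+ PTR? 25.0.168.192.in-addr.arpa. (44)
"""

# One query line: timestamp, source (ip.port), resolver (port 53), id, type, name.
# Response lines and non-DNS traffic do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>\S+) > (?P<dst>\S+)\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_dns_queries(capture_text):
    """Return one dict per query line (ts, src, dst, qtype, qname), in file order."""
    records = []
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%H:%M:%S.%f")
        records.append(rec)
    return records


def find_redundant_queries(records, ttl_seconds, qtype="PTR"):
    """Group queries by (source IP, name) and count the ones sent while the
    previous answer would still be cacheable (gap to the prior query < TTL).

    Returns {qname: {source, count, min_interval, redundant}} for names that
    have at least one redundant re-query."""
    by_key = defaultdict(list)
    for rec in records:
        if rec["qtype"] == qtype:
            src_ip = rec["src"].rsplit(".", 1)[0]  # strip the ephemeral port
            by_key[(src_ip, rec["qname"])].append(rec["ts"])

    flagged = {}
    for (src_ip, qname), times in by_key.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        redundant = sum(1 for gap in gaps if gap < ttl_seconds)
        if redundant:
            flagged[qname] = {
                "source": src_ip,
                "count": len(times),
                "min_interval": min(gaps),
                "redundant": redundant,
            }
    return flagged


def summarize(capture_text, ttl_seconds, qtype="PTR"):
    """Parse a capture and report names re-queried inside ttl_seconds."""
    return find_redundant_queries(parse_dns_queries(capture_text), ttl_seconds, qtype)


if __name__ == "__main__":
    ttl = 20 * 60  # the 20-minute PTR TTL from the question
    for name, info in summarize(SAMPLE_CAPTURE, ttl).items():
        print(f"{name}: {info['count']} queries from {info['source']}, "
              f"shortest gap {info['min_interval']:.1f}s, "
              f"{info['redundant']} re-sent inside the {ttl}s TTL")
```

Run it against `tcpdump -nn -i <iface> udp port 53` output saved from the node; a name that shows a shortest gap of about 10 s with almost every query counted as redundant is exactly the pattern described in the question, and the `qtype` argument lets you check the A lookups the same way.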
02-16-2021 06:55 PM
Did you see that ISE 2.7p3 and 3.0p2 introduced DNS caching as a feature?
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/release_notes/b_ise_27_RN.html#concept_zlx_vd5_gnb
"DNS Cache
The DNS requests for hosts can be cached, thereby reducing the load on the DNS server.
This feature can be enabled in the configuration mode using the following command:
service cache enable hosts ttl ttl
To disable this feature, use the no form of this command.
no service cache enable hosts ttl ttl
Admin can choose the Time to Live (TTL) value, in seconds, for a host in the cache while enabling the cache. There is no default setting for ttl. The valid range is from 1 to 2147483647.
Note: TTL value is honored for negative responses. The TTL value set in the DNS server is honored for positive responses. If there is no TTL defined on the DNS server, then the TTL configured from the command is honored. Cache can be invalidated by disabling the feature.
Business Outcome: Load on DNS Server is reduced."
02-16-2021 07:09 PM
Thanks @Damien Miller - I hadn't spotted that - that might be the solution to their problem. Customer is on ISE 2.4 and we are planning upgrade to 2.7 p3 as we speak!
Still doesn't explain why ISE is sending all those reverse DNS queries. Do you see that in your own deployments/lab? My previous examples were from ISE 2.6 BTW.
02-16-2021 07:47 PM
Tried to disable DNS Probe? DNS probe in the profiler does reverse DNS.
02-16-2021 08:11 PM
That's a good suggestion - makes sense - I had already disabled that one. At the moment I have RADIUS, HTTP, DHCP and pxGrid enabled.
I might restart application after hours to see if anything changes. This is ISE 2.6 p8 - maybe time to upgrade to ISE 2.7 ?
02-17-2021 07:22 AM
Not sure about 2.7 or 3. I’m still using 2.6... for now.