When building an ISE, why do I need to use DNS bidirectional lookup?

CCC3
Level 1

Hello.

When building an ISE deployment, we asked the customer to register the two ISE nodes on the DNS server for redundancy.

Our customer has asked us for the exact reason or flow behind this task.

Can anyone point me to accurate Cisco documentation or an explanation on this?

In short: is there Cisco documentation or an explanation of why it is necessary to register the IP and FQDN on the DNS server and enable two-way (forward and reverse) lookup when building a redundant Cisco ISE deployment?

2 Replies

marce1000
VIP

 - FYI : https://community.cisco.com/t5/network-access-control/reverse-dns-in-ise-distributed-deployment/m-p/3566420#M509651

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Arne Bier
VIP

To be honest, the explanation from Jason Kunst gave some ideas about what will break if you don't have PTR records in place, but it never explained why the application needs such a mechanism in the first place. I can only assume that some part of the ISE software can't deal with IP hostnames and requires an IPv4 address instead (perhaps because of how it's stored in some internal file/database), but then later on it needs the hostname related to that IP for something (perhaps a cert check). The only way it can get a hostname for a foreign IP address (its hard-coded IP address) is to perform a reverse lookup. At least that is the case for IPv4 ISE deployments; I'm not sure what happens when ISE is deployed using IPv6, but it's probably the same story.
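Whatever the internal reason, the practical requirement both replies point at is that every ISE node's FQDN must resolve to its IP (A/AAAA record) and that IP must resolve back to exactly the same FQDN (PTR record). The script below is an added example, not code from the original thread or from Cisco: it runs that bidirectional consistency check for a list of nodes before you register them into a deployment. The hostnames, the 192.0.2.0/24 and 2001:db8:: addresses, and the in-memory "zone" are constructed test data; replace the fake resolvers with the live ones (also included) to check a real DNS server.

```python
import ipaddress
import socket

# Constructed forward/reverse zone for offline demonstration (not real hosts).
# ise-pan-2's PTR is deliberately wrong and ise-bad has no PTR at all, to
# show the two failure modes the thread warns about.
FAKE_FORWARD = {
    "ise-pan-1.example.com": "192.0.2.11",
    "ise-pan-2.example.com": "192.0.2.12",
    "ise-psn-1.example.com": "2001:db8::11",
    "ise-bad.example.com": "192.0.2.13",
}
FAKE_REVERSE = {
    "192.0.2.11": "ise-pan-1.example.com",
    "192.0.2.12": "ise-pan-1.example.com",   # wrong: PTR points at the other PAN
    "2001:db8::11": "ise-psn-1.example.com",
    # "192.0.2.13" intentionally missing
}

# Nodes you intend to register, FQDN -> expected IP (constructed).
NODES = {fqdn: ip for fqdn, ip in FAKE_FORWARD.items()}


def _norm(name):
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def reverse_name(ip):
    """The PTR owner name for an IPv4 or IPv6 address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


# Fake resolvers backed by the constructed zone above.
def fake_a(fqdn):
    ip = FAKE_FORWARD.get(_norm(fqdn))
    return {ip} if ip else set()


def fake_ptr(ip):
    return FAKE_REVERSE.get(str(ipaddress.ip_address(ip)))


# Live resolvers using the system resolver (same call signatures as the fakes).
def live_a(fqdn):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()


def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_node(fqdn, expected_ip, resolve_a, resolve_ptr):
    """Verify forward (FQDN -> IP) and reverse (IP -> FQDN) agree for one node."""
    fqdn = _norm(fqdn)
    expected_ip = str(ipaddress.ip_address(expected_ip))
    problems = []

    addrs = {str(ipaddress.ip_address(a)) for a in resolve_a(fqdn)}
    if not addrs:
        problems.append("no A/AAAA record")
    elif expected_ip not in addrs:
        problems.append(f"forward lookup returned {sorted(addrs)}, expected {expected_ip}")

    ptr = resolve_ptr(expected_ip)
    if ptr is None:
        problems.append(f"no PTR record for {reverse_name(expected_ip)}")
    elif _norm(ptr) != fqdn:
        problems.append(f"PTR points to {_norm(ptr)}, not {fqdn}")

    return {"fqdn": fqdn, "ip": expected_ip, "ok": not problems, "problems": problems}


def check_deployment(nodes, resolve_a=live_a, resolve_ptr=live_ptr):
    """Run check_node over every FQDN -> IP pair; returns one result dict per node."""
    return [check_node(f, ip, resolve_a, resolve_ptr) for f, ip in nodes.items()]


if __name__ == "__main__":
    for r in check_deployment(NODES, fake_a, fake_ptr):
        status = "OK " if r["ok"] else "BAD"
        print(f"{status} {r['fqdn']} {r['ip']} {'; '.join(r['problems'])}")
```

Run it against the constructed zone and two of the four nodes fail: one because its PTR names the wrong node, one because the PTR is missing entirely. Both are exactly the conditions under which a node registration or certificate/hostname check in the deployment can fail, so fixing the reverse zone before registering the nodes is cheaper than debugging it afterwards.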