When building an ISE, why do I need to use DNS bidirectional lookup?

CCC3
Level 1

Hello.

When building an ISE deployment, we asked the customer to register the two redundant ISE nodes on the DNS server.

Our customer has asked us for the exact reason for, or flow of, this task.

Can anyone point me to accurate Cisco documentation or an explanation of this?

In short: is there Cisco documentation or an explanation of why it is necessary to register the IP and FQDN on the DNS server and enable two-way (forward and reverse) lookup when building a redundant Cisco ISE deployment?

2 Replies

Mark Elsen
Hall of Fame

 

 - FYI : https://community.cisco.com/t5/network-access-control/reverse-dns-in-ise-distributed-deployment/m-p/3566420#M509651

 M.



-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

Arne Bier
VIP

To be honest, the explanation from Jason Kunst gave some ideas about what will break if you don't have PTR records in place, but it never explained why the application needs such a mechanism in the first place. I can only assume that some part of the ISE software can't deal with hostnames and requires an IPv4 address instead (perhaps because of how it's stored in some internal file/database), but then later on it needs the hostname related to that IP for something (perhaps a cert check). The only way it can get a hostname for a hard-coded IP address is to perform a reverse lookup. At least that is the case for IPv4 ISE deployments; not sure what happens when ISE is deployed using IPv6, probably the same story.
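Whatever the internal reason, the practical question behind this thread is how to confirm, before registering nodes with each other, that the DNS records are bidirectionally consistent: each ISE FQDN resolves to its IP (A record) and that IP resolves back (PTR) to the same FQDN. The following is an added example, not code from this thread, from Cisco or from ISE. The node names and addresses are constructed sample data (hypothetical), chosen to show the three failure modes a practitioner usually hits: a missing PTR, a PTR that points at a stale name, and an A record that disagrees with the IP in the deployment plan. Only the `live_*` helpers touch a real resolver; the check itself runs offline against the sample tables.

```python
"""Forward/reverse DNS consistency check for ISE node registrations.

Added example, not from the thread or from Cisco. For each node it checks
that FQDN -> IP (A record) matches the planned IP and that IP -> name (PTR)
points back at the same FQDN. Names and addresses below are constructed.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample data (hypothetical deployment plan and zone contents).
PLANNED_NODES: Dict[str, str] = {
    "ise-pan-1.example.com": "10.0.0.11",
    "ise-pan-2.example.com": "10.0.0.12",
    "ise-psn-1.example.com": "10.0.0.21",   # PTR missing on purpose
    "ise-psn-2.example.com": "10.0.0.22",   # PTR points at a stale name
    "ise-mnt-1.example.com": "10.0.0.31",   # A record disagrees with plan
}
SAMPLE_FORWARD: Dict[str, str] = {          # what the A records actually say
    "ise-pan-1.example.com": "10.0.0.11",
    "ise-pan-2.example.com": "10.0.0.12",
    "ise-psn-1.example.com": "10.0.0.21",
    "ise-psn-2.example.com": "10.0.0.22",
    "ise-mnt-1.example.com": "10.0.0.33",
}
SAMPLE_REVERSE: Dict[str, str] = {          # what the PTR records actually say
    "10.0.0.11": "ise-pan-1.example.com.",  # trailing dot, as in a zone file
    "10.0.0.12": "ISE-PAN-2.example.com",   # case differs; still a match
    "10.0.0.22": "old-ise.example.com",
    "10.0.0.33": "ise-mnt-1.example.com",
}

Forward = Callable[[str], Optional[str]]
Reverse = Callable[[str], Optional[str]]


def _norm(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_node(fqdn: str, planned_ip: str,
               forward: Forward, reverse: Reverse) -> List[str]:
    """Return the list of problems for one node; empty means consistent."""
    problems: List[str] = []
    ip = forward(fqdn)
    if ip is None:
        return [f"{fqdn}: no A record"]
    if ip != planned_ip:
        problems.append(f"{fqdn}: A record {ip} != planned {planned_ip}")
    name = reverse(ip)
    if name is None:
        problems.append(f"{ip}: no PTR record")
    elif _norm(name) != _norm(fqdn):
        problems.append(f"{ip}: PTR is {name}, expected {fqdn}")
    return problems


def check_deployment(nodes: Dict[str, str],
                     forward: Forward, reverse: Reverse) -> Dict[str, List[str]]:
    """Run check_node over every planned node; keys are FQDNs."""
    return {f: check_node(f, ip, forward, reverse) for f, ip in nodes.items()}


# Resolvers backed by the constructed tables (offline).
def table_forward(table: Dict[str, str]) -> Forward:
    return lambda fqdn: table.get(fqdn)


def table_reverse(table: Dict[str, str]) -> Reverse:
    return lambda ip: table.get(ip)


# Resolvers backed by the system resolver, for use against a real deployment.
def live_forward(fqdn: str) -> Optional[str]:
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def live_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    report = check_deployment(PLANNED_NODES,
                              table_forward(SAMPLE_FORWARD),
                              table_reverse(SAMPLE_REVERSE))
    for fqdn, problems in report.items():
        print(fqdn, "OK" if not problems else "; ".join(problems))
```

To run it against a real deployment, pass `live_forward` and `live_reverse` instead of the table-backed resolvers and fill `PLANNED_NODES` with the FQDNs and IPs from the design document; the comparison is deliberately done against the planned IP, not just against whatever DNS returns, so a typo in the A record is caught as well as a missing or stale PTR.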