The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre DNS Server (ISE - What we need to know about DNS Server).

 


 

Introduction

DNS Server configuration on Cisco ISE is done through the ip name-server command, which must be executed on each ISE Node and ONLY via the CLI (there is no GUI equivalent). Up to three name servers can be configured:

 

ise/admin# configure terminal
Entering configuration mode terminal

ise/admin(config)# ip name-server ?
Description: Specify address of name server(s) to use
Possible completions:
<A.B.C.D>|<valid IPv6 format> Primary DNS server address
<A.B.C.D>|<valid IPv6 format> DNS server 2 IP address
<A.B.C.D>|<valid IPv6 format> DNS server 3 IP address

 

NSLookup

Before configuring a new DNS Server, test it from the ISE CLI with the nslookup command, which lets you direct the query at a specific server (the query type is ANY, so the reply lists the zone's NS records plus their A/AAAA glue in the ADDITIONAL SECTION):

 

ise/admin# nslookup cisco.com name-server <New DNS Server IP Addr>
Trying "cisco.com"
Using domain server:
Name: <New DNS Server IP Addr>
Address: <New DNS Server IP Addr>#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53012
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 6

;; QUESTION SECTION:
;cisco.com. IN ANY

;; ANSWER SECTION:
cisco.com. 384 IN NS ns2.cisco.com.
cisco.com. 384 IN NS ns1.cisco.com.
cisco.com. 384 IN NS ns3.cisco.com.

;; ADDITIONAL SECTION:
ns2.cisco.com. 61154 IN A 64.102.255.44
ns2.cisco.com. 6494 IN AAAA 2001:420:2041:5000::a
ns1.cisco.com. 29124 IN A 72.163.5.201
ns1.cisco.com. 27324 IN AAAA 2001:420:1101:6::a
ns3.cisco.com. 61154 IN A 173.37.146.41
ns3.cisco.com. 61154 IN AAAA 2001:420:1201:7::a

Received 213 bytes from 10.123.48.21#53 in 1 ms

 

Configuration

IP Name-Server

Each change (addition or deletion) using the ip name-server command prompts for a restart of the ISE application services; the change only takes effect after that restart, so plan for the node's services to be unavailable while they are stopped and started again:

 

ise/admin(config)# [no] ip name-server <New DNS IP Addr>
DNS Server was modified. If you modified this setting for AD connectivity, you must restart ISE
for the change to take effect. Also note for ISE connectivity to AD, ensure all configured DNS
servers can resolve all relevant AD DNS records. If this is not the case and current AD join
points may not resolve under new DNS settings then it is recommended to manually perform leave and rejoin.
Do you want to restart ISE now?
Proceed? [yes,no] yes

Stopping Workload Connector Service...
Stopping Protocols Engine...
Stopping ISE Monitoring & Troubleshooting Log Processor...
PassiveID WMI Service is disabled
PassiveID Syslog Service is disabled
PassiveID API Service is disabled
PassiveID Agent Service is disabled
PassiveID Endpoint Service is disabled
PassiveID SPAN Service is disabled
Stopping ISE Application Server...
Stopping ISE Process Monitoring Service...
Stopping ISE Certificate Authority Service...
Stopping ISE EST Service...
ISE Sxp Engine Service is disabled
Stopping TC-NAC Service ...
VA Service is not running
ISE VA Database is not running
Segmentation Policy Service is disabled
REST Auth Service is disabled
Stopping ISE Messaging Service...
Stopping ISE API Gateway Service...
Stopping edda-url-fetcher-service Service...
Stopping edda-url-push-service Service...
Stopping ISE API Gateway Database Service...
Stopping ISE Profiler Database...
Stopping ISE Elasticsearch Service...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE AD Connector...
Stopping ISE Database processes...
Stopping ISE Prometheus Service...
Stopping ISE Prometheus Exporter...
Stopping ISE Grafana Service...
Stopping ISE MNT LogAnalytics Elasticsearch Service...
Stopping ISE Logstash Service...
Stopping ISE Kibana Service...
Stopping ISE Native IPSec Service...
Stopping ISE Prometheus Alertmanager Service...
Verified signature of integritycheck.sums file with Swims release key
Stopping ISE Database processes...
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Application Server...
Heap size greater than 20GB : 25199260672 Bytes
Starting ISE Process Monitoring Service...
Starting ISE Profiler Database...
Starting ISE Messaging Service...
Starting ISE Native IPSec Service...
Starting ISE API Gateway Database Service...
Starting ISE API Gateway Service...
Starting ISE Elasticsearch Service...
Starting ISE MNT LogAnalytics Elasticsearch Service...
Starting ISE Logstash Service...
Starting ISE Kibana Service...
Starting ISE Prometheus Exporter...
Starting ISE Prometheus Service...
Starting ISE Grafana Service...
Starting ISE Certificate Authority Service...
NSS database for CA Service is ready
Starting ISE Monitoring & Troubleshooting Log Processor...
ISE EST service is already running, PID: <PID Number>
Starting ISE AD Connector...
Starting edda-url-fetcher-service Service...
Starting edda-url-push-service Service...
Starting ISE Prometheus Alertmanager Service...
Note: ISE Processes are initializing. Use 'show application status ise'
CLI to verify all processes are in running state.

 

ise/admin# show application status ise
ISE PROCESS NAME STATE PROCESS ID
---------------------------------------------
...
Application Server initializing
...

 

Note 1: the reset-config command (a command that can ONLY be run from the Console Port) resets the ADE-OS settings, such as Hostname, IP Addr, Mask, Def. Gateway, Domain Name, DNS Server, NTP Server and Timezone (the parameters requested during Cisco ISE Setup), and can be used to reconfigure several of these parameters with just a single restart of the ISE Service. This command does not request the CLI Admin password, nor does it "reset" the Cisco ISE Configuration or Operational Data (that is done by the application reset-config command).

ise/admin# reset-config
% WARNING: This option will allow you to reset all networking settings, hostname,
% domain name, NTP servers and the timezone. Updating the hostname will cause
% any certificate using the old hostname to become invalid. A new self-signed
% certificate using the new hostname will be generated now for use with HTTPS/
% EAP. If CA-signed certs were used on this node, please import the new ones
% with the correct hostname. In addition, if the node is part of an AD domain,
% please delete any AD memberships before proceeding.
%
% All services will be restarted upon completion.
Are you sure you want to continue? (yes/no) [yes] ?
Enter hostname[<Hostname>]:
Enter IP address[<IP Addr>]:
Enter IP netmask[<Mask>]:
Enter IP default gateway[<Def. Gateway>]:
Enter default DNS domain[<Domain Name>]:
Enter primary nameserver[<DNS Server>]:
Add secondary nameserver? Y/N [N]:
Enter NTP server[<NTP Server>]:
Add another NTP server? Y/N [N]:
Enter system timezone [<Timezone>]:
Continue with the changes? Y/N [Y]:
Application services will get restarted. Do not use Ctrl-C from this point on...

 

Note 2: it is important to note that changing the Hostname invalidates any Certificate that uses the old Hostname !!!

 

Cisco ISE runs on the Cisco Application Deployment Engine Operating System (ADE-OS), which is based on Red Hat Enterprise Linux (RHEL). For Cisco ISE 3.4, ADE-OS is based on RHEL 8.8.

 

IP Domain-Name

To define the default Domain Name (DNS search domain) that Cisco ISE uses to complete unqualified Hostnames, use the ip domain-name command:

 

ise/admin# configure terminal
Entering configuration mode terminal

ise/admin(config)# ip domain-name ?
Description: DNS search domain name
Possible completions:
<string, min: 2 chars, max: 253 chars>

 

Note: special attention to the following bugs:

  • CSCwi56694 ISE 3.2+ has no input validation for ip domain-name in CLI
  • CSCwm59777 ip domain-name validation too strict, not accepting valid Domains
  • CSCwm00336 Domain name is not updating in the etc/hosts when bond is configured
  • CSCwe54931 System 360 not showing ISE Nodes w/ different DNS domain-name(s) than Primary ISE

 

PAN Automatic Failover

Some Cisco ISE functionalities are affected by PAN Automatic Failover, and changes to the DNS Server are one of them: the ip name-server command restarts the application services on the node, and on the Primary PAN that restart looks exactly like the outage the failover mechanism reacts to. Remove (disable) the High Availability for Administrative Node configuration before executing the ip name-server command, and re-enable it only after every node is back in the running state.

 

Flow

Cisco ISE sends the DNS Query to the Primary DNS.

If there is no response from the Primary DNS (1 sec timeout), Cisco ISE sends the DNS Query to the Secondary DNS.

If there is no response from the Secondary DNS (1 sec timeout), Cisco ISE sends the DNS Query to the Tertiary DNS.

If a server responds with a valid A (Address) Record, the DNS Name Resolution is successful.

If a server responds but the answer carries no valid A (Address) Record (for example NXDOMAIN or an empty answer), the DNS Name Resolution fails immediately: the Secondary and Tertiary DNS are NOT queried. Failover only happens when a server does not answer, never when it answers negatively, which is why every configured DNS Server must be able to resolve the same records (in particular the Active Directory ones, as the warning printed by ip name-server states).

 

Note 1: Reverse DNS (a PTR record for the IP Address of every ISE Node) is required for Cisco ISE Deployments, otherwise you may face several issues such as:

  • Registering and Restarting Cisco ISE Nodes
  • Performance Degradation

Note 2: CSCuj29194 Reverse DNS lookup requirement for ISE Nodes needs to be documented
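The following script is an added example (it is not part of the original article and not Cisco code) that turns the NSLookup pre-check and the resolver Flow above into something you can run for every node and every candidate DNS Server before touching ip name-server. It assumes an admin workstation with Python 3 and outbound UDP/53 to the DNS Servers (it is not meant to run on the ISE node, which only offers nslookup); it uses the standard library only, so a minimal DNS wire-format client replaces nslookup. resolve_like_ise follows the flow as the article describes it (next server only on no reply), not ISE internals; precheck verifies the forward A record, the reverse PTR record and the Active Directory domain-controller SRV record (_ldap._tcp.dc._msdcs.<domain>) against ONE server. The node names, IP addresses and embedded replies at the bottom are constructed for the offline demonstration.

```python
"""Pre-change DNS checks for Cisco ISE, modelled on the resolver flow above. Added example,
not Cisco's code: run from an admin workstation (Python 3, UDP/53 outbound), not on the ISE node."""
import random
import socket
import struct

TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype, qid):
    """Standard query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                           # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                              # must point backwards, or a hostile reply could loop us
                raise ValueError("forward compression pointer")
            end = off + 2 if end is None else end
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Return (id, rcode, [(name, type, ttl, value), ...]); A and PTR are decoded, other rdata stays raw."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        if rtype == TYPE_A:
            value = socket.inet_ntoa(msg[start:off])
        elif rtype == TYPE_PTR:
            value = read_name(msg, start)[0]
        else:
            value = msg[start:off]
        answers.append((name, rtype, ttl, value))
    return qid, flags & 0xF, answers

def udp_query(server, name, qtype, timeout=1.0):
    """One UDP query; returns None only on timeout, the one case in which ISE moves on."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, qid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    rid, rcode, answers = parse_response(data)
    return (rcode, answers) if rid == qid else None      # ignore replies with a mismatched id

def resolve_like_ise(name, servers, qtype=TYPE_A, query=udp_query):
    """Flow from the article: go to the next server ONLY when there is no reply at all."""
    for server in servers:
        reply = query(server, name, qtype)
        if reply is None:
            continue
        rcode, answers = reply                          # any reply, even NXDOMAIN, ends the search
        return server, RCODE_NAMES.get(rcode, str(rcode)), [v for _, t, _, v in answers if t == qtype]
    return None, "TIMEOUT", []

def precheck(server, nodes, ad_domain, query=udp_query):
    """One candidate server: A and PTR for every ISE node (reverse DNS is required) plus the AD DC SRV record."""
    checks = [(fqdn, TYPE_A, ip) for fqdn, ip in nodes.items()]
    checks += [(".".join(reversed(ip.split("."))) + ".in-addr.arpa.", TYPE_PTR, fqdn.rstrip(".") + ".")
               for fqdn, ip in nodes.items()]
    checks.append(("_ldap._tcp.dc._msdcs." + ad_domain, TYPE_SRV, None))
    failures = []
    for qname, qtype, expected in checks:
        _, status, values = resolve_like_ise(qname, [server], qtype, query)
        if status != "NOERROR" or not values:
            failures.append(f"{qname}: {status}, no type-{qtype} record")
        elif expected is not None and expected not in values:
            failures.append(f"{qname}: got {values}, expected {expected}")
    return failures                                     # empty list = safe to add with ip name-server

# Constructed replies (not captured from a real server) and a udp_query stand-in for the offline demo:
# 10.0.0.1 is dead, 10.0.0.2 answers NXDOMAIN, 10.0.0.3 holds ise1.example.com A 10.1.2.3.
SAMPLE_QUESTION = b"\x04ise1\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_A_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUESTION
                     + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([10, 1, 2, 3]))
SAMPLE_NXDOMAIN_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + SAMPLE_QUESTION

def fake_query(server, name, qtype):
    raw = {"10.0.0.1": None, "10.0.0.2": SAMPLE_NXDOMAIN_RESPONSE, "10.0.0.3": SAMPLE_A_RESPONSE}[server]
    return None if raw is None else parse_response(raw)[1:]
```

Calling resolve_like_ise("ise1.example.com", ["10.0.0.1", "10.0.0.2", "10.0.0.3"], query=fake_query) returns ("10.0.0.2", "NXDOMAIN", []): the dead Primary is skipped, but the negative answer from the Secondary ends the search even though the Tertiary holds the record, which is the failure mode described in the Flow. For a real change, call precheck(<new DNS IP>, {<node FQDN>: <node IP>, ...}, <AD domain>) once per candidate server (and once per already configured server); a non-empty list means fix the zone, or pick another server, before running ip name-server and restarting the node.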

 

DNS Cache

Cisco ISE 2.7 Patch 3 brought us a new feature: DNS Cache.

DNS replies for host lookups can be cached locally on the node for a configurable TTL, reducing the load on (and the dependency on) the DNS Server:

 

ise/admin# configure terminal
Entering configuration mode terminal

ise/admin(config)# service cache enable hosts ttl ?
Possible completions:
<1-2147483647> Enter time to live in seconds for DNS cache[180]

ise/admin(config)# service cache enable hosts ttl 3600
Successfully restarted DNS cache with TTL config:3600

ise/admin(config)# no service cache enable hosts ttl
Successfully disabled DNS cache

 

Note 1: in Cisco ISE 2.7 Patch 3 there was no default configuration for the TTL; Cisco ISE 3.3+ introduced the default TTL of 180 sec !!!

Note 2: remember that DNS is heavily used by the Active Directory integration (SRV lookups for Domain Controllers, Kerberos and LDAP); enabling DNS Cache on each ISE Node is a best practice !!! Keep in mind that a cached answer is served until its TTL expires, so a record you change on the DNS Server side is only seen by the node after the cache TTL has elapsed.

Note 3: special attention to CSCwk63923 DNS cache timeout is not honored

 

Comments
Sandro Nolasco (Level 1)

Thanks for sharing

Thanks for sharing

@Sandro Nolasco ... thanks !!!

@Adonay dos Anjos ... thanks !!!

mawarric (Cisco Employee)

Good information here.  Saved.

@mawarric thanks a lot !!!

This Article is part of the following Customer Success Story (CSS):

ISE Deployment and Operation: Lessons from Large, Complex Environment.
