Hi Tom,

It sounds like you want to put your public DNS server on the trihomed, public address DMZ segment. You need to create packet filters to allow:

Source any Destination TCP 53
Source any Destination UDP 53

A dynamic packet filter will allow the DNS servers to respond to the clients.

The DNS server on the DMZ should be an "advertiser", so that it only answers for names that it's authoritative for. It should not be able to perform recursion. I'm pretty sure I have the details of that config in the second book. If not, they are in the split DNS article over at www.isaserver.org/shinder

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
Sent: Thursday, February 13, 2003 2:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS Issue

Hello Group!

I'm working on a test ISA using a three-homed DMZ configuration (see chart at: http://members.cox.net/tomerm1/ ). I read both ISA books and can't find the proper configuration to get DNS to resolve names.

My ISA DNS settings point to both Internal and External DNS (on the local interface). My Internal DNS has a forwarder that points to the External DNS, which is configured as a default installation. My internal DNS is AD integrated and I removed all root hints from AD.

I cannot resolve from either Internal clients using SNAT or the External DNS server. Even the ISA would not resolve. I tried several packet filter rules with no luck. Does anyone know what packet filters I need to get it working???

Thank you all,
Tom
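
Added example, not part of the original messages: one way to verify that a DMZ DNS server behaves as the authoritative-only "advertiser" described in the reply, by checking the AA and RA header flags of its responses. The function names, the transaction ID and the sample responses are constructed for illustration; `probe` is meant for a server you operate.

```python
import socket
import struct

def build_query(name, txid, qtype=1):
    """DNS query for `name` (type A by default) with RD set, as a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields this check needs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "ancount": an}

def classify(msg, txid, own_zone):
    """Judge one response. own_zone: True if the queried name is in a hosted zone."""
    h = parse_header(msg)
    if not h["qr"] or h["txid"] != txid:
        return "INVALID: not a response to our query"
    if h["ra"]:
        return "FAIL: server offers recursion (RA set)"
    if own_zone:
        if h["aa"] and h["rcode"] == 0 and h["ancount"] > 0:
            return "OK: authoritative answer"
        return "FAIL: no authoritative answer for hosted zone"
    if h["ancount"] > 0:
        return "FAIL: answered a name outside its zones"
    return "OK: outside name not resolved"

def probe(server, name, own_zone, txid=0x4242, timeout=3.0):
    """Send the query over UDP 53 to a server you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return classify(s.recvfrom(4096)[0], txid, own_zone)

def sample(flags, ancount, txid=0x4242):
    """Constructed header-only response for offline testing."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)

AUTH_ANSWER = sample(0x8500, 1)     # QR+AA+RD, NOERROR, 1 answer
REFUSED = sample(0x8105, 0)         # QR+RD, rcode 5 (REFUSED)
OPEN_RESOLVER = sample(0x8180, 1)   # QR+RD+RA, 1 answer
```

Run `probe` once with a name in a hosted zone and once with an outside name; both should come back `OK` when recursion is disabled.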