RE: DNS Issue

• From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
• To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
• Date: Fri, 14 Feb 2003 14:24:14 -0800

I know you have your subnets set up, but do you have the edge router
configured for them along with static routes?

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com

> -----Original Message-----
> From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
> Sent: Friday, February 14, 2003 2:11 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Issue
> 
> http://www.ISAserver.org
> 
> 
> When I put the DNS server on the Internet I can resolve everything...
Nothing if it's
> on the DMZ. I even follow exact steps in your new book just to verify
pings (p.82-
> 86) and still don't get responses... I can ping from the ISA the DNS on
the DMZ but
> I cannot ping anything from the DNS on the DMZ. Something very strange is
> happening...
> 
> Tom
> >
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> > Date: 2003/02/14 Fri PM 02:07:39 EST
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Subject: [isalist] RE: DNS Issue
> >
> > http://www.ISAserver.org
> >
> >
> > Hi Tom,
> >
> > Do the queries from the external clients make it to the DNS server on
> > the DMZ? When you put a DNS client on the segment that the external
> > interface is connected to, do you see any response?
> >
> > Is IP Routing enabled on the ISA Server?
> >
> > Thanks!
> > Tom
> >
> > Thomas W Shinder
> > www.isaserver.org/shinder
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp
> >
> >
> > -----Original Message-----
> > From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
> > Sent: Friday, February 14, 2003 12:39 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> >
> >
> > http://www.ISAserver.org
> >
> >
> > Tom and John,
> >
> > I appreciate the help on this one. I've worked with ISA's for a long
> > time and never ran into problems like this one. I tried creating the
> > rules you suggested and it is a trihome environment. At this point I
> > just want to resolve external addresses from my DNS which is on my DMZ.
> > I can't even do that... I believe it's a routing issue within ISA and I
> > opened a case with Microsoft. They are puzzeled as well since it
> > "should" work...
> >
> > I will update the group on this one.
> >
> > Thanks,
> >
> > Tom
> > >
> > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> > > Date: 2003/02/14 Fri PM 01:10:02 EST
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Subject: [isalist] RE: DNS Issue
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Hi Tom,
> > >
> > > It sounds like you want to put your public DNS server on the trihomed,
> > > public address DMZ segment.
> > >
> > > You need to create packet filters to allow:
> > >
> > > Source any
> > > Destination TCP 53
> > >
> > > Source any
> > > Destination UDP 53
> > >
> > > A dynamic packet filter will allow the DNS servers to respond to the
> > > clients
> > >
> > > The DNS server on the DMZ should be an "advertiser", so that it only
> > > answers for names that its authoritative for. It should not be able to
> > > perform recursion. I'm pretty sure I have the details of that config
> > in
> > > the second book. If not, they are in the split DNS article over at
> > > www.isaserver.org/shinder
> > >
> > > HTH,
> > > Tom
> > >
> > > Thomas W Shinder
> > > www.isaserver.org/shinder
> > > ISA Server and Beyond: http://tinyurl.com/1jq1
> > > Configuring ISA Server: http://tinyurl.com/1llp
> > >
> > >
> > > -----Original Message-----
> > > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> > > Sent: Thursday, February 13, 2003 2:00 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] DNS Issue
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Hello Group!
> > >
> > > I'm working on a test ISA using three home DMZ configuration. (see
> > chart
> > > at: http://members.cox.net/tomerm1/  ) I read both ISA books and can't
> > > find proper configuration to get DNS to resolve names. My ISA dns
> > > settings point to both Internal and External DNS (on the local
> > > interface). My Internal DNS has a forwarder points to the External DNS
> > > which is configured as default installation. My internal DNS is AD
> > > integrated and I removed all root hints from AD. I cannot resolve from
> > > either Internal clients using SNAT or the External DNS server. Even
> > the
> > > ISA would not resolve. I tried several packet filters rules with no
> > > luck.
> > >
> > > Does anyone know what packet filters I need to get it working???
> > >
> > > Thank you all,
> > >
> > > Tom
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > tomerm1@xxxxxxx
> > > To unsubscribe send a blank email to
> > $subst('Email.Unsub')
> > >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> tomerm1@xxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> isalist@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')

• » DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue
• » RE: DNS Issue

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page
• » View list details
• » Manage your subscription