RE: DNS Issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 15 Feb 2003 01:49:33 -0600

Hi Tom,

The router does need to know about your DMZ segment. Otherwise, it would
not know how to route packets to that network ID.

That's why we needed to know about the details of your network traces!

Good to hear you got it working, thanks for the follow up!

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] 
Sent: Saturday, February 15, 2003 1:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue


http://www.ISAserver.org


Tom and John,

I got it!!! John, you are the man!!

The problem was my router. I did not have it configured to route packets
to the correct subnet! The bizarre part of it is that the external
interface of the ISA did not show any packets trying to go out. Once I
made the router change, I could see the packets going. Is ISA supposed
to do that???

Anyway, thank you all for all the help!

Tom

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Friday, February 14, 2003 10:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue


Tom,

Please do not use ping to confirm connectivity. Please put a client on
the segment on the network connected to the external interface, and try
to query the DNS server on the DMZ. Run netmon on the DNS server on the
DMZ and the client on the external network. That is the ONLY way you can
accurately troubleshoot the situation.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 
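
An added example, not part of the original thread: a DNS-level check of the kind this message asks for (query the DMZ server rather than ping it), which also reads the reply flags to confirm the "advertiser" behaviour recommended elsewhere in the thread (authoritative answers, no recursion). The function names and the constructed sample headers are assumptions of this example.

```python
# Added example; function names and sample data are this example's own.
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid):
    """DNS A/IN query for `name` with the RD (recursion desired) bit set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def parse_reply(data, qid):
    """Decode the 12-byte header of a reply and reject anything that is not ours."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a reply to this query")
    return {"aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "answers": answers,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}

def assess(reply, own_zone):
    """Findings for a server meant to answer only for its own zones."""
    findings = []
    if reply["ra"]:
        findings.append("recursion offered (RA set)")
    if own_zone and not reply["aa"]:
        findings.append("own-zone answer is not authoritative")
    if not own_zone and reply["rcode"] == "NOERROR" and reply["answers"]:
        findings.append("resolved a name outside its zones")
    if reply["tc"]:
        findings.append("truncated, retry over TCP 53")
    return findings

def query_udp(server, name, timeout=3.0):
    """Live check over UDP 53. socket.timeout means the packet never came back:
    look at packet filters and at the routes on both sides of the firewall."""
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_reply(data, qid)

# Constructed reply headers (not captured traffic): id, flags, QD, AN, NS, AR.
ADVERTISER = struct.pack("!HHHHHH", 7, 0x8500, 1, 1, 0, 0)     # QR+AA+RD
OPEN_RESOLVER = struct.pack("!HHHHHH", 7, 0x8180, 1, 1, 0, 0)  # QR+RD+RA
```

Run `assess(query_udp(server, name), own_zone=...)` from a client on the external segment, once for a name in the server's zone and once for an unrelated name; an empty list both times matches the advertiser configuration.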


-----Original Message-----
From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] 
Sent: Friday, February 14, 2003 4:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue


When I put the DNS server on the Internet I can resolve everything...
Nothing if it's on the DMZ. I even follow exact steps in your new book
just to verify pings (p.82-86) and still don't get responses... I can
ping from the ISA the DNS on the DMZ but I cannot ping anything from the
DNS on the DMZ. Something very strange is happening...

Tom
> 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> Date: 2003/02/14 Fri PM 02:07:39 EST
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] RE: DNS Issue
> 
> 
> Hi Tom,
> 
> Do the queries from the external clients make it to the DNS server on
> the DMZ? When you put a DNS client on the segment that the external
> interface is connected to, do you see any response?
> 
> Is IP Routing enabled on the ISA Server?
> 
> Thanks!
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp 
> 
> 
> -----Original Message-----
> From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] 
> Sent: Friday, February 14, 2003 12:39 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Issue
> 
> 
> 
> Tom and John,
> 
> I appreciate the help on this one. I've worked with ISA's for a long
> time and never ran into problems like this one. I tried creating the
> rules you suggested and it is a trihome environment. At this point I
> just want to resolve external addresses from my DNS which is on my DMZ.
> I can't even do that... I believe it's a routing issue within ISA and I
> opened a case with Microsoft. They are puzzled as well since it
> "should" work...
> 
> I will update the group on this one.
> 
> Thanks,
> 
> Tom
> > 
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
> > Date: 2003/02/14 Fri PM 01:10:02 EST
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Subject: [isalist] RE: DNS Issue
> > 
> > 
> > Hi Tom,
> > 
> > It sounds like you want to put your public DNS server on the trihomed,
> > public address DMZ segment.
> > 
> > You need to create packet filters to allow:
> > 
> > Source any
> > Destination TCP 53
> > 
> > Source any
> > Destination UDP 53
> > 
> > A dynamic packet filter will allow the DNS servers to respond to the
> > clients
> > 
> > The DNS server on the DMZ should be an "advertiser", so that it only
> > answers for names that it's authoritative for. It should not be able to
> > perform recursion. I'm pretty sure I have the details of that config in
> > the second book. If not, they are in the split DNS article over at
> > www.isaserver.org/shinder
> > 
> > HTH,
> > Tom
> > 
> > Thomas W Shinder
> > www.isaserver.org/shinder 
> > ISA Server and Beyond: http://tinyurl.com/1jq1
> > Configuring ISA Server: http://tinyurl.com/1llp 
> > 
> > 
> > -----Original Message-----
> > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx] 
> > Sent: Thursday, February 13, 2003 2:00 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] DNS Issue
> > 
> > 
> > 
> > Hello Group!
> > 
> > I'm working on a test ISA using three home DMZ configuration. (see chart
> > at: http://members.cox.net/tomerm1/ ) I read both ISA books and can't
> > find proper configuration to get DNS to resolve names. My ISA DNS
> > settings point to both Internal and External DNS (on the local
> > interface). My Internal DNS has a forwarder that points to the External DNS
> > which is configured as default installation. My internal DNS is AD
> > integrated and I removed all root hints from AD. I cannot resolve from
> > either Internal clients using SNAT or the External DNS server. Even the
> > ISA would not resolve. I tried several packet filter rules with no
> > luck.
> > 
> > Does anyone know what packet filters I need to get it working???
> > 
> > Thank you all,
> > 
> > Tom
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List
as:
> > tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe send a blank email to
> $subst('Email.Unsub')
> > 