RE: DNS Issue

  • From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 14 Feb 2003 07:15:15 -0800

> Thank you for the reply. My Internal interface is pointing to the DMZ
> DNS as well as the local one; I also tried only pointing to the Internal
> one

Bad. Only point to Internal.

> one. My other interfaces do not have any DNS entries. The external DNS
> has a default install with no zones (only the root one); my internal DNS
> is AD integrated with no root zone.

Part of your problem. Get rid of the root zone. Your server is not part of
IANA and not part of the Internet root servers. This is one of the worst
things Microsoft did by allowing a root zone in their DNS servers. It causes
so many problems.

> integrated with no root zone. I found that my internal can query names,
> but not using the DMZ DNS, only using its root servers, so I took them
> out in order for it to use the forwarder to the external DNS. (When I

Your DMZ DNS server is worthless until you get rid of its root zone.

> say external I mean the DNS on the DMZ) Why do I need a forwarder on my
> DMZ DNS? It should be able to query root hints shouldn't it? I can see

Theoretically, yes. But it will receive faster responses by using your ISP
DNS servers as forwarders.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com

> -----Original Message-----
> From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
> Sent: Thursday, February 13, 2003 9:42 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Issue
> 
> http://www.ISAserver.org
> 
> 
> Thank you for the reply. My Internal interface is pointing to the DMZ
> DNS as well as the local one; I also tried only pointing to the Internal
> one. My other interfaces do not have any DNS entries. The external DNS
> has a default install with no zones (only the root one); my internal DNS
> is AD integrated with no root zone. I found that my internal can query
> names, but not using the DMZ DNS, only using its root servers, so I took
> them out in order for it to use the forwarder to the external DNS. (When
> I say external I mean the DNS on the DMZ.) Why do I need a forwarder on
> my DMZ DNS? It should be able to query root hints, shouldn't it? I can
> see with a sniffer that my DMZ DNS is sending DNS queries to the root
> hint servers, but the packets going to the ISA DMZ interface will not
> pass to the external one. I can also see in the ISA log that these
> packets are allowed (turning the "Allow" logging on).
> 
> Thanks,
> 
> Tom
> 
> -----Original Message-----
> From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
> Sent: Thursday, February 13, 2003 10:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Issue
> 
> The internal interface of ISA should have the DNS address of the Internal
> DNS server only.
> 
> The DMZ interface of ISA should have blank for the DNS address.
> 
> The External interface of ISA should have blank for the DNS address.
> 
> On the internal DNS, forwarding should be set to the DNS Server in the
> DMZ.
> Do not remove root hints. However, there should be no root zone.
> 
> On the DMZ DNS, it should be set to forward to your ISP DNS. What do you
> mean by default install? Is that an AD integrated zone? Is there a root
> zone?
> 
> Then create packet filters to allow any to query your DMZ DNS server.
> 
> Create packet filter to allow your DMZ DNS server to query the whole
> Internet.
> 
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com
> 
> > -----Original Message-----
> > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> > Sent: Thursday, February 13, 2003 12:00 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] DNS Issue
> >
> > Hello Group!
> >
> > I'm working on a test ISA using a three-homed DMZ configuration. (See
> > chart at: http://members.cox.net/tomerm1/ ) I read both ISA books and
> > can't find the proper configuration to get DNS to resolve names. My ISA
> > DNS settings point to both Internal and External DNS (on the local
> > interface). My Internal DNS has a forwarder that points to the External
> > DNS, which is configured as a default installation. My internal DNS is
> > AD integrated and I removed all root hints from AD. I cannot resolve
> > from either Internal clients using SNAT or the External DNS server. Even
> > the ISA would not resolve. I tried several packet filter rules with no
> > luck.
> >
> > Does anyone know what packet filters I need to get it working???
> >
> > Thank you all,
> >
> > Tom
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > isalist@xxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
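As an added illustration (not code from the thread, ISA Server or Microsoft DNS), the following toy Python model walks a query through the chain John prescribes, Internal DNS to DMZ DNS to ISP forwarders, and shows why a root "." zone on the DMZ server makes it answer NXDOMAIN for everything instead of forwarding, and why the internal server should keep its root hints. All server names, zones and addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class DnsServer:
    """Toy Windows-style DNS server: hosted zones, forwarders, root hints."""
    name: str
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)  # zone -> {fqdn: ip}
    forwarders: List["DnsServer"] = field(default_factory=list)
    root_hints: bool = True      # False models "I removed all root hints"
    reachable: bool = True       # False models a forwarder that is down or filtered

    def zone_for(self, fqdn: str) -> Optional[str]:
        # Longest hosted zone suffix; a "." zone claims authority for every name.
        labels = fqdn.split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.zones:
                return ".".join(labels[i:])
        return "." if "." in self.zones else None

    def resolve(self, fqdn: str, internet: Dict[str, str]) -> str:
        if not self.reachable:
            return "SERVFAIL"
        zone = self.zone_for(fqdn)
        if zone is not None:
            # Authoritative: answer from the zone or say NXDOMAIN; never recurse.
            return self.zones[zone].get(fqdn, "NXDOMAIN")
        for fwd in self.forwarders:            # forwarders are tried first
            answer = fwd.resolve(fqdn, internet)
            if answer != "SERVFAIL":           # NXDOMAIN from a forwarder is final
                return answer
        if self.root_hints:                    # fall back to the real root servers
            return internet.get(fqdn, "NXDOMAIN")
        return "SERVFAIL"

# Constructed sample data (TEST-NET and private addresses, not real hosts).
INTERNET = {"www.isaserver.org": "203.0.113.10"}
INTERNAL_ZONE = {"corp.example": {"dc1.corp.example": "10.0.0.5"}}

def lookup(fqdn: str, dmz_root_zone: bool, internal_root_hints: bool = True,
           dmz_reachable: bool = True) -> str:
    """Resolve fqdn through the chain Internal DNS -> DMZ DNS -> ISP DNS."""
    isp = DnsServer("isp")
    dmz = DnsServer("dmz", zones={".": {}} if dmz_root_zone else {},
                    forwarders=[isp], reachable=dmz_reachable)
    internal = DnsServer("internal", zones=INTERNAL_ZONE, forwarders=[dmz],
                         root_hints=internal_root_hints)
    return internal.resolve(fqdn, INTERNET)

if __name__ == "__main__":
    print(lookup("www.isaserver.org", dmz_root_zone=True))    # NXDOMAIN
    print(lookup("www.isaserver.org", dmz_root_zone=False))   # 203.0.113.10
```

With the "." zone present the DMZ server never forwards, so the internal server inherits its NXDOMAIN; with the zone gone the query reaches the ISP, and if the DMZ server is unreachable the internal server still resolves only while it keeps its root hints.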