RE: DNS Issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 14 Feb 2003 11:42:02 -0600

Hi Tom,

Do you have a trihomed or back-to-back DMZ?

Public or private?

Thanks!

Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] 
Sent: Friday, February 14, 2003 10:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue


http://www.ISAserver.org


Thank you for the support John. However, I misled you regarding my DNS
on the DMZ. My DNS on the DMZ has a zone for my domain and no root zone.
I meant to say that the root hints (under server properties) are still
there. The odd thing is when I sniff the network, I can see my DMZ DNS
is trying to query the root hints and I can also see that the DMZ
interface on the ISA receives these requests but does nothing with them
as if there is a routing issue. I think I'm calling Microsoft on this
one...

Tom
> 
> From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
> Date: 2003/02/14 Fri AM 10:15:15 EST
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] RE: DNS Issue
> 
> http://www.ISAserver.org
> 
> 
> > Thank you for the reply. My Internal interface is pointing to the DMZ
> > DNS as well as the local one, I also tried only pointing to the Internal
> > one
> 
> Bad. Only point to Internal.
> 
> > one. My other interfaces do not have any DNS entries. The external DNS
> > has a default install with no zones (only the root one); my internal DNS is AD
> > integrated with no root zone.
> 
> Part of your problem. Get rid of the root zone. Your server is not part of
> IANA and not part of the Internet root servers. This is one of the worst
> things Microsoft did by allowing a root zone in their DNS servers. It causes
> so many problems.
> 
> > integrated with no root zone. I found that my internal can query names
> > but not using the DMZ DNS but only using its root servers, so I took them
> > out in order for it to use the forwarder to the external DNS. (When I
> 
> Your DMZ DNS server is worthless until you get rid of its root zone.
> 
> > say external I mean the DNS on the DMZ.) Why do I need a forwarder on my
> > DMZ DNS? It should be able to query root hints, shouldn't it? I can see
> 
> Theoretically, yes. But it will receive faster responses by using your ISP
> DNS servers as forwarders.
> 
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com
> 
> > -----Original Message-----
> > From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
> > Sent: Thursday, February 13, 2003 9:42 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> > 
> > http://www.ISAserver.org
> > 
> > 
> > Thank you for the reply. My Internal interface is pointing to the DMZ
> > DNS as well as the local one, I also tried only pointing to the Internal
> > one. My other interfaces do not have any DNS entries. The external DNS
> > has a default install with no zones (only the root one); my internal DNS is AD
> > integrated with no root zone. I found that my internal can query names
> > but not using the DMZ DNS but only using its root servers, so I took them
> > out in order for it to use the forwarder to the external DNS. (When I
> > say external I mean the DNS on the DMZ.) Why do I need a forwarder on my
> > DMZ DNS? It should be able to query root hints, shouldn't it? I can see
> > with a sniffer that my DMZ DNS is sending DNS queries to the
> > root hints, but the packets going to the ISA DMZ interface will not pass
> > to the external one. I can also see in the ISA log that these packets
> > are allowed (turning the "Allow" logging on).
> > 
> > Thanks,
> > 
> > Tom
> > 
> > -----Original Message-----
> > From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
> > Sent: Thursday, February 13, 2003 10:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> > 
> > http://www.ISAserver.org
> > 
> > 
> > The internal interface of ISA should have the DNS address of the Internal
> > DNS server only.
> > 
> > The DMZ interface of ISA should have blank for the DNS address.
> > 
> > The External interface of ISA should have blank for the DNS address.
> > 
> > On the internal DNS, forwarding should be set to the DNS Server in the
> > DMZ.
> > Do not remove root hints. However, there should be no root zone.
> > 
> > On the DMZ DNS, it should be set to forward to your ISP DNS. What do you
> > mean by default install? Is that an AD integrated zone? Is there a root
> > zone?
> > 
> > Then create packet filters to allow any to query your DMZ DNS server.
> > 
> > Create packet filter to allow your DMZ DNS server to query the whole
> > Internet.
> > 
> > John Tolmachoff MCSE, CSSA
> > IT Manager, Network Engineer
> > RelianceSoft, Inc.
> > Fullerton, CA  92835
> > www.reliancesoft.com
> > 
> > > -----Original Message-----
> > > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> > > Sent: Thursday, February 13, 2003 12:00 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] DNS Issue
> > >
> > > http://www.ISAserver.org
> > >
> > >
> > > Hello Group!
> > >
> > > I'm working on a test ISA using a trihomed DMZ configuration. (see chart at:
> > > http://members.cox.net/tomerm1/  ) I read both ISA books and can't find proper
> > > configuration to get DNS to resolve names. My ISA DNS settings point to
> > > both Internal and External DNS (on the local interface). My Internal DNS has a forwarder
> > > that points to the External DNS, which is configured as a default installation. My internal
> > > DNS is AD integrated and I removed all root hints from AD. I cannot resolve from
> > > either Internal clients using SNAT or the External DNS server. Even the ISA would
> > > not resolve. I tried several packet filter rules with no luck.
> > >
> > > Does anyone know what packet filters I need to get it working???
> > >
> > > Thank you all,
> > >
> > > Tom
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > isalist@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > 
> > 
> > 
> > 
> 
> 
> 



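Added example, not part of the original thread: a check for the two conditions John's advice turns on, a DNS server that carries its own root zone (it answers for "." authoritatively and so never consults root hints or forwarders) and a server that refuses recursion. The script sends "SOA ." to the server and reads the AA and RA flags and the RCODE from the reply. It assumes that a server with a root zone configured answers "SOA ." with AA set, while one resolving through hints or forwarders returns the real root SOA without AA; the host names, the verdict labels and the constructed sample replies are illustration, not captured traffic.

```python
"""Interpret a DNS server's reply to 'SOA .' to spot a configured root zone
(authoritative for '.', so it never uses root hints or forwarders) or refused
recursion.  Standard library only; sample replies are constructed below."""
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name; the root '.' is a single zero byte."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return (".".join(labels) + "." if labels else "."), end


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Recursive query (RD=1) with one question; no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def build_soa_response(query: bytes, aa: bool, ra: bool, rcode: int = 0,
                       mname: str = "dmzdns.example.test.") -> bytes:
    """Constructed server reply used as sample input (assumed names, not captured)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | (rcode & 0xF)
    ancount = 1 if rcode == 0 else 0
    body = query[12:]                              # echo the question section
    if ancount:
        rdata = (encode_name(mname) + encode_name("hostmaster.example.test.")
                 + struct.pack("!IIIII", 1, 900, 600, 86400, 3600))
        body += (encode_name(".") + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata))
                 + rdata)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + body


def diagnose_root_soa(resp: bytes) -> dict:
    """Read the flags and first answer of a reply to 'SOA .' and name the fault."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    aa, ra, rcode = bool(flags & 0x0400), bool(flags & 0x0080), flags & 0xF
    off = 12
    for _ in range(qd):                            # skip the question section
        _name, off = read_name(resp, off)
        off += 4                                   # QTYPE + QCLASS
    mname = None
    if an:
        _owner, off = read_name(resp, off)
        rtype, _cls, _ttl, _rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            mname, _ = read_name(resp, off)        # primary server named in the SOA
    if rcode == 0 and aa and an:
        verdict = "ROOT_ZONE"      # authoritative for '.': will never forward or use hints
    elif not ra:
        verdict = "NO_RECURSION"   # will not resolve on the client's behalf
    elif rcode != 0:
        verdict = "LOOKUP_FAILED"  # e.g. SERVFAIL: recursion on, but the upstream path is broken
    else:
        verdict = "OK"             # non-authoritative root SOA: hints/forwarders are working
    return {"aa": aa, "ra": ra, "rcode": rcode, "soa_mname": mname, "verdict": verdict}


def check_server(host: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Send 'SOA .' to a live server over UDP and diagnose the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(".", QTYPE_SOA), (host, port))
        return diagnose_root_soa(s.recv(4096))


if __name__ == "__main__":
    q = build_query(".", QTYPE_SOA)
    # DMZ server with a '.' zone configured: the fault John describes
    print(diagnose_root_soa(build_soa_response(q, aa=True, ra=True)))
    # server resolving via root hints/forwarders: real root SOA, not authoritative
    print(diagnose_root_soa(build_soa_response(q, aa=False, ra=True, mname="a.root-servers.net.")))
```

Run check_server() against the DMZ server's address from the ISA host and again from an external address. ROOT_ZONE confirms the zone John told Tom to delete; LOOKUP_FAILED with RA set, seen from the inside, matches the symptom in the thread (recursion is on, but the path out through the ISA is not working). If the DMZ server also answers with RA set to queries arriving on its external side, the "allow any to query your DMZ DNS server" packet filter has made it an open recursive resolver for the whole Internet; restrict that filter to the hosts that actually need it.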
