RE: DNS Issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 14 Feb 2003 11:53:14 -0600

Hi Tom,

The internal interface should be pointing to an internal DNS server that
can resolve Internet host names. Why would it point to a DMZ DNS server?
Is this a back-to-back DMZ? If so, you generally don't want it to do any
name resolution; you want it to forward what the downstream sent it, and
if it does need some simple name resolution for DMZ hosts, use a HOSTS file.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Tom Mendelboim [mailto:tomerm1@xxxxxxx] 
Sent: Thursday, February 13, 2003 11:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue


http://www.ISAserver.org


Thank you for the reply. My Internal interface is pointing to the DMZ
DNS as well as the local one; I also tried pointing only to the Internal
one. My other interfaces do not have any DNS entries. The external DNS
has a default install with no zones (only the root one); my internal DNS
is AD integrated with no root zone. I found that my internal can query
names, but not using the DMZ DNS, only using its root servers, so I took
them out in order for it to use the forwarder to the external DNS. (When I
say external I mean the DNS on the DMZ.) Why do I need a forwarder on my
DMZ DNS? It should be able to query root hints, shouldn't it? I can see
with a sniffer that my DMZ DNS is requesting DNS queries from the
root hints, but the packets going to the ISA DMZ interface will not pass
to the external one. I can also see in the ISA log that these packets
are allowed (turning the "Allow" logging on).

Thanks,

Tom 

-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx] 
Sent: Thursday, February 13, 2003 10:18 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue


The internal interface of ISA should have the DNS address of the
Internal DNS server only.

The DMZ interface of ISA should have blank for the DNS address.

The External interface of ISA should have blank for the DNS address.

On the internal DNS, forwarding should be set to the DNS Server in the
DMZ. Do not remove root hints. However, there should be no root zone.

On the DMZ DNS, it should be set to forward to your ISP DNS. What do you
mean by default install? Is that an AD integrated zone? Is there a root
zone?

Then create packet filters to allow any to query your DMZ DNS server.

Create packet filter to allow your DMZ DNS server to query the whole
Internet.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA  92835
www.reliancesoft.com

> -----Original Message-----
> From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> Sent: Thursday, February 13, 2003 12:00 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] DNS Issue
> 
> 
> Hello Group!
> 
> I'm working on a test ISA using a three-homed DMZ configuration (see
> chart at: http://members.cox.net/tomerm1/ ). I read both ISA books and
> can't find the proper configuration to get DNS to resolve names. My ISA
> DNS settings point to both Internal and External DNS (on the local
> interface). My Internal DNS has a forwarder that points to the External
> DNS, which is configured as default installation. My internal DNS is AD
> integrated and I removed all root hints from AD. I cannot resolve from
> either Internal clients using SNAT or the External DNS server. Even the
> ISA would not resolve. I tried several packet filter rules with no luck.
> 
> Does anyone know what packet filters I need to get it working???
> 
> Thank you all,
> 
> Tom
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> isalist@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')

