Hi Tom,

The internal interface should be pointing to an internal DNS server that can resolve internet host names. Why would it point to a DMZ DNS server? Is this a back to back DMZ? If so, you generally don't want it to do any name resolution, you want it to forward what the downstream sent it, and if it does need some simple name resolution for DMZ hosts, use a HOSTS file.

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
Sent: Thursday, February 13, 2003 11:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue

http://www.ISAserver.org

Thank you for the reply.

My Internal interface is pointing to the DMZ DNS as well as the local one; I also tried pointing only to the Internal one. My other interfaces do not have any DNS entries. The external DNS has a default install with no Zones (only the root one); my internal DNS is AD integrated with no root Zone.

I found that my internal can query names but not using the DMZ DNS but only using its root servers, so I took them out in order for it to use the forwarder to the external DNS. (When I say external I mean the DNS on the DMZ.)

Why do I need a forwarder on my DMZ DNS? It should be able to query root hints, shouldn't it?

I can see with a sniffer that my DMZ DNS is requesting for DNS queries from the root hints, but the packets going to the ISA DMZ interface will not pass to the external one. I can also see in the ISA log that these packets are allowed (turning the "Allow" logging on).

Thanks,
Tom

-----Original Message-----
From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
Sent: Thursday, February 13, 2003 10:18 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Issue

The internal interface of ISA should have the DNS address of the Internal DNS server only.
The DMZ interface of ISA should have blank for the DNS address.
The External interface of ISA should have blank for the DNS address.

On the internal DNS, forwarding should be set to the DNS Server in the DMZ. Do not remove root hints. However, there should be no root zone.

On the DMZ DNS, it should be set to forward to your ISP DNS. What do you mean by default install? Is that an AD integrated zone? Is there a root zone?

Then create packet filters to allow any to query your DMZ DNS server. Create a packet filter to allow your DMZ DNS server to query the whole Internet.

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com

> -----Original Message-----
> From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> Sent: Thursday, February 13, 2003 12:00 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] DNS Issue
>
> Hello Group!
>
> I'm working on a test ISA using a three-homed DMZ configuration. (see chart at:
> http://members.cox.net/tomerm1/ ) I read both ISA books and can't find a proper
> configuration to get DNS to resolve names. My ISA DNS settings point to both
> Internal and External DNS (on the local interface). My Internal DNS has a forwarder
> that points to the External DNS, which is configured as a default installation. My internal
> DNS is AD integrated and I removed all root hints from AD. I cannot resolve from
> either Internal clients using SNAT or the External DNS server. Even the ISA would
> not resolve. I tried several packet filter rules with no luck.
>
> Does anyone know what packet filters I need to get it working???
>
> Thank you all,
>
> Tom
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Exchange Server Resource Site: http://www.msexchange.org/
> Windows Security Resource Site: http://www.windowsecurity.com/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> isalist@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')