Hi Steve I understand that they should be in the DMZ...but for the next few months and a tight budget this cannot be done. I know this question is stupid but I will ask anyway.....What risk is there in having the DNS NOT in the DMZ....am I at risk via port 53?? William ________________________________ From: Steve Moffat [mailto:steve@xxxxxxxxxx] Sent: 25 October 2004 14:30 To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS server http://www.ISAserver.org they should really be in a dmz S ________________________________ From: Administrator [mailto:Administrator@xxxxxxxxxxxxx] Sent: Monday, October 25, 2004 2:44 AM To: ISA Mailing List Subject: [isalist] RE: DNS server http://www.ISAserver.org Hi Gr8...so If I got this correctly TCP In local port 53 ...remote any TCP Out local any....remote 53 UDP Receive send local 53 remote any UDP Send Receive local any remote 53.............is this correct? William PS thanks for the help but I am fairly new to public dns servers behind a firewall ________________________________ From: Steve Moffat [mailto:steve@xxxxxxxxxx] Sent: 24 October 2004 23:44 To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS server http://www.ISAserver.org you'll need incoming / outgoing dns query packet filters, on each ISA Server as well as publishing them. S