I have each of the "outer" DNS servers set up to use themselves as a DNS server first, and the PDC DNS server as a secondary. So, if that server cannot resolve the address, it forwards it to the PDC, and if it cannot resolve it, it then switches to the "forwarding" DNS server, which is run by our ISP. This cuts down significantly on DNS lookup traffic because they all use one server within our own network before venturing out to the Internet to resolve the address. If I leave the forwarding server entries blank, then it starts using the "root hint" servers instead of our ISP's DNS server. I'd like to see some studies on which method is faster, as I've heard arguments both ways.

I was trying to remember how I got all of my "outer" DNS servers to resolve back to the PDC before going out to the Internet, and it appears to be the DNS entries in the network properties on the server, so that makes sense and explains why only one DNS server actually does the forwarding.

In order to duplicate what you describe, I'd have to remove the DNS entries from all my "outer" DNS servers, and add them in as authorized computers in my DNS firewall policy. But that wouldn't help me at all, in that in order to reach the Internet they still have to resolve internal names first. If they cannot resolve names to even get to the ISA server, they certainly cannot get to the Internet.

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Thursday, March 03, 2005 16:08
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Interesting problem...

http://www.ISAserver.org

Mmmmm I don't have a "pdc" DNS server, I have a DNS rule to allow all my DNS servers to query the Internet. None of my DNS servers forward to anywhere else. I found this to be the quickest for DNS resolution and if any of my 4 DNS servers are down for maintenance then there is no interruption of service at all.

S