[isalist] Re: Strange Behaviour in ISA2006

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 11 Feb 2009 10:39:49 -0500

Did you do this from in front or behind the ISA Server?

The query refused response indicates the DNS server chose not to respond to
your query; that's got nothing to do with ISA, I don't think.

The most common cause of a query refusal that I've run across is when a
secondary DNS server can't pull updates from the primary DNS server (for
some reason the zone transfer failed) and so shuts down the zone.

Try using the DNS server 4.2.2.2 (Verizon) the next time to see if that box
also exhibits the same query refused response.

On Tue, Feb 10, 2009 at 9:17 AM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:

>  Okay, was able to run some tests today during a DNS outage.
>
>
>
> Telnet to DNS server, connected okay.
>
>
>
> Using NSLOOKUP interactively gave the response of "Query refused" on each
> of the forwarders.
>
>
>
> Any further testing was cut short because I logged into the ISA server via
> RDP and, like usual, the situation cleared immediately.
>
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Ball, Dan
> *Sent:* Friday, January 30, 2009 2:01 PM
> *To:* 'isalist@xxxxxxxxxxxxx'
> *Subject:* [isalist] Re: Strange Behaviour in ISA2006
>
>
>
> Yes, the computer I put on the "outside" is on the same sub-net as the ISA
> server is.
>
>
>
> Thanks, your input has given me a much shorter list of things to test the
> next time this occurs.
>
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Thursday, January 29, 2009 3:19 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Strange Behaviour in ISA2006
>
>
>
> If telnet isn't working but yet you're seeing it pass through the ISA
> server, it seems more likely that some kind of asymmetric route is in play -
> this can occasionally occur with bad BGP routes between peers.
>
>
>
> When you put a client on the outside of the ISA server, is it in the same
> external network that the ISA server is?
>
> On Thu, Jan 29, 2009 at 3:05 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:
>
> I did try to telnet, and that didn't work, and I did try nslookup with
> manually configuring multiple servers, they all timed out.  I don't think I
> tried manually setting a DNS server that wasn't one of our normal ones
> though,  so I'll have to try that next time.
>
>
>
> As for routing, the DNS traffic makes it to the ISA server and goes out to
> the Internet, I can see it in the logs, it just doesn't seem to come back.
>
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Thursday, January 29, 2009 2:02 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Strange Behaviour in ISA2006
>
>
>
> Dan,
>
>
>
> From the clients on the inside of the ISA Server try the following command.
>
>
>
> telnet <dns server ip address> 53
>
>
>
> Does that work?
>
>
>
> If it does, try the following:
>
>
>
> nslookup www.yahoo.com <dns server ip address>
>
>
>
> Does that work?
>
>
>
> If not, try using nslookup interactively and see what kind of error message
> you get when you attempt to set the server to the DNS server IP address.
>
>
>
> Since this is happening intermittently, it may actually be a network
> routing issue as opposed to an ISA server issue.  I don't know what kind of
> topology you have in place on the inside of your ISA server but do take a
> look at that.
>
> On Thu, Jan 29, 2009 at 1:53 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org <http://www.isaserver.org/>
> -------------------------------------------------------
>
> It seems to happen no matter what DNS servers I put in as forwarders, and
> we cannot function without them (need to get DNS resolution somehow!).
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Crockett, Gregory
> Sent: Tuesday, January 27, 2009 2:30 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
>
> What happens should you kill your ISP DNS servers as forwarders?  I have
> never used our ISP's DNS servers as forwarders.
>
> Sent from mobile outlook.
>
> -----Original Message-----
> From: Ball, Dan <DBall@xxxxxxxxxxx>
> Sent: Tuesday, January 27, 2009 1:12 PM
> To: 'isalist@xxxxxxxxxxxxx' <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> Been too busy to play with this much lately, basically I've been just
> waiting it out whenever it has happened, it eventually clears itself.  Just
> now it happened again though, and I happened to be logged into the ISA
> server at the time, so I did some packet captures in case someone asked for
> them.
>
> Otherwise, I have tested the DNS servers out pretty good, and the problem
> appears to be in the ISA server.  The internal servers cannot contact the
> forwarders, so they dish out responses until the cache times out and then
> start sending out host-not-found messages instead.  While this is going on,
> I can take a computer on the other side of our ISA server and connect to the
> DNS servers on the forwarders list, so I know they are alive and kicking,
> the DNS queries just are not passing through the ISA server.  As long as the
> computers know the IP address, they can continue to communicate through the
> ISA server, they just cannot look up any new addresses.
>
> I see a bunch of alerts saying "ISA Server detected an all port scan
> attack..." from the forwarders' IP addresses immediately prior to and during
> the problem.  I remember from a while back that this was a common message
> from DNS server, would the ISA server block those IPs for a time in response
> to those scan attacks?
>
>
> From: Ball, Dan
> Sent: Thursday, November 06, 2008 12:52 PM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: RE: [isalist] Re: Strange Behaviour in ISA2006
>
> Yes, there are two DNS servers on the internal network that the ISA server
> is a part of.  All workstations (including the ISA server)  are pointing to
> these two DNS servers, no external DNS servers are configured except as
> forwarders on those two DNS servers.  If any DNS request is made that is not
> part of the local network, they use forwarders to resolve the address from
> our ISP's DNS servers.
>
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jerry Young
> Sent: Thursday, November 06, 2008 12:36 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> Or, you wouldn't happen to have entered DNS servers on both the internal
> and external interface connections in Windows on the ISA Server would you?
>
> Also, how do clients in your environment resolve internet-based DNS
> records?  Are DNS forwarders set up on your internal DNS servers or are you
> using some other method for resolving internet-based DNS records?
>
> Are the internal DNS servers part of the same internal network that your
> ISA Server sits on or do those internal queries pass through a router?
>
> You can troubleshoot this by directing nslookup to use specific DNS servers
> for each record test case.
>
> For example, if you wanted to query your internal DNS server for an
> external DNS record you could use:
>
> nslookup www.yahoo.com <Internal DNS Server>,
>
> Where <Internal DNS Server> is the IP address of your internal DNS server.
>
> To test against an external DNS server, you could use:
>
> nslookup www.yahoo.com <External DNS Server>,
>
> Where <External DNS Server> is the IP address of an external DNS server
> your environment uses (usually one provided by your carrier/ISP).
> On Thu, Nov 6, 2008 at 12:22 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> The combination of forward access and server login sluggishness point
> squarely at DNS.
> Are you using the same DNS server to handle AD and external DNS queries?
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, November 06, 2008 8:30 AM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: [isalist] Strange Behaviour in ISA2006
>
>
> I've noticed an interesting behavior of my ISA2006 box, and was wondering
> if anyone would have an idea of what might be causing it...
>
> Periodically, browsing to websites (from our Intranet) becomes sluggish and
> we experience a lot of time-outs, sometimes it clears itself, but sometimes
> it gets worse.  Tracing this back, it appears to be a DNS-related issue, the
> names cannot be resolved correctly.  I've restarted the internal DNS servers
> when this happens, with little, if any improvement in performance.  So I log
> into the ISA server via Remote Desktop to see what is happening, the login
> takes significantly longer than usual, then right about the time I get
> logged in, everything works perfect again, so I cannot trace it.
>
> I thought it was a coincidence the first few times, but it has happened a
> couple of dozen times now and it is a definite pattern.  Once I log into the
> ISA server via Remote Desktop, it starts working again.  Any ideas?
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>
> All mail to and from this domain is scrutinized by GFI.
>
>



-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
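
One way to script the forwarder check discussed in this thread (an added example, not part of the original messages): it sends the same A-record query nslookup would and separates a server-side REFUSED answer from a reply that never comes back. The function names, the fixed transaction ID and the result labels are choices made for this example.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction ID, chosen for this example


def build_query(name, txid=TXID):
    """Build a DNS query for an A record with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(data, txid=TXID):
    """Return the RCODE name of a reply, or MALFORMED if it is not our answer."""
    if len(data) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "MALFORMED"
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(server, name="www.yahoo.com", timeout=3.0, port=53):
    """One UDP query: REFUSED means the server answered; TIMEOUT means no reply arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
        except OSError:
            return "SOCKET_ERROR"
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python dnsprobe.py <forwarder ip> [<forwarder ip> ...]
    for server in sys.argv[1:]:
        print(server, probe(server))
```

Run it from a client behind the ISA Server and from one in front of it during an outage: a REFUSED result shows the query and the reply both crossed the path, while TIMEOUT on one side only points at the path rather than the DNS server.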
