Been too busy to play with this much lately, basically I've been just waiting it out whenever it has happened, it eventually clears itself. Just now it happened again though, and I happened to be logged into the ISA server at the time, so I did some packet captures in case someone asked for them. Otherwise, I have tested the DNS servers out pretty good, and the problem appears to be in the ISA server. The internal servers cannot contact the forwarders, so they dish out responses until the cache times out and then start sending out host-not-found messages instead. While this is going on, I can take a computer on the other side of our ISA server and connect to the DNS servers on the forwarders list, so I know they are alive and kicking, the DNS queries just are not passing through the ISA server. As long as the computers know the IP address, they can continue to communicate through the ISA server, they just cannot look up any new addresses. I see a bunch of alerts saying "ISA Server detected an all port scan attack..." from the forwarders IPs addresses immediately prior to and during the problem. I remember from awhile back that this was a common message from DNS server, would the ISA server block those IPs for a time in response to those scan attacks? From: Ball, Dan Sent: Thursday, November 06, 2008 12:52 PM To: 'isalist@xxxxxxxxxxxxx' Subject: RE: [isalist] Re: Strange Behaviour in ISA2006 Yes, there are two DNS servers on the internal network that the ISA server is a part of. All workstations (including the ISA server) are pointing to these two DNS servers, no external DNS serves are configured except as forwarders on those two DNS servers. If any DNS request is made that is not part of the local network, they use forwarders to resolve the address from our ISPs DNS servers. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young Sent: Thursday, November 06, 2008 12:36 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Strange Behaviour in ISA2006 Or, you wouldn't happen to have entered DNS servers on both the internal and external interface connections in Windows on the ISA Server would you? Also, how do clients in your environment resolve internet-based DNS records? Are DNS forwarders set up on your internal DNS servers or are you using some other method for resolving internet-based DNS records? Are the internal DNS servers part of the same internal network that your ISA Server sits on or do those internal queries pass through a router? You can troubleshoot this by directing nslookup to use specific DNS servers for each record test case. For example, if you wanted to query your internal DNS server for an external DNS record you could use: nslookup www.yahoo.com<http://www.yahoo.com/> <Internal DNS Server>, Where <Internal DNS Server> is the IP address of your internal DNS server. To test against an external DNS server, you could use: nslookup www.yahoo.com<http://www.yahoo.com/> <External DNS Server>, Where <External DNS Server> is the IP address of an external DNS server your environment uses (usually one provided by your carrier/ISP). On Thu, Nov 6, 2008 at 12:22 PM, Jim Harrison <Jim@xxxxxxxxxxxx<mailto:Jim@xxxxxxxxxxxx>> wrote: http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- The combination of forward access and server login sluggishness point squarely at DNS. Are you using the same DNS server to handle AD and external DNS queries? Jim -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx> [mailto:isalist-bounce@xxxxxxxxxxxxx<mailto:isalist-bounce@xxxxxxxxxxxxx>] On Behalf Of Ball, Dan Sent: Thursday, November 06, 2008 8:30 AM To: 'isalist@xxxxxxxxxxxxx<mailto:isalist@xxxxxxxxxxxxx>' Subject: [isalist] Strange Behaviour in ISA2006 http://www.ISAserver.org<http://www.isaserver.org/> ------------------------------------------------------- I've noticed an interesting behavior of my ISA2006 box, and was wondering if anyone would have an idea of what might be causing it... Periodically, browsing to websites (from our Intranet) becomes sluggish and we experience a lot of time-outs, sometimes it clears itself, but sometimes it gets worse. Tracing this back, it appears to be a DNS-related issue, the names cannot be resolved correctly. I've restarted the internal DNS servers when this happens, with little, if any improvement in performance. So I log into the ISA server via Remote Desktop to see what is happening, the login takes significantly longer than usual, then right about the time I get logged in, everything works perfect again, so I cannot trace it. I thought it was a coincidence the first few times, but it has happened a couple of dozen times now and it is a definite pattern. Once I log into the ISA server via Remote Desktop, it starts working again. Any ideas? ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com<http://www.techgenix.com/> ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx> -- Cordially yours, Jerry G. Young II Microsoft Certified Systems Engineer