That's because you lost your ability to read minds. The writer knew exactly what he meant, and that's what counts :\

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, July 26, 2006 12:54 PM
> To: ISA-MVP
> Subject: Re: [ISAServer] A firewall that performs payload inspection may block zone transfers
>
> These kind of KB's drive me nuts...
>
> <snip>
> Consider the following scenario:
> • A Microsoft Windows Server 2003-based primary Domain Name System (DNS) server hosts several primary zones.
> • A Windows Server 2003-based secondary DNS server hosts the corresponding secondary zones.
> • The secondary DNS server sends out DNS start of authority (SOA) query records to the primary DNS server when the DNS service restarts on the secondary DNS server. All DNS SOA query records use the same 0x6000 DNS ID.
> • An application firewall that examines the ID field in the DNS packet header is located on the network between the primary DNS server and the secondary DNS server.
> In this scenario, the firewall may block zone transfers from the primary DNS server to the secondary DNS server.
>
> Note This does not affect manual zone transfers.
> </snip>
>
> *Why*? Why "may" an application firewall block it? Why does it not affect manual transfers? Does it affect ISA? What if I have a specific rule allowing DNS transfers? It seems obvious to me that anyone reading this would want to know the specific "whys," particularly if one is contemplating loading a hotfix...
>
> t
>
> On 7/26/06 9:09 AM, "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@xxxxxxxxxxx> spoketh to all:
>
> > FYI:
> >
> > A firewall that performs payload inspection may block zone transfers by Windows Server 2003-based DNS servers:
> > http://support.microsoft.com/kb/919218/en-us
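
An added example, not part of the thread or of KB 919218: a check an administrator could run over captured DNS query payloads to see whether a secondary is sending SOA queries that all share one DNS ID, the condition the quoted scenario describes. It assumes the raw DNS message bytes have already been extracted from a capture; the zone names and sample messages are constructed, and it makes no claim about how any particular firewall decides what to block.

```python
import struct

QTYPE_SOA = 6  # RFC 1035 QTYPE value for SOA

def build_query(txid, name, qtype):
    """Build a minimal DNS query message (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_query(msg):
    """Return (txid, qname, qtype) for a single-question DNS query, else None."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None                      # truncated question section
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):     # pointer or overrun: not a plain question
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype

def repeated_soa_ids(messages):
    """Map each DNS ID used by more than one SOA query to the zones queried."""
    seen = {}
    for m in messages:
        q = parse_query(m)
        if q and q[2] == QTYPE_SOA:
            seen.setdefault(q[0], []).append(q[1])
    return {txid: zones for txid, zones in seen.items() if len(zones) > 1}

# Constructed sample: three SOA queries with ID 0x6000, one SOA with another ID, one A query
SAMPLE = [build_query(0x6000, z, QTYPE_SOA) for z in ("corp.example", "lab.example", "dmz.example")]
SAMPLE += [build_query(0x1A2B, "other.example", QTYPE_SOA), build_query(0x6000, "www.corp.example", 1)]

if __name__ == "__main__":
    for txid, zones in repeated_soa_ids(SAMPLE).items():
        print(f"SOA queries sharing DNS ID {txid:#06x}: {zones}")
```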