RE: Correct DNS configuration for external NIC

  • From: "Paul Nuernberger" <pen@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Nov 2002 12:12:27 -0600

IIRC ISA checks external nic DNS, then internal nic DNS, until it can
resolve the request.

By not setting any dns servers in the external nic properties you are
forcing ISA to default to 'localhost'.  Unless you are running a DNS server
on your ISA server (usually a bad idea) it will redirect any 'localhost'
resolution to the first DNS server it can easily locate (those specified on
your internal nic properties for instance).

Your internal DNS server is then usually set to use an external forwarder,
which is usually your ISP's DNS server(s), to resolve any requests that
involve machines outside of your local domain.

Jim is talking practical set up information, while Ricky is talking
technical operation of device.  Both are indeed correct.

Paul Nuernberger


-----Original Message-----
From: Cantrell, Rick [mailto:Rick.Cantrell@xxxxxx]
Sent: Friday, November 22, 2002 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Correct DNS configuration for external NIC


http://www.ISAserver.org


I recently worked a problem where removing the DNS settings from the
external NIC resolved the problem.  The symptom was that the ISA server
would pass DNS requests for 45 seconds, then would stall for 45 seconds,
then resume again.  This delay could be seen using network monitor.  The
customer had both NICs configured for DNS.  The internal NIC pointing to an
internal DNS server and the external NIC pointing to an external DNS server.
I found two articles regarding DNS configurations for the external nic on
the isaserver.org website.
This info was published by Jim Harrison: What many folks will do is place
DNS resolver IPs in both NICs, ISP in the external, local in the internal.
While this seems to make sense, it's actually very inefficient and you can
actually cause huge timeouts this way.
The other article is published by Ricky Magelhaes and states: Firewall
clients send all of their DNS queries to the ISA server, the ISA server then
acts as a DNS proxy forwarding the request to the DNS server that has been
configured on the external interface of the ISA server.
Typically ISA server Secure NAT clients do not use ISA server for DNS
queries, the queries are sent directly to a DNS server. If the DNS query is
for a computer on the internal network then the query is sent to the
internal DNS server. This server should be configured for both external and
Internal DNS queries. If the only queries that will be requested will be
Internet queries it is recommended that the queries be sent to an external
Internet DNS server only.  I don't understand the above at all.  How is this
done actually?
Web Proxy clients send all of their DNS queries to the ISA server the ISA
server then acts as the DNS proxy, forwarding the request to the DNS server
that has been configured on the external interface of the ISA server.
Between these two articles, it seems that Jim's configuration is correct.
Can anyone explain these articles' comments and how ISA gets confused when
both NICs are configured to use DNS?

Thanks,
Rick
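As an added illustration of the set-up Paul and Jim describe above (this is not code from the thread, from ISAserver.org or from ISA Server itself), here is a small Python check that parses `ipconfig /all` output from a dual-homed box and flags resolvers configured on the external NIC. It assumes the Internet-facing NIC is the one holding the default gateway; the adapter names and addresses in the sample are constructed.

```python
import re

# Constructed sample of `ipconfig /all` output from a dual-homed ISA box,
# showing the set-up the thread warns against: resolvers on both NICs.
SAMPLE_IPCONFIG = """\
Ethernet adapter Internal:
        IP Address. . . . . . . . . . . . : 192.168.1.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.10
Ethernet adapter External:
        IP Address. . . . . . . . . . . . : 203.0.113.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 203.0.113.1
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            198.51.100.54
"""
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}} from ipconfig /all output."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            last_field = None
        elif current is None or not line.strip():
            continue
        elif (m := FIELD_RE.match(line)):
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            current[last_field] = [value] if value else []
        elif last_field:  # indented continuation, e.g. a second DNS server
            current[last_field].append(line.strip())
    return adapters

def audit_dns(adapters):
    """Flag the misconfiguration from the thread. Assumption: on an ISA box
    the Internet-facing NIC is the one holding the default gateway."""
    findings = []
    for name, fields in adapters.items():
        if fields.get("Default Gateway") and fields.get("DNS Servers"):
            findings.append(f"{name}: external NIC lists resolvers "
                            f"{fields['DNS Servers']}; clear them and let the "
                            "internal DNS server forward to the ISP instead")
    with_dns = [n for n, f in adapters.items() if f.get("DNS Servers")]
    if len(with_dns) > 1:
        findings.append(f"resolvers configured on more than one NIC: {with_dns}")
    return findings
```

On a real box, feed the output of `ipconfig /all` into `parse_ipconfig` and the audit returns an empty list once only the internal NIC carries resolvers.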




