IIRC ISA checks external nic DNS, then internal nic DNS, until it can resolve the request. By not setting any dns servers in the external nic properties you are forcing ISA to default to 'localhost'. Unless you are running a DNS server on your ISA server (usually a bad idea) it will redirect any 'localhost' resolution to the first DNS server it can easily locate (those specified on your internal nic properties for instance). Your internal DNS server is then usually set to use an external forwarder, which is usually your ISP's DNS server(s), to resolve any requests that involve machines outside of your local domain.

Jim is talking practical setup information, while Ricky is talking technical operation of the device. Both are indeed correct.

Paul Nuernberger

-----Original Message-----
From: Cantrell, Rick [mailto:Rick.Cantrell@xxxxxx]
Sent: Friday, November 22, 2002 11:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Correct DNS configuration for external NIC

I recently worked a problem where removing the DNS settings from the external NIC resolved the problem. The symptom was that the ISA server would pass DNS requests for 45 seconds, then would stall for 45 seconds, then resume again. This delay could be seen using network monitor. The customer had both NICs configured for DNS. The internal NIC pointing to an internal DNS server and the external NIC pointing to an external DNS server.

I found two articles regarding DNS configurations for the external nic on the isaserver.org website. This info was published by Jim Harrison:

What many folks will do is place DNS resolver IPs in both NICs, ISP in the external, local in the internal. While this seems to make sense, it's actually very inefficient and you can actually cause huge timeouts this way.
The other article is published by Ricky Magelhaes and states:

Firewall clients send all of their DNS queries to the ISA server, the ISA server then acts as a DNS proxy forwarding the request to the DNS server that has been configured on the external interface of the ISA server. Typically ISA server Secure NAT clients do not use ISA server for DNS queries, the queries are sent directly to a DNS server. If the DNS query is for a computer on the internal network then the query is sent to the internal DNS server. This server should be configured for both external and Internal DNS queries. If the only queries that will be requested will be Internet queries it is recommended that the queries be sent to an external Internet DNS server only.

I don't understand the above at all. How is this done actually?

Web Proxy clients send all of their DNS queries to the ISA server the ISA server then acts as the DNS proxy, forwarding the request to the DNS server that has been configured on the external interface of the ISA server.

Between these two articles, it seems that Jim's configuration is correct. Can anyone explain these article comments and how ISA gets confused when both NICs are configured to use DNS?

Thanks,
Rick