Re: DNS CONFIG ON EXTERNAL NIC

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 22 Nov 2002 13:50:59 -0800

It's just that I'm smarter than Ricky.  ;-)

Seriously, Ricky's article is correct in that Web proxy and FW clients
depend on the ISA server for name resolution.  As to "where" ISA chooses the
name resolution source, it has two places:
    1. the default 6-hour cache for Web Proxy and FW services
    2. the complex Win2K name resolution process
I have articles that address the various ISA clients and their behavior,
too.  Feel free to dig into them as well; could be you'll find out where I
or Ricky (or worse yet; neither of us) went awry.
I'd have to read Ricky's article again and get together with Ricky about how
we performed our testing, etc., etc. before I make any comments on why our
results seem to differ.
You do raise a good point; how do we derive two seemingly different answers
from what sounds like the same questions?

Actually, your description sounds more like you were experiencing the
effect of what happens when a DNS server fails to respond.  Windows will
"blacklist" the entire DNS list on that interface for a time (45 secs sounds
'bout right) when that happens.  That's not the same as getting a "name not
found" response, though.

The Win2K Resource Kit may have this answer, but I'll have to dig into it so I
don't taste toe.

HTH,

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message -----
From: "Cantrell, Rick" <Rick.Cantrell@xxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 9:51 AM
Subject: [isalist] DNS CONFIG ON EXTERNAL NIC


> I recently worked a problem where removing the DNS settings from the
> external NIC resolved the problem.  The symptom was that the ISA server
> would pass DNS requests for 45 seconds, then would stall for 45 seconds,
> then resume again.  This delay could be seen using network monitor.  The
> customer had both NICs configured for DNS.  The internal NIC pointing to an
> internal DNS server and the external NIC pointing to an external DNS server.
> I found two articles regarding DNS configurations for the external nic on
> the isaserver.org website.
> This info was published by Jim Harrison: What many folks will do is place
> DNS resolver IPs in both NICs, ISP in the external, local in the internal.
> While this seems to make sense, it's actually very inefficient and you
> can actually cause huge timeouts this way.
> The other article is published by Ricky Magelhaes and states: Firewall
> clients send all of their DNS queries to the ISA server, the ISA server then
> acts as a DNS proxy forwarding the request to the DNS server that has been
> configured on the external interface of the ISA server.
> Typically ISA server Secure NAT clients do not use ISA server for DNS
> queries, the queries are sent directly to a DNS server. If the DNS query is
> for a computer on the internal network then the query is sent to the
> internal DNS server. This server should be configured for both external and
> Internal DNS queries. If the only queries that will be requested will be
> Internet queries it is recommended that the queries be sent to an external
> Internet DNS server only.  I don't understand the above at all.  How is this
> done actually?
> Web Proxy clients send all of their DNS queries to the ISA server the ISA
> server then acts as the DNS proxy, forwarding the request to the DNS server
> that has been configured on the external interface of the ISA server.
> Between these two articles, it seems that Jim's configuration is correct.
> Can anyone explain these article comments and how ISA gets confused when
> both NICs are configured to use DNS?
>
> Thanks,
> Rick
>
>
>
