It's just that I'm smarter than Ricky. ;-)

Seriously, Ricky's article is correct in that Web proxy and FW clients depend on the ISA server for name resolution. As to "where" ISA chooses the name resolution source, it has two places:

1. the default 6-hour cache for Web Proxy and FW services
2. the complex Win2K name resolution process

I have articles that address the various ISA clients and their behavior, too. Feel free to dig into them as well; could be you'll find out where I or Ricky (or worse yet; neither of us) went awry. I'd have to read Ricky's article again and get together with Ricky about how we performed our testing, etc., etc. before I make any comments on why our results seem to differ. You do raise a good point; how do we derive two seemingly different answers from what sounds like the same questions?

Actually, your description sounds more like you were experiencing the effect of what happens when a DNS server fails to respond. Windows will "blacklist" the entire DNS list on that interface for a time (45 secs sounds 'bout right) when that happens. That's not the same as getting a "name not found" response, though. The Win2K Resource Kit may have this answer, but I'll have to dig into it so I don't taste toe.

HTH,
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: "Cantrell, Rick" <Rick.Cantrell@xxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, November 22, 2002 9:51 AM
Subject: [isalist] DNS CONFIG ON EXTERNAL NIC

http://www.ISAserver.org

> I recently worked a problem where removing the DNS settings from the external NIC resolved the problem. The symptom was that the ISA server would pass DNS requests for 45 seconds, then would stall for 45 seconds, then resume again. This delay could be seen using network monitor. The customer had both NICs configured for DNS.
> The internal NIC pointing to an internal DNS server and the external NIC pointing to an external DNS server. I found two articles regarding DNS configurations for the external NIC on the isaserver.org website.
>
> This info was published by Jim Harrison: What many folks will do is place DNS resolver IPs in both NICs, ISP in the external, local in the internal. While this seems to make sense, it's actually very inefficient and you can actually cause huge timeouts this way.
>
> The other article is published by Ricky Magalhaes and states: Firewall clients send all of their DNS queries to the ISA server, the ISA server then acts as a DNS proxy forwarding the request to the DNS server that has been configured on the external interface of the ISA server.
>
> Typically ISA server Secure NAT clients do not use ISA server for DNS queries, the queries are sent directly to a DNS server. If the DNS query is for a computer on the internal network then the query is sent to the internal DNS server. This server should be configured for both external and Internal DNS queries. If the only queries that will be requested will be Internet queries it is recommended that the queries be sent to an external Internet DNS server only. I don't understand the above at all. How is this done actually?
>
> Web Proxy clients send all of their DNS queries to the ISA server the ISA server then acts as the DNS proxy, forwarding the request to the DNS server that has been configured on the external interface of the ISA server.
>
> Between these two articles, it seems that Jim's configuration is correct. Can anyone explain these article comments and how ISA gets confused when both NICs are configured to use DNS?
>
> Thanks,
> Rick