RE: DNS Issue

  • From: Tom Mendelboim <tomerm1@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 14 Feb 2003 11:05:30 -0500

Thank you for the support John. However, I misled you regarding my DNS on the 
DMZ. My DNS on the DMZ has a zone for my domain and no root zone. I meant to 
say that the root hints (under server properties) are still there. The odd 
thing is when I sniff the network, I can see my DMZ DNS is trying to query the 
root hints and I can also see that the DMZ interface on the ISA receives these 
requests but does nothing with them as if there is a routing issue. I think I'm 
calling Microsoft on this one...

Tom
> 
> From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
> Date: 2003/02/14 Fri AM 10:15:15 EST
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] RE: DNS Issue
> 
> http://www.ISAserver.org
> 
> 
> > Thank you for the reply. My Internal interface is pointing to the DMZ
> > DNS as well as local one, I also tried only pointing to the Internal
> > one
> 
> Bad. Only point to Internal.
> 
> > one. My other interfaces do not have any DNS entries. The external DNS
> > has default install with no Zones (only root one) my internal DNS is AD
> > integrated with no root Zone.
> 
> Part of your problem. Get rid of the root zone. Your server is not part of
> IANA and not part of the Internet root servers. This is one of the worst
> things Microsoft did by allowing a root zone in their DNS servers. It causes
> so many problems.
> 
> > integrated with no root Zone. I found that my internal can query names
> > but not using the DMZ DNS but only using its root servers so I took them
> > out in order for it to use the forwarder to the external DNS. (When I
> 
> Your DMZ DNS server is worthless until you get rid of its root zone.
> 
> > say external I mean the DNS on the DMZ) Why do I need a forwarder on my
> > DMZ DNS? It should be able to query root hints shouldn't it? I can see
> 
> Theoretically, yes. But it will receive faster responses by using your ISP
> DNS servers as forwarders.
> 
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA  92835
> www.reliancesoft.com
> 
> > -----Original Message-----
> > From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
> > Sent: Thursday, February 13, 2003 9:42 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> > 
> > 
> > Thank you for the reply. My Internal interface is pointing to the DMZ
> > DNS as well as local one, I also tried only pointing to the Internal
> > one. My other interfaces do not have any DNS entries. The external DNS
> > has default install with no Zones (only root one) my internal DNS is AD
> > integrated with no root Zone. I found that my internal can query names
> > but not using the DMZ DNS but only using its root servers so I took them
> > out in order for it to use the forwarder to the external DNS. (When I
> > say external I mean the DNS on the DMZ) Why do I need a forwarder on my
> > DMZ DNS? It should be able to query root hints shouldn't it? I can see
> > with a sniffer that my DMZ DNS is requesting for DNS queries from the
> > root hints but the packets going to the ISA DMZ interface will not pass
> > to the external one. I can also see in the ISA log that these packets
> > are allowed (turning the "Allow" logging on).
> > 
> > Thanks,
> > 
> > Tom
> > 
> > -----Original Message-----
> > From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
> > Sent: Thursday, February 13, 2003 10:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> > 
> > 
> > The internal interface of ISA should have the DNS address of the Internal
> > DNS server only.
> > 
> > The DMZ interface of ISA should have blank for the DNS address.
> > 
> > The External interface of ISA should have blank for the DNS address.
> > 
> > On the internal DNS, forwarding should be set to the DNS Server in the DMZ.
> > Do not remove root hints. However, there should be no root zone.
> > 
> > On the DMZ DNS, it should be set to forward to your ISP DNS. What do you
> > mean by default install? Is that an AD integrated zone? Is there a root
> > zone?
> > 
> > Then create packet filters to allow any to query your DMZ DNS server.
> > 
> > Create a packet filter to allow your DMZ DNS server to query the whole
> > Internet.
> > 
> > John Tolmachoff MCSE, CSSA
> > IT Manager, Network Engineer
> > RelianceSoft, Inc.
> > Fullerton, CA  92835
> > www.reliancesoft.com
> > 
> > > -----Original Message-----
> > > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> > > Sent: Thursday, February 13, 2003 12:00 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] DNS Issue
> > >
> > >
> > > Hello Group!
> > >
> > > I'm working on a test ISA using a three-homed DMZ configuration. (see
> > > chart at: http://members.cox.net/tomerm1/ ) I read both ISA books and
> > > can't find the proper configuration to get DNS to resolve names. My ISA
> > > DNS settings point to both Internal and External DNS (on the local
> > > interface). My Internal DNS has a forwarder that points to the External
> > > DNS, which is configured as default installation. My internal DNS is AD
> > > integrated and I removed all root hints from AD. I cannot resolve from
> > > either Internal clients using SNAT or the External DNS server. Even the
> > > ISA would not resolve. I tried several packet filter rules with no luck.
> > >
> > > Does anyone know what packet filters I need to get it working???
> > >
> > > Thank you all,
> > >
> > > Tom
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > isalist@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
> 
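The two packet filters described in the quoted reply (any host may query the DMZ DNS server; the DMZ DNS server may query the Internet), modelled as an added example that is not part of the thread and is not ISA Server configuration. All addresses are constructed, and allowing TCP 53 alongside UDP 53, first-match evaluation and default deny are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (assumptions; the thread gives none).
INTERNAL_DNS = "10.0.0.53"      # AD-integrated internal DNS
DMZ_DNS = "192.0.2.53"          # DNS server in the DMZ
ISP_DNS = "198.51.100.1"        # ISP resolver used as forwarder
ROOT_HINT = "203.0.113.4"       # stand-in for a root-hint server
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Filter:
    name: str
    src: str                        # source CIDR
    dst: str                        # destination CIDR
    protos: tuple = ("udp", "tcp")  # TCP 53 is an assumption (large answers)
    dport: int = 53

# The two packet filters from the reply; first match wins, default deny.
FILTERS = [
    Filter("any -> DMZ DNS", ANY, DMZ_DNS + "/32"),
    Filter("DMZ DNS -> Internet", DMZ_DNS + "/32", ANY),
]

def evaluate(src, dst, proto, dport, filters=FILTERS):
    """Return the name of the filter permitting the flow, or None if denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in filters:
        if (s in ipaddress.ip_network(f.src) and d in ipaddress.ip_network(f.dst)
                and proto in f.protos and dport == f.dport):
            return f.name
    return None

def blocked_hops(hops, filters=FILTERS):
    """Given (src, dst, proto, dport) hops of a resolution path, list denied ones."""
    return [h for h in hops if evaluate(*h, filters=filters) is None]

# Recommended chain: internal DNS forwards to the DMZ DNS, which forwards to the
# ISP (or walks root hints). Every hop is covered by one of the two filters.
RECOMMENDED = [(INTERNAL_DNS, DMZ_DNS, "udp", 53), (DMZ_DNS, ISP_DNS, "udp", 53),
               (DMZ_DNS, ROOT_HINT, "udp", 53)]
# Internal DNS resolving straight from the Internet matches neither filter.
BYPASS = [(INTERNAL_DNS, ROOT_HINT, "udp", 53)]

if __name__ == "__main__":
    print("blocked in recommended chain:", blocked_hops(RECOMMENDED))
    print("blocked when bypassing DMZ DNS:", blocked_hops(BYPASS))
```

An empty result for the recommended chain means the filters permit every hop, so a resolution failure like the one reported in the thread has to be looked for elsewhere (routing, NAT, or the DNS server's own root zone and forwarder settings).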