Thank you for the support, John. However, I misled you regarding my DNS on the DMZ. My DNS on the DMZ has a zone for my domain and no root zone. I meant to say that the root hints (under server properties) are still there. The odd thing is when I sniff the network, I can see my DMZ DNS is trying to query the root hints and I can also see that the DMZ interface on the ISA receives these requests but does nothing with them, as if there is a routing issue. I think I'm calling Microsoft on this one...

Tom

> From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
> Date: 2003/02/14 Fri AM 10:15:15 EST
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] RE: DNS Issue
>
> http://www.ISAserver.org
>
> > Thank you for the reply. My Internal interface is pointing to the DMZ
> > DNS as well as local one, I also tried only pointing to the Internal
> > one
>
> Bad. Only point to Internal.
>
> > one. My other interfaces do not have any DNS entries. The external DNS
> > has default install with no Zones (only root one) my internal DNS is AD
> > integrated with no root Zone.
>
> Part of your problem. Get rid of the root zone. Your server is not part of
> IANA and not part of the Internet root servers. This is one of the worst
> things Microsoft did by allowing a root zone in their DNS servers. It causes
> so many problems.
>
> > integrated with no root Zone. I found that my internal can query names
> > but not using the DMZ DNS but only using its root servers so I took them
> > out in order for it to use the forwarder to the external DNS. (When I
>
> Your DMZ DNS server is worthless until you get rid of its root zone.
>
> > say external I mean the DNS on the DMZ) Why do I need a forwarder on my
> > DMZ DNS? It should be able to query root hints shouldn't it? I can see
>
> Theoretically, yes. But it will receive faster responses by using your ISP
> DNS servers as forwarders.
>
> John Tolmachoff MCSE, CSSA
> IT Manager, Network Engineer
> RelianceSoft, Inc.
> Fullerton, CA 92835
> www.reliancesoft.com
>
> > -----Original Message-----
> > From: Tom Mendelboim [mailto:tomerm1@xxxxxxx]
> > Sent: Thursday, February 13, 2003 9:42 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> >
> > Thank you for the reply. My Internal interface is pointing to the DMZ
> > DNS as well as local one, I also tried only pointing to the Internal
> > one. My other interfaces do not have any DNS entries. The external DNS
> > has default install with no Zones (only root one) my internal DNS is AD
> > integrated with no root Zone. I found that my internal can query names
> > but not using the DMZ DNS but only using its root servers so I took them
> > out in order for it to use the forwarder to the external DNS. (When I
> > say external I mean the DNS on the DMZ) Why do I need a forwarder on my
> > DMZ DNS? It should be able to query root hints shouldn't it? I can see
> > with a sniffer that my DMZ DNS is requesting for DNS queries from the
> > root hints but the packets going to the ISA DMZ interface will not pass
> > to the external one. I can also see in the ISA log that these packets
> > are allowed (turning the "Allow" logging on).
> >
> > Thanks,
> >
> > Tom
> >
> > -----Original Message-----
> > From: John Tolmachoff [mailto:isalist@xxxxxxxxxxxx]
> > Sent: Thursday, February 13, 2003 10:18 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Issue
> >
> > The internal interface of ISA should have the DNS address of the Internal
> > DNS server only.
> >
> > The DMZ interface of ISA should have blank for the DNS address.
> >
> > The External interface of ISA should have blank for the DNS address.
> >
> > On the internal DNS, forwarding should be set to the DNS Server in the DMZ.
> > Do not remove root hints. However, there should be no root zone.
> >
> > On the DMZ DNS, it should be set to forward to your ISP DNS. What do you
> > mean by default install? Is that an AD integrated zone? Is there a root
> > zone?
> >
> > Then create packet filters to allow any to query your DMZ DNS server.
> >
> > Create packet filter to allow your DMZ DNS server to query the whole
> > Internet.
> >
> > John Tolmachoff MCSE, CSSA
> > IT Manager, Network Engineer
> > RelianceSoft, Inc.
> > Fullerton, CA 92835
> > www.reliancesoft.com
> >
> > > -----Original Message-----
> > > From: tomerm1@xxxxxxx [mailto:tomerm1@xxxxxxx]
> > > Sent: Thursday, February 13, 2003 12:00 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] DNS Issue
> > >
> > > Hello Group!
> > >
> > > I'm working on a test ISA using three home DMZ configuration. (see chart at:
> > > http://members.cox.net/tomerm1/ ) I read both ISA books and can't find proper
> > > configuration to get DNS to resolve names. My ISA dns settings point to both
> > > Internal and External DNS (on the local interface). My Internal DNS has a forwarder
> > > points to the External DNS which is configured as default installation. My internal
> > > DNS is AD integrated and I removed all root hints from AD. I cannot resolve from
> > > either Internal clients using SNAT or the External DNS server. Even the ISA would
> > > not resolve. I tried several packet filters rules with no luck.
> > >
> > > Does anyone know what packet filters I need to get it working???
> > >
> > > Thank you all,
> > >
> > > Tom
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > isalist@xxxxxxxxxxxx
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
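
Added example, not part of the original thread: a small Python probe for the symptom discussed above, meant to be run from the DMZ DNS host. It sends one non-recursive query (what a server walking its root hints sends) and one recursive query (what it sends to a forwarder) over UDP 53 and reports whether anything comes back; the forwarder address is a placeholder and the function names are this example's own.

```python
import secrets, socket, struct

def build_query(name, qid, qtype=2, recurse=False):
    """Encode one DNS question (qtype 2 = NS, 1 = A).
    recurse=False is what a server walking its root hints sends;
    recurse=True is what it sends to a forwarder."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if recurse else 0, 1, 0, 0, 0)
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg, qid):
    """Summarise a reply header; ValueError if it is not an answer to qid."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return {"rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "answers": an, "authority": ns, "additional": ar}

def probe(server, name, recurse, timeout=3.0, port=53):
    """Send one UDP query. A 'timeout' result means nothing came back:
    the query or its reply was dropped, or the server did not answer."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid, recurse=recurse), (server, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"status": "timeout"}
        except OSError as exc:
            return {"status": "error", "detail": str(exc)}
    try:
        return {"status": "reply", **parse_header(data, qid)}
    except ValueError as exc:
        return {"status": "bad-reply", "detail": str(exc)}

if __name__ == "__main__":
    ROOT = "198.41.0.4"       # a.root-servers.net
    FORWARDER = "192.0.2.53"  # placeholder: substitute the ISP's resolver
    print("root hints path:", probe(ROOT, ".", recurse=False))
    print("forwarder path: ", probe(FORWARDER, "example.com", recurse=True))
```

A timeout on both paths from the DMZ DNS host matches the symptom in the thread, where queries reach the ISA DMZ interface but no reply returns.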