DNS Question to Jim Harrison

  • From: "Periyasamy, Raj" <Raj.Periyasamy@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 14 Nov 2005 16:24:58 -0500

Hi Jim,
I was doing some research on DNS search order for Windows Server 2000,
and came across your article
http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.

My scenario is, we have an SMTP relay server to relay external emails
to our ISP's SMTP server through the firewall. The internal SMTP server
has no direct Internet access or Internet DNS access, only internal DNS
access. The internal DNS does not do DNS forwarding to the Internet. I
was trying to open up limited Internet DNS access for the internal SMTP
server, so that the spam filter can use SPF and SURBL checks using the
Internet DNS. I configured the DNS as follows:

DNS1- Internal1
DNS2- Internal2
DNS3- ISP1
DNS4- ISP2

With this, NSLOOKUP to the Internet works fine. But all other name
resolutions to the Internet fail, such as ping, or GFI's SPF and
SURBL checks.

As per your article, 
Quote:
W2K uses each DNS resolver in this fashion:
1. NIC1, DNS1
2. NIC2, DNS1
3. NIC1, DNS2
4. NIC2, DNS2
..and so on down the DNS list. Add the whole DNS suffix search list to
each DNS query, (can be huge in large deployments or those with
multi-level domain names), and you have a potential DNS disaster of
gargantuan proportions. Another feature of W2K DNS resolver usage is
that if one DNS server in the list of a given interface fails to respond
(not an "I don't know" answer; that's different), then that whole NIC is
blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to
a query, then DNS1 on that interface will also be ignored for a while.
For those reasons, it's best to place all DNS resolver IPs in the
internal ISA NIC.
End quote:

My theory was exactly what you have written: the DNS lookup should go
through each DNS server until a positive response is received, or until
there are no more DNS servers in the list to query. I was not sure about
the "if one DNS server in the list of a given interface fails to respond
(not an "I don't know" answer; that's different), then that whole NIC is
blacklisted from the DNS search" part in your article though. What I
found out is, if one DNS server in any NIC responds negatively (I don't
know reply) to a DNS query, no further DNS servers in that NIC will be
queried for name resolution of the same query. However, if the queried
DNS server is not responding, then the query does go to the next DNS server
in the list. So, in my case, all the DNS queries were just failing after
the first internal DNS server responded negatively. 

So, my question is, is your article still accurate, or has it become
outdated? Is there any way to force the Windows Server to search all the
DNS servers in the list regardless of a negative response?


HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA
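The two resolver behaviours discussed in this post (the interleaved NIC/DNS order quoted from the article, and the observation that a negative answer from one server ends the search on that NIC while a timeout moves on to the next server) are easier to reason about when written out. The following simulation is an added example, not code from the post or from ISAserver.org; the server names reuse the post's labels, and the outcomes attached to them are constructed sample data for an external name that only the ISP servers can resolve.

```python
"""Simulate the Windows 2000 DNS client search behaviour described in the post.

Added illustration, not code from the original post or from ISAserver.org.
Server names and the outcomes attached to them are constructed sample data.
"""
from itertools import zip_longest

# Possible outcomes the resolver can get from one DNS server for one query
POSITIVE = "positive"   # an answer containing records
NEGATIVE = "negative"   # an authoritative "I don't know" (e.g. NXDOMAIN)
TIMEOUT = "timeout"     # no response at all


def resolver_order(nics):
    """Return the interleaved (nic, server) order quoted from the article:
    NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, NIC2/DNS2, ... generalised to any
    number of NICs with lists of different lengths.

    `nics` maps a NIC name to its ordered list of DNS server names.
    """
    names = list(nics.keys())
    order = []
    # zip_longest steps through DNS1 of every NIC, then DNS2 of every NIC, ...
    for column in zip_longest(*nics.values()):
        for nic, server in zip(names, column):
            if server is not None:
                order.append((nic, server))
    return order


def simulate_query(nics, responses, negative_ends_nic=True, timeout_ends_nic=False):
    """Walk the resolver order and return (result, servers_actually_queried).

    `responses` maps a server name to its outcome for the simulated query;
    a server missing from the map is treated as not responding.
    negative_ends_nic: the behaviour Raj observed (a negative answer means
                       no further server on that NIC is asked).
    timeout_ends_nic:  the behaviour the article describes (a timeout
                       sidelines the whole NIC); off by default because the
                       post reports that a timeout simply moves to the next server.
    """
    queried = []
    sidelined = set()
    for nic, server in resolver_order(nics):
        if nic in sidelined:
            continue
        queried.append(server)
        outcome = responses.get(server, TIMEOUT)
        if outcome == POSITIVE:
            return POSITIVE, queried
        if (outcome == NEGATIVE and negative_ends_nic) or (outcome == TIMEOUT and timeout_ends_nic):
            sidelined.add(nic)
    return NEGATIVE, queried


# Constructed scenario from the post: one NIC, two internal servers that do not
# forward to the Internet, followed by two ISP servers that do.
RAJ_NICS = {"NIC1": ["Internal1", "Internal2", "ISP1", "ISP2"]}

# For an external name (e.g. a TXT record used by an SPF check) the internal
# servers answer "I don't know" while the ISP servers would answer positively.
EXTERNAL_NAME_RESPONSES = {
    "Internal1": NEGATIVE,
    "Internal2": NEGATIVE,
    "ISP1": POSITIVE,
    "ISP2": POSITIVE,
}


def raj_scenario():
    """Outcome of the post's configuration under the observed stop-on-negative rule."""
    return simulate_query(RAJ_NICS, EXTERNAL_NAME_RESPONSES)


def expected_by_theory():
    """Outcome if the resolver kept going past a negative answer, as the theory assumed."""
    return simulate_query(RAJ_NICS, EXTERNAL_NAME_RESPONSES, negative_ends_nic=False)


if __name__ == "__main__":
    print("observed :", raj_scenario())        # ('negative', ['Internal1'])
    print("theorised:", expected_by_theory())  # ('positive', ['Internal1', 'Internal2', 'ISP1'])
```

Running the simulation shows why NSLOOKUP and the application checks disagree: NSLOOKUP targets one server directly, whereas the application goes through the resolver, which stops at the first internal server's negative answer and never reaches ISP1. The `timeout_ends_nic` switch lets you compare the article's blacklist-on-timeout description against the observed behaviour in the same model.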


