Hi Raj, OK, but I see only one physcial NIC. How are your getting the ISA firewall to work that way? You need *two* NICs. Thanks! Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] > Sent: Monday, November 14, 2005 4:19 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: DNS Question to Jim Harrison > > http://www.ISAserver.org > > Hi Tom, > > The DNS search order ignores all other DNS servers in the NIC, if the > first DNS server replies negatively. However, if you had a second NIC, > and that and NIC is configured to use a different DNS server, the DNS > query tries to query the DNS servers assigned in the second NIC. So, I > created a "Microsoft Loopback NIC", and assigned a 192.x.x.x > address to > it. And assigned both the ISPs DNS servers to that Loopback NIC. I > thought it would just work with just this configuration, but > it did not. > Then, I added the ISP DNS servers to my physical NIC as well. Now my > Internet name searches and DNS queries use the DNS servers > configured in > the second NIC. Now my spam SPF and SURBL filters are working > beautifully. > > My NICs are configured as follows, > > Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - > Onboard - > Link A: > > Connection-specific DNS Suffix . : > Description : Intel(R) PRO/1000 MT Network Connection > Physical Address : 00-11-43-32-C3-2B > DHCP Enabled : No > IP Address : 10.254.2.5 > Subnet Mask : 255.255.255.0 > Default Gateway : 10.254.2.254 > DNS Servers : 10.254.2.1, 10.254.2.12, 192.157.130.10, > 192.237.125.2 > Primary WINS Server : 10.254.1.2 > > Ethernet adapter MS Loopback: > > Connection-specific DNS Suffix . : > Description : Microsoft Loopback Adapter > Physical Address : 02-00-4C-4F-4F-50 > DHCP Enabled : No > IP Address : 192.168.0.1 > Subnet Mask : 255.255.255.0 > Default Gateway: none > DNS Servers : 192.157.130.10, 192.237.125.2 > > It was a very useful feature to have multiple DNS servers, don't know > why Microsoft changed the design of the search order. At least they > should make it a user selectable option whether you want to > force search > all DNS servers or just ignore the list if one DNS server responds > negatively. > > > Regards, > Raj Periyasamy > Systems Administrator > MCSE(Messaging), CCNA > > > -----Original Message----- > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] > Sent: Monday, November 14, 2005 4:53 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] RE: DNS Question to Jim Harrison > > http://www.ISAserver.org > > Hi Raj, > > So how do you get the NIC from not being removed when you get > a negative > response? From your initial post, it seems like that is what you're > seeing, that the NIC is removed after a negative response. > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://spaces.msn.com/members/drisa/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > **Who is John Galt?** > > > > > -----Original Message----- > > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] > > Sent: Monday, November 14, 2005 3:48 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: DNS Question to Jim Harrison > > > > http://www.ISAserver.org > > > > > > I take it that you did not read my entire question. > > > > I have already found a workaround for the "Microsoft DNS > > search design", > > which incidentally even Microsoft technical support did not > > know about, > > until I told them how it works. I can now search all DNS > servers, even > > if my primary DNS responds negatively. I wanted the DNS > lookup for the > > spam filter to perform SPF and SURBL checks. I was just pointing out > > that your article is incorrect, at least for the 2000/2003/XP world. > > > > > > > > > > > > > > > > > > -----Original Message----- > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] > > Sent: Monday, November 14, 2005 4:38 PM > > To: [ISAserver.org Discussion List] > > Subject: [isalist] RE: DNS Question to Jim Harrison > > > > http://www.ISAserver.org > > > > There is no benefit to searching additional DNS servers if > you get an > > authoritative "no answer" response. > > Your internal SMTP server need only have the IP of the relay server. > > It should not be performing name lookups at all. > > > > > > ------------------------------------------------------- > > Jim Harrison > > MCP(NT4, W2K), A+, Network+, PCG > > http://isaserver.org/Jim_Harrison/ > > http://isatools.org > > Read the help / books / articles! > > ------------------------------------------------------- > > > > > > -----Original Message----- > > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] > > Sent: Monday, November 14, 2005 13:25 > > To: [ISAserver.org Discussion List] > > Subject: [isalist] DNS Question to Jim Harrison > > > > http://www.ISAserver.org > > > > Hi Jim, > > I was doing some research on DNS search order for Windows > Server 2000, > > and came across your article > > http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html. > > > > My scenarios is, we have an SMTP relay server to relay > external emails > > to our ISPs SMTP server through the firewall. The internal > SMTP server > > has no direct Internet access or Internet DNS access, only > > internal DNS > > access. The Internal DNS does not do DNS forwarding to the > Internet. I > > was trying to open up limited Internet DNS access for the > > internal SMTP > > server, so that the spam filter can use SPF and SURBL > checks using the > > Internet DNS. I configured the DNS as following, > > > > DNS1- Internal1 > > DNS2- Internal2 > > DNS3- ISP1 > > DNS4- ISP2 > > > > With this, NSLOOKUP to Internet works fine. But, all other name > > resolutions to the Internet fails, such as ping, or the > GFI's SPF and > > SURBL checks. > > > > As per your article, > > Quote: > > W2K uses each DNS resolver in this fashion: > > 1. NIC1, DNS1 > > 2. NIC2, DNS1 > > 3. NIC1, DNS2 > > 4. NIC2, DNS2 > > ..and so on down the DNS list. Add the whole DNS suffix > search list to > > each DNS query, (can be huge in large deployments or those with > > multi-level domain names), and you have a potential DNS disaster of > > gargantuan proportions. Another feature of W2K DNS resolver usage is > > that if one DNS server in the list of a given interface fails > > to respond > > (not an "I don't know" answer; that's different), then that > > whole NIC is > > blacklisted from the DNS search. So if DNS2 on NIC1 fails to > > respond to > > a query, then DNS1 on that interface will also be ignored > for a while. > > For those reasons, it's best to place all DNS resolver IPs in the > > internal ISA NIC. > > End quote: > > > > My theory was exactly what you have written, the DNS lookup > should go > > through each DNS server untill a positive response is > > received, or until > > there are no more DNS servers in the list to query. I was not > > sure about > > the "if one DNS server in the list of a given interface fails > > to respond > > (not an "I don't know" answer; that's different), then that > > whole NIC is > > blacklisted from the DNS search" part in your article though. What I > > found out is, if one DNS server in any NIC responds > > negatively (I don't > > know reply) to a DNS query, no further DNS servers in that > NIC will be > > queried for name resolution of the same query. However, if > the queried > > DNS server is not responding, then the query does go the next > > DNS server > > in the list. So, in my case, all the DNS queries were just > > failing after > > the first internal DNS server responded negatively. > > > > So, my question is, is your article still accurate, or has it been > > outdated? Is there any way to force the Windows Server to > > search all the > > DNS in the list regardless of a negative response. > > > > > > HTH. > > Regards, > > Raj Periyasamy > > Systems Administrator > > MCSE(Messaging), CCNA > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org > Discussion List as: > > jim@xxxxxxxxxxxx To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > All mail to and from this domain is GFI-scanned. > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org > Discussion List as: > > raj.periyasamy@xxxxxxxxxxxx > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > ------------------------------------------------------ > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > You are currently subscribed to this ISAserver.org Discussion > > List as: tshinder@xxxxxxxxxxxxxxxxxx > > To unsubscribe visit > > http://www.webelists.com/cgi/lyris.pl?enter=isalist > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > raj.periyasamy@xxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > >