RE: DNS Question to Jim Harrison

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 14 Nov 2005 20:20:38 -0600

Hi Raj,

OK, but I see only one physical NIC. How are you getting the ISA
firewall to work that way? You need *two* NICs.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> Sent: Monday, November 14, 2005 4:19 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> Hi Tom,
> 
> The DNS search order ignores all other DNS servers in the NIC, if the
> first DNS server replies negatively. However, if you had a second NIC,
> and that NIC is configured to use a different DNS server, the DNS
> query tries to query the DNS servers assigned in the second NIC. So, I
> created a "Microsoft Loopback NIC", and assigned a 192.x.x.x address to
> it. And assigned both the ISPs' DNS servers to that Loopback NIC. I
> thought it would just work with just this configuration, but it did not.
> Then, I added the ISP DNS servers to my physical NIC as well. Now my
> Internet name searches and DNS queries use the DNS servers configured in
> the second NIC. Now my spam SPF and SURBL filters are working
> beautifully.
> 
> My NICs are configured as follows,
> 
> Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard - Link A:
>  
>    Connection-specific DNS Suffix  . :  
>    Description  : Intel(R) PRO/1000 MT Network Connection 
>    Physical Address : 00-11-43-32-C3-2B 
>    DHCP Enabled : No 
>    IP Address : 10.254.2.5 
>    Subnet Mask : 255.255.255.0 
>    Default Gateway : 10.254.2.254 
>    DNS Servers : 10.254.2.1, 10.254.2.12, 192.157.130.10, 192.237.125.2
>    Primary WINS Server : 10.254.1.2 
>  
> Ethernet adapter MS Loopback: 
>  
>    Connection-specific DNS Suffix  . :  
>    Description : Microsoft Loopback Adapter 
>    Physical Address : 02-00-4C-4F-4F-50 
>    DHCP Enabled : No 
>    IP Address : 192.168.0.1 
>    Subnet Mask : 255.255.255.0 
>    Default Gateway: none  
>    DNS Servers : 192.157.130.10, 192.237.125.2
> 
> It was a very useful feature to have multiple DNS servers, don't know
> why Microsoft changed the design of the search order. At least they
> should make it a user-selectable option whether you want to force a
> search of all DNS servers or just ignore the list if one DNS server
> responds negatively.
> 
> 
> Regards,
> Raj Periyasamy
> Systems Administrator
> MCSE(Messaging), CCNA
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Monday, November 14, 2005 4:53 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> Hi Raj,
> 
> So how do you keep the NIC from being removed when you get a negative
> response? From your initial post, it seems like that is what you're
> seeing, that the NIC is removed after a negative response.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> > Sent: Monday, November 14, 2005 3:48 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Question to Jim Harrison
> > 
> > http://www.ISAserver.org
> > 
> > 
> > I take it that you did not read my entire question.
> > 
> > I have already found a workaround for the "Microsoft DNS search design",
> > which incidentally even Microsoft technical support did not know about,
> > until I told them how it works. I can now search all DNS servers, even
> > if my primary DNS responds negatively. I wanted the DNS lookup for the
> > spam filter to perform SPF and SURBL checks. I was just pointing out
> > that your article is incorrect, at least for the 2000/2003/XP world.
> > 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Monday, November 14, 2005 4:38 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Question to Jim Harrison
> > 
> > http://www.ISAserver.org
> > 
> > There is no benefit to searching additional DNS servers if you get an
> > authoritative "no answer" response.
> > Your internal SMTP server need only have the IP of the relay server.
> > It should not be performing name lookups at all.
> > 
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >  
> > 
> > -----Original Message-----
> > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> > Sent: Monday, November 14, 2005 13:25
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] DNS Question to Jim Harrison
> > 
> > http://www.ISAserver.org
> > 
> > Hi Jim,
> > I was doing some research on DNS search order for Windows Server 2000,
> > and came across your article
> > http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.
> > 
> > My scenario is, we have an SMTP relay server to relay external emails
> > to our ISP's SMTP server through the firewall. The internal SMTP server
> > has no direct Internet access or Internet DNS access, only internal DNS
> > access. The internal DNS does not do DNS forwarding to the Internet. I
> > was trying to open up limited Internet DNS access for the internal SMTP
> > server, so that the spam filter can use SPF and SURBL checks using the
> > Internet DNS. I configured the DNS as follows,
> > 
> > DNS1- Internal1
> > DNS2- Internal2
> > DNS3- ISP1
> > DNS4- ISP2
> > 
> > With this, NSLOOKUP to the Internet works fine. But all other name
> > resolution to the Internet fails, such as ping, or GFI's SPF and
> > SURBL checks.
> > 
> > As per your article,
> > Quote:
> > W2K uses each DNS resolver in this fashion:
> > 1.  NIC1, DNS1 
> > 2.  NIC2, DNS1 
> > 3.  NIC1, DNS2 
> > 4.  NIC2, DNS2 
> > ..and so on down the DNS list. Add the whole DNS suffix search list to
> > each DNS query, (can be huge in large deployments or those with
> > multi-level domain names), and you have a potential DNS disaster of
> > gargantuan proportions. Another feature of W2K DNS resolver usage is
> > that if one DNS server in the list of a given interface fails to respond
> > (not an "I don't know" answer; that's different), then that whole NIC is
> > blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to
> > a query, then DNS1 on that interface will also be ignored for a while.
> > For those reasons, it's best to place all DNS resolver IPs in the
> > internal ISA NIC.
> > End quote.
> > 
> > My theory was exactly what you have written, the DNS lookup should go
> > through each DNS server until a positive response is received, or until
> > there are no more DNS servers in the list to query. I was not sure about
> > the "if one DNS server in the list of a given interface fails to respond
> > (not an "I don't know" answer; that's different), then that whole NIC is
> > blacklisted from the DNS search" part in your article though. What I
> > found out is, if one DNS server in any NIC responds negatively (I don't
> > know reply) to a DNS query, no further DNS servers in that NIC will be
> > queried for name resolution of the same query. However, if the queried
> > DNS server is not responding, then the query does go to the next DNS
> > server in the list. So, in my case, all the DNS queries were just
> > failing after the first internal DNS server responded negatively.
> > 
> > So, my question is, is your article still accurate, or has it been
> > outdated? Is there any way to force the Windows Server to search all the
> > DNS in the list regardless of a negative response?
> > 
> > 
> > HTH.
> > Regards,
> > Raj Periyasamy
> > Systems Administrator
> > MCSE(Messaging), CCNA
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> > 
> 

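The resolver behaviour the quoted thread argues over is easier to reason about as a small model. The following is an added example, not code from any of the posters or from Windows: it applies the rules Raj reports observing (a negative reply from any server on a NIC stops further queries to that NIC for the same name, while a server that does not respond is simply skipped) with servers tried interleaved across NICs in the order the quoted article gives (NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, ...). The zone names, addresses and the server labels Internal1/Internal2/ISP1/ISP2 are constructed for the example; the model does not cover the part where the ISP servers also had to be added to the physical NIC.

```python
"""Model of the DNS client search order described in the thread above.

Constructed model (not Windows code): each NIC carries an ordered list of
DNS servers, and each server answers a name with "answer", "nxdomain" (an
authoritative negative reply) or "timeout" (no reply at all).
"""
from typing import Callable, Dict, List, Optional, Tuple

# A server's reply for a name: ("answer", ip), ("nxdomain", None) or ("timeout", None)
Reply = Tuple[str, Optional[str]]
ServerFn = Callable[[str], Reply]

# Constructed zone data: hypothetical names, RFC 5737 documentation address.
INTERNAL_ZONE = {"mail.corp.example": "10.254.2.20"}
INTERNET_ZONE = {"spf.example.net": "203.0.113.10"}


def make_server(zone: Dict[str, str], responsive: bool = True) -> ServerFn:
    """Server that knows only its own zone: NXDOMAIN for anything else,
    and no reply at all when marked unresponsive."""
    def server(name: str) -> Reply:
        if not responsive:
            return ("timeout", None)
        ip = zone.get(name)
        return ("answer", ip) if ip else ("nxdomain", None)
    return server


def resolve(nics: Dict[str, List[Tuple[str, ServerFn]]], name: str):
    """Return (ip_or_None, trace); trace lists (nic, server, status) in query order."""
    trace: List[Tuple[str, str, str]] = []
    negative_nics = set()           # NICs that already returned a negative reply
    depth = max(len(servers) for servers in nics.values())
    for position in range(depth):   # DNS1 on every NIC, then DNS2 on every NIC, ...
        for nic, servers in nics.items():
            if nic in negative_nics or position >= len(servers):
                continue
            label, query = servers[position]
            status, ip = query(name)
            trace.append((nic, label, status))
            if status == "answer":
                return ip, trace
            if status == "nxdomain":
                negative_nics.add(nic)  # no further servers on this NIC are asked
    return None, trace


def single_nic(internal1_up: bool = True):
    """Raj's first configuration: Internal1, Internal2, ISP1, ISP2 on one NIC."""
    return {"NIC1": [
        ("Internal1", make_server(INTERNAL_ZONE, internal1_up)),
        ("Internal2", make_server(INTERNAL_ZONE)),
        ("ISP1", make_server(INTERNET_ZONE)),
        ("ISP2", make_server(INTERNET_ZONE)),
    ]}


def two_nic(internal1_up: bool = True):
    """Same as above plus a loopback adapter carrying only the ISP servers."""
    nics = single_nic(internal1_up)
    nics["Loopback"] = [
        ("ISP1", make_server(INTERNET_ZONE)),
        ("ISP2", make_server(INTERNET_ZONE)),
    ]
    return nics


if __name__ == "__main__":
    for title, nics in (("one NIC", single_nic()), ("NIC + loopback", two_nic())):
        for name in ("mail.corp.example", "spf.example.net"):
            ip, trace = resolve(nics, name)
            print(f"{title:15} {name:20} -> {ip}  via {trace}")
    # An unresponsive first server is skipped, not treated as a negative reply.
    print(resolve(single_nic(internal1_up=False), "mail.corp.example"))
```

Run stand-alone, the single-NIC configuration never reaches ISP1 for the Internet name because Internal1's NXDOMAIN retires the whole NIC, while the loopback adapter's ISP1 is still consulted in the interleaved pass; an unresponsive Internal1, by contrast, just moves the query on to Internal2. The cleaner alternative the thread itself hints at is to have the internal DNS forward the lookups it cannot answer, which removes the dependency on per-NIC resolver ordering altogether.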
