RE: DNS Question to Jim Harrison

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 15 Nov 2005 08:45:35 -0600

Hi Raj,

OH! OK, I get it.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> Sent: Tuesday, November 15, 2005 8:21 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> Hi Tom,
> The server is not an ISA server, it's an SMTP relay server which acts as
> the gateway for mail routing and spam filtering.
>  
> 
> HTH.
> Regards,
> Raj Periyasamy
> Systems Administrator
> MCSE(Messaging), CCNA
> 
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Monday, November 14, 2005 9:21 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> Hi Raj,
> 
> OK, but I see only one physical NIC. How are you getting the ISA
> firewall to work that way? You need *two* NICs.
> 
> Thanks!
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> > Sent: Monday, November 14, 2005 4:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Question to Jim Harrison
> > 
> > http://www.ISAserver.org
> > 
> > Hi Tom,
> > 
> > The DNS search order ignores all other DNS servers in the NIC if the
> > first DNS server replies negatively. However, if you had a second NIC,
> > and that NIC is configured to use a different DNS server, the DNS
> > query tries to query the DNS servers assigned in the second NIC. So, I
> > created a "Microsoft Loopback NIC", and assigned a 192.x.x.x address to
> > it, and assigned both the ISP's DNS servers to that Loopback NIC. I
> > thought it would just work with just this configuration, but it did not.
> > Then, I added the ISP DNS servers to my physical NIC as well. Now my
> > Internet name searches and DNS queries use the DNS servers configured in
> > the second NIC. Now my spam SPF and SURBL filters are working
> > beautifully.
> > 
> > My NICs are configured as follows,
> > 
> > Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard - Link A: 
> >  
> >    Connection-specific DNS Suffix  . :  
> >    Description  : Intel(R) PRO/1000 MT Network Connection 
> >    Physical Address : 00-11-43-32-C3-2B 
> >    DHCP Enabled : No 
> >    IP Address : 10.254.2.5 
> >    Subnet Mask : 255.255.255.0 
> >    Default Gateway : 10.254.2.254 
> >    DNS Servers : 10.254.2.1, 10.254.2.12, 192.157.130.10, 192.237.125.2 
> >    Primary WINS Server : 10.254.1.2 
> >  
> > Ethernet adapter MS Loopback: 
> >  
> >    Connection-specific DNS Suffix  . :  
> >    Description : Microsoft Loopback Adapter 
> >    Physical Address : 02-00-4C-4F-4F-50 
> >    DHCP Enabled : No 
> >    IP Address : 192.168.0.1 
> >    Subnet Mask : 255.255.255.0 
> >    Default Gateway: none  
> >    DNS Servers : 192.157.130.10, 192.237.125.2
> > 
> > It was a very useful feature to have multiple DNS servers; I don't know
> > why Microsoft changed the design of the search order. At least they
> > should make it a user-selectable option whether you want to force a search
> > of all DNS servers or just ignore the list if one DNS server responds
> > negatively.
> > 
> > 
> > Regards,
> > Raj Periyasamy
> > Systems Administrator
> > MCSE(Messaging), CCNA
> > 
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Monday, November 14, 2005 4:53 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Question to Jim Harrison
> > 
> > http://www.ISAserver.org
> > 
> > Hi Raj,
> > 
> > So how do you keep the NIC from being removed when you get a negative
> > response? From your initial post, it seems like that is what you're
> > seeing, that the NIC is removed after a negative response.
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> > > Sent: Monday, November 14, 2005 3:48 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: DNS Question to Jim Harrison
> > > 
> > > http://www.ISAserver.org
> > > 
> > > 
> > > I take it that you did not read my entire question.
> > > 
> > > I have already found a workaround for the "Microsoft DNS search design",
> > > which incidentally even Microsoft technical support did not know about,
> > > until I told them how it works. I can now search all DNS servers, even
> > > if my primary DNS responds negatively. I wanted the DNS lookup for the
> > > spam filter to perform SPF and SURBL checks. I was just pointing out
> > > that your article is incorrect, at least for the 2000/2003/XP world.
> > > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Monday, November 14, 2005 4:38 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: DNS Question to Jim Harrison
> > > 
> > > http://www.ISAserver.org
> > > 
> > > There is no benefit to searching additional DNS servers if you get an
> > > authoritative "no answer" response. 
> > > Your internal SMTP server need only have the IP of the relay server.
> > > It should not be performing name lookups at all.
> > > 
> > > 
> > > -------------------------------------------------------
> > >    Jim Harrison
> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >    http://isaserver.org/Jim_Harrison/
> > >    http://isatools.org
> > >    Read the help / books / articles!
> > > -------------------------------------------------------
> > >  
> > > 
> > > -----Original Message-----
> > > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> > > Sent: Monday, November 14, 2005 13:25
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] DNS Question to Jim Harrison
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Hi Jim,
> > > I was doing some research on DNS search order for Windows Server 2000,
> > > and came across your article
> > > http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.
> > > 
> > > My scenario is, we have an SMTP relay server to relay external emails
> > > to our ISP's SMTP server through the firewall. The internal SMTP server
> > > has no direct Internet access or Internet DNS access, only internal DNS
> > > access. The internal DNS does not do DNS forwarding to the Internet. I
> > > was trying to open up limited Internet DNS access for the internal SMTP
> > > server, so that the spam filter can use SPF and SURBL checks using the
> > > Internet DNS. I configured the DNS as follows:
> > > 
> > > DNS1- Internal1
> > > DNS2- Internal2
> > > DNS3- ISP1
> > > DNS4- ISP2
> > > 
> > > With this, NSLOOKUP to the Internet works fine. But all other name
> > > resolutions to the Internet fail, such as ping, or GFI's SPF and
> > > SURBL checks.
> > > 
> > > As per your article,
> > > Quote:
> > > W2K uses each DNS resolver in this fashion:
> > > 1.        NIC1, DNS1 
> > > 2.        NIC2, DNS1 
> > > 3.        NIC1, DNS2 
> > > 4.        NIC2, DNS2 
> > > ..and so on down the DNS list. Add the whole DNS suffix search list to
> > > each DNS query (can be huge in large deployments or those with
> > > multi-level domain names), and you have a potential DNS disaster of
> > > gargantuan proportions. Another feature of W2K DNS resolver usage is
> > > that if one DNS server in the list of a given interface fails to respond
> > > (not an "I don't know" answer; that's different), then that whole NIC is
> > > blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to
> > > a query, then DNS1 on that interface will also be ignored for a while.
> > > For those reasons, it's best to place all DNS resolver IPs in the
> > > internal ISA NIC.
> > > End quote:
> > > 
> > > My theory was exactly what you have written: the DNS lookup should go
> > > through each DNS server until a positive response is received, or until
> > > there are no more DNS servers in the list to query. I was not sure about
> > > the "if one DNS server in the list of a given interface fails to respond
> > > (not an "I don't know" answer; that's different), then that whole NIC is
> > > blacklisted from the DNS search" part in your article though. What I
> > > found out is, if one DNS server in any NIC responds negatively (an "I
> > > don't know" reply) to a DNS query, no further DNS servers in that NIC
> > > will be queried for name resolution of the same query. However, if the
> > > queried DNS server is not responding, then the query does go to the next
> > > DNS server in the list. So, in my case, all the DNS queries were just
> > > failing after the first internal DNS server responded negatively. 
> > > 
> > > So, my question is, is your article still accurate, or has it become
> > > outdated? Is there any way to force the Windows Server to search all the
> > > DNS in the list regardless of a negative response?
> > > 
> > > 
> > > HTH.
> > > Regards,
> > > Raj Periyasamy
> > > Systems Administrator
> > > MCSE(Messaging), CCNA
> > > 
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > > 
> > > 
> > 
> 


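As an added illustration (not part of the thread or of any Windows code), a small Python model of the two resolver rules stated above: the interleaved NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, ... order from Jim's article, and Raj's observation that a negative answer from one server stops further queries on that NIC while a timeout moves on to the next server. It is run against the NIC lists from Raj's ipconfig output with constructed reply behaviour, and shows why the ISP servers only get asked once they sit on a second adapter; it makes no attempt to explain why Raj additionally had to list them on the physical NIC.

```python
"""Model of the Windows 2000/2003 stub resolver as described in this thread
(constructed illustration, not Windows code): servers are tried round-robin
across NICs (NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, ...), a server that times out is
skipped, and a negative answer from any server on a NIC stops further queries
to the remaining servers on that NIC for the same lookup."""
from typing import Dict, List, Optional, Tuple

# Raj's posted NIC configuration (from the ipconfig output in the thread).
RAJ_PHYSICAL_NIC = ["10.254.2.1", "10.254.2.12", "192.157.130.10", "192.237.125.2"]
RAJ_LOOPBACK_NIC = ["192.157.130.10", "192.237.125.2"]

# Constructed replies for one Internet name: the internal servers do not
# forward to the Internet and answer negatively; the ISP servers resolve it.
INTERNET_NAME = {
    "10.254.2.1": "nxdomain",
    "10.254.2.12": "nxdomain",
    "192.157.130.10": "answer",
    "192.237.125.2": "answer",
}

def interleave(nics: List[List[str]]) -> List[Tuple[int, str]]:
    """W2K try order: slot 1 of every NIC, then slot 2 of every NIC, ..."""
    order: List[Tuple[int, str]] = []
    for pos in range(max(len(servers) for servers in nics)):
        for nic, servers in enumerate(nics):
            if pos < len(servers):
                order.append((nic, servers[pos]))
    return order

def resolve(nics: List[List[str]], replies: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Return (server that answered, or None, list of servers actually asked).
    A server with no entry in `replies` is treated as not responding."""
    queried: List[str] = []
    blocked = set()  # NICs where a server has already answered negatively
    for nic, server in interleave(nics):
        if nic in blocked:
            continue
        queried.append(server)
        reply = replies.get(server, "timeout")
        if reply == "answer":
            return server, queried
        if reply == "nxdomain":
            blocked.add(nic)  # rest of this NIC's list is never tried
        # "timeout": fall through to the next server in the order
    return None, queried

if __name__ == "__main__":
    print(resolve([RAJ_PHYSICAL_NIC], INTERNET_NAME))                    # single NIC: fails after one query
    print(resolve([RAJ_PHYSICAL_NIC, RAJ_LOOPBACK_NIC], INTERNET_NAME))  # loopback NIC: ISP server answers
```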