Hi Raj,

OH! OK, I get it.

Thanks!
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> Sent: Tuesday, November 15, 2005 8:21 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
>
> http://www.ISAserver.org
>
> Hi Tom,
> The server is not an ISA server, it's an SMTP relay server which acts as
> the gateway for mail routing and spam filtering.
>
> HTH.
> Regards,
> Raj Periyasamy
> Systems Administrator
> MCSE(Messaging), CCNA
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Monday, November 14, 2005 9:21 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
>
> http://www.ISAserver.org
>
> Hi Raj,
>
> OK, but I see only one physical NIC. How are you getting the ISA
> firewall to work that way? You need *two* NICs.
>
> Thanks!
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> > Sent: Monday, November 14, 2005 4:19 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Question to Jim Harrison
> >
> > http://www.ISAserver.org
> >
> > Hi Tom,
> >
> > The DNS search order ignores all other DNS servers in the NIC, if the
> > first DNS server replies negatively. However, if you had a second NIC,
> > and that NIC is configured to use a different DNS server, the DNS
> > query tries to query the DNS servers assigned in the second NIC. So, I
> > created a "Microsoft Loopback NIC", and assigned a 192.x.x.x address to
> > it. And assigned both the ISP's DNS servers to that Loopback NIC. I
> > thought it would just work with just this configuration, but it did not.
> > Then, I added the ISP DNS servers to my physical NIC as well. Now my
> > Internet name searches and DNS queries use the DNS servers configured in
> > the second NIC. Now my spam SPF and SURBL filters are working
> > beautifully.
> >
> > My NICs are configured as follows,
> >
> > Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard -
> > Link A:
> >
> > Connection-specific DNS Suffix . :
> > Description : Intel(R) PRO/1000 MT Network Connection
> > Physical Address : 00-11-43-32-C3-2B
> > DHCP Enabled : No
> > IP Address : 10.254.2.5
> > Subnet Mask : 255.255.255.0
> > Default Gateway : 10.254.2.254
> > DNS Servers : 10.254.2.1, 10.254.2.12, 192.157.130.10,
> > 192.237.125.2
> > Primary WINS Server : 10.254.1.2
> >
> > Ethernet adapter MS Loopback:
> >
> > Connection-specific DNS Suffix . :
> > Description : Microsoft Loopback Adapter
> > Physical Address : 02-00-4C-4F-4F-50
> > DHCP Enabled : No
> > IP Address : 192.168.0.1
> > Subnet Mask : 255.255.255.0
> > Default Gateway: none
> > DNS Servers : 192.157.130.10, 192.237.125.2
> >
> > It was a very useful feature to have multiple DNS servers, don't know
> > why Microsoft changed the design of the search order. At least they
> > should make it a user selectable option whether you want to force search
> > all DNS servers or just ignore the list if one DNS server responds
> > negatively.
> >
> > Regards,
> > Raj Periyasamy
> > Systems Administrator
> > MCSE(Messaging), CCNA
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: Monday, November 14, 2005 4:53 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: DNS Question to Jim Harrison
> >
> > http://www.ISAserver.org
> >
> > Hi Raj,
> >
> > So how do you get the NIC from not being removed when you get a negative
> > response? From your initial post, it seems like that is what you're
> > seeing, that the NIC is removed after a negative response.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> >
> > > -----Original Message-----
> > > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> > > Sent: Monday, November 14, 2005 3:48 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: DNS Question to Jim Harrison
> > >
> > > http://www.ISAserver.org
> > >
> > > I take it that you did not read my entire question.
> > >
> > > I have already found a workaround for the "Microsoft DNS search design",
> > > which incidentally even Microsoft technical support did not know about,
> > > until I told them how it works. I can now search all DNS servers, even
> > > if my primary DNS responds negatively. I wanted the DNS lookup for the
> > > spam filter to perform SPF and SURBL checks. I was just pointing out
> > > that your article is incorrect, at least for the 2000/2003/XP world.
> > >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Monday, November 14, 2005 4:38 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: DNS Question to Jim Harrison
> > >
> > > http://www.ISAserver.org
> > >
> > > There is no benefit to searching additional DNS servers if you get an
> > > authoritative "no answer" response.
> > > Your internal SMTP server need only have the IP of the relay server.
> > > It should not be performing name lookups at all.
> > >
> > > -------------------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > > -----Original Message-----
> > > From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> > > Sent: Monday, November 14, 2005 13:25
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] DNS Question to Jim Harrison
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi Jim,
> > > I was doing some research on DNS search order for Windows Server 2000,
> > > and came across your article
> > > http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.
> > >
> > > My scenario is, we have an SMTP relay server to relay external emails
> > > to our ISP's SMTP server through the firewall. The internal SMTP server
> > > has no direct Internet access or Internet DNS access, only internal DNS
> > > access. The Internal DNS does not do DNS forwarding to the Internet. I
> > > was trying to open up limited Internet DNS access for the internal SMTP
> > > server, so that the spam filter can use SPF and SURBL checks using the
> > > Internet DNS. I configured the DNS as following,
> > >
> > > DNS1- Internal1
> > > DNS2- Internal2
> > > DNS3- ISP1
> > > DNS4- ISP2
> > >
> > > With this, NSLOOKUP to Internet works fine. But, all other name
> > > resolutions to the Internet fail, such as ping, or the GFI's SPF and
> > > SURBL checks.
> > >
> > > As per your article,
> > > Quote:
> > > W2K uses each DNS resolver in this fashion:
> > > 1. NIC1, DNS1
> > > 2. NIC2, DNS1
> > > 3. NIC1, DNS2
> > > 4. NIC2, DNS2
> > > ..and so on down the DNS list. Add the whole DNS suffix search list to
> > > each DNS query, (can be huge in large deployments or those with
> > > multi-level domain names), and you have a potential DNS disaster of
> > > gargantuan proportions. Another feature of W2K DNS resolver usage is
> > > that if one DNS server in the list of a given interface fails to respond
> > > (not an "I don't know" answer; that's different), then that whole NIC is
> > > blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to
> > > a query, then DNS1 on that interface will also be ignored for a while.
> > > For those reasons, it's best to place all DNS resolver IPs in the
> > > internal ISA NIC.
> > > End quote:
> > >
> > > My theory was exactly what you have written, the DNS lookup should go
> > > through each DNS server until a positive response is received, or until
> > > there are no more DNS servers in the list to query. I was not sure about
> > > the "if one DNS server in the list of a given interface fails to respond
> > > (not an "I don't know" answer; that's different), then that whole NIC is
> > > blacklisted from the DNS search" part in your article though. What I
> > > found out is, if one DNS server in any NIC responds negatively (I don't
> > > know reply) to a DNS query, no further DNS servers in that NIC will be
> > > queried for name resolution of the same query. However, if the queried
> > > DNS server is not responding, then the query does go to the next DNS
> > > server in the list. So, in my case, all the DNS queries were just
> > > failing after the first internal DNS server responded negatively.
> > >
> > > So, my question is, is your article still accurate, or has it been
> > > outdated? Is there any way to force the Windows Server to search all the
> > > DNS in the list regardless of a negative response?
> > >
> > > HTH.
> > > Regards,
> > > Raj Periyasamy
> > > Systems Administrator
> > > MCSE(Messaging), CCNA
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > jim@xxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > All mail to and from this domain is GFI-scanned.
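The thread above describes two rules of the Windows 2000/2003 resolver: the per-position interleaving across NICs quoted from Jim's article (NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, ...) and Raj's observation that an authoritative negative reply stops further servers on that NIC for the same query while a timeout moves on to the next server. The following Python model is an added example written for this page; it is not code from the list, from Microsoft, or from any of the posters, and it only reproduces the behaviour as the thread states it (it does not explain the detail that the loopback NIC alone did not work until the ISP servers were also added to the physical NIC). The server labels Internal1/Internal2/ISP1/ISP2 follow Raj's list; the names and the answer table are constructed so that the internal servers answer negatively for Internet names, as a non-forwarding internal DNS would.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Outcomes of sending one query to one server (constructed model, not captured traffic)
POSITIVE = "positive"   # server returned an answer
NEGATIVE = "negative"   # server answered authoritatively that the name does not exist
TIMEOUT = "timeout"     # server did not respond at all


@dataclass
class Nic:
    name: str
    dns_servers: List[str]  # DNS1, DNS2, ... in the configured order


# Constructed answer table: (server, name) -> outcome. The internal servers do no
# Internet forwarding, so they answer negatively for Internet names; the ISP
# servers answer positively. Pairs not listed are treated as timeouts.
ANSWERS: Dict[Tuple[str, str], str] = {
    ("Internal1", "mail.example.net"): NEGATIVE,
    ("Internal2", "mail.example.net"): NEGATIVE,
    ("ISP1", "mail.example.net"): POSITIVE,
    ("ISP2", "mail.example.net"): POSITIVE,
    ("Internal2", "www.example.org"): NEGATIVE,   # Internal1 times out for this name
    ("ISP1", "www.example.org"): POSITIVE,
    ("ISP2", "www.example.org"): POSITIVE,
    ("Internal1", "fileserver.corp.local"): POSITIVE,
}


def resolve(nics: List[Nic], name: str, answers=ANSWERS):
    """Model of the search order discussed in the thread.

    Order follows the article Raj quotes: NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, ...
    Rules follow Raj's observation: a negative reply drops the rest of that
    NIC's list for this query; a timeout simply moves on to the next server.
    Returns (resolved, attempts), where attempts lists (nic, server, outcome)
    in the order they were tried.
    """
    attempts = []
    dropped = set()  # NICs whose remaining servers are skipped for this query
    longest = max(len(n.dns_servers) for n in nics)
    for position in range(longest):
        for nic in nics:
            if nic.name in dropped or position >= len(nic.dns_servers):
                continue
            server = nic.dns_servers[position]
            outcome = answers.get((server, name), TIMEOUT)
            attempts.append((nic.name, server, outcome))
            if outcome == POSITIVE:
                return True, attempts
            if outcome == NEGATIVE:
                dropped.add(nic.name)
            # TIMEOUT: fall through and try the next server
    return False, attempts


# Raj's first configuration: every server on the one physical NIC
SINGLE_NIC = [Nic("Physical", ["Internal1", "Internal2", "ISP1", "ISP2"])]

# Raj's workaround: a Microsoft Loopback Adapter carrying the ISP servers
WITH_LOOPBACK = [
    Nic("Physical", ["Internal1", "Internal2", "ISP1", "ISP2"]),
    Nic("Loopback", ["ISP1", "ISP2"]),
]


def trace(nics: List[Nic], name: str) -> bool:
    """Print the servers tried for one name and return whether it resolved."""
    ok, attempts = resolve(nics, name)
    print(f"{name}: {'resolved' if ok else 'FAILED'}")
    for nic, server, outcome in attempts:
        print(f"  {nic}/{server}: {outcome}")
    return ok


if __name__ == "__main__":
    trace(SINGLE_NIC, "mail.example.net")        # stops after Internal1's negative reply
    trace(WITH_LOOPBACK, "mail.example.net")     # loopback NIC's ISP1 answers in round one
    trace(SINGLE_NIC, "www.example.org")         # timeout moves on, negative then stops
    trace(WITH_LOOPBACK, "fileserver.corp.local")
```

With the single-NIC list the first internal server's negative answer ends the query before ISP1 is ever asked, which is exactly why ping and the SPF/SURBL lookups failed while NSLOOKUP (which talks to one chosen server directly) still worked. With the loopback NIC in the list, ISP1 is asked in the same round as Internal1, so the Internet name resolves. The model also makes the operational trade-off visible: every Internet name the relay looks up is now also sent to the internal servers first, and internal names are offered to the ISP servers whenever the internal server times out, so the resolver's order, not just its server set, decides which queries leave the network.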