Thanks, you must be the new assistant here...

________________________________
From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
Sent: Monday, November 14, 2005 4:33 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] DNS Question to Jim Harrison

Jim no longer works here.. in case of emergency contact the helpdesk

________________________________
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Tue 15/11/2005 8:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS Question to Jim Harrison

http://www.ISAserver.org

Hi Jim,

I was doing some research on DNS search order for Windows Server 2000, and came across your article http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.

My scenario is, we have an SMTP relay server to relay external emails to our ISP's SMTP server through the firewall. The internal SMTP server has no direct Internet access or Internet DNS access, only internal DNS access. The internal DNS does not do DNS forwarding to the Internet. I was trying to open up limited Internet DNS access for the internal SMTP server, so that the spam filter can use SPF and SURBL checks using the Internet DNS.

I configured the DNS as follows:

DNS1 - Internal1
DNS2 - Internal2
DNS3 - ISP1
DNS4 - ISP2

With this, NSLOOKUP to the Internet works fine. But all other name resolutions to the Internet fail, such as ping, or GFI's SPF and SURBL checks.

As per your article:

Quote:
W2K uses each DNS resolver in this fashion:
1. NIC1, DNS1
2. NIC2, DNS1
3. NIC1, DNS2
4. NIC2, DNS2
..and so on down the DNS list. Add the whole DNS suffix search list to each DNS query (can be huge in large deployments or those with multi-level domain names), and you have a potential DNS disaster of gargantuan proportions. Another feature of W2K DNS resolver usage is that if one DNS server in the list of a given interface fails to respond (not an "I don't know" answer; that's different), then that whole NIC is blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to a query, then DNS1 on that interface will also be ignored for a while. For those reasons, it's best to place all DNS resolver IPs in the internal ISA NIC.
End quote.

My theory was exactly what you have written: the DNS lookup should go through each DNS server until a positive response is received, or until there are no more DNS servers in the list to query. I was not sure about the "if one DNS server in the list of a given interface fails to respond (not an "I don't know" answer; that's different), then that whole NIC is blacklisted from the DNS search" part in your article though.

What I found out is, if one DNS server in any NIC responds negatively ("I don't know" reply) to a DNS query, no further DNS servers in that NIC will be queried for name resolution of the same query. However, if the queried DNS server is not responding, then the query does go to the next DNS server in the list. So, in my case, all the DNS queries were just failing after the first internal DNS server responded negatively.

So, my question is, is your article still accurate, or has it been outdated? Is there any way to force the Windows Server to search all the DNS servers in the list regardless of a negative response?

HTH.

Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: greg@xxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
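The behaviour Raj describes (a negative answer ends the query, a non-responding server is skipped), combined with the NIC-interleaved order from Jim's article, can be modelled to show why the ISP servers in Raj's list are never reached. This is an added example, not code from the thread or from ISA Server; the zone contents, server names and addresses are constructed, and Jim's "whole NIC blacklisted" claim is not modelled.

```python
# Added example (not from the thread): a small model of the resolver behaviour
# Raj observed, using the NIC-interleaved search order from Jim's article.
from dataclasses import dataclass, field

NO_RESPONSE = "timeout"   # server unreachable: resolver tries the next one
NEGATIVE = "nxdomain"     # "I don't know" answer: resolver stops for this query
ANSWER = "answer"


@dataclass
class DnsServer:
    name: str
    records: dict = field(default_factory=dict)  # qname -> IP (constructed)
    reachable: bool = True

    def query(self, qname):
        if not self.reachable:
            return NO_RESPONSE, None
        if qname in self.records:
            return ANSWER, self.records[qname]
        return NEGATIVE, None


def search_order(nics):
    """NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, ... as quoted from Jim's article."""
    depth = max(len(nic) for nic in nics)
    return [nic[i] for i in range(depth) for nic in nics if i < len(nic)]


def resolve(qname, nics):
    """Return (address or None, names of the servers actually consulted)."""
    tried = []
    for srv in search_order(nics):
        tried.append(srv.name)
        kind, value = srv.query(qname)
        if kind == ANSWER:
            return value, tried
        if kind == NEGATIVE:          # the behaviour Raj observed
            return None, tried
    return None, tried                # every server timed out


def raj_scenario(internal1_up=True, internal2_up=True):
    """Raj's list on one NIC: Internal1, Internal2, ISP1, ISP2 (constructed zones)."""
    internal_zone = {"mx.corp.example": "10.0.0.25"}
    isp_zone = {"smtp.isp.example": "198.51.100.25"}
    nic = [DnsServer("Internal1", internal_zone, internal1_up),
           DnsServer("Internal2", internal_zone, internal2_up),
           DnsServer("ISP1", isp_zone), DnsServer("ISP2", isp_zone)]
    return resolve("smtp.isp.example", [nic])
```

With both internal servers up, the external name fails after Internal1's negative answer and ISP1/ISP2 are never consulted; only when both internal servers time out does the query reach ISP1.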