Hi Raj,

So how do you keep the NIC from being removed when you get a negative response? From your initial post, it seems like that is what you're seeing, that the NIC is removed after a negative response.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> Sent: Monday, November 14, 2005 3:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
>
> http://www.ISAserver.org
>
> I take it that you did not read my entire question.
>
> I have already found a workaround for the "Microsoft DNS search design",
> which incidentally even Microsoft technical support did not know about,
> until I told them how it works. I can now search all DNS servers, even
> if my primary DNS responds negatively. I wanted the DNS lookup for the
> spam filter to perform SPF and SURBL checks. I was just pointing out
> that your article is incorrect, at least for the 2000/2003/XP world.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Monday, November 14, 2005 4:38 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
>
> http://www.ISAserver.org
>
> There is no benefit to searching additional DNS servers if you get an
> authoritative "no answer" response.
> Your internal SMTP server need only have the IP of the relay server.
> It should not be performing name lookups at all.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
> Sent: Monday, November 14, 2005 13:25
> To: [ISAserver.org Discussion List]
> Subject: [isalist] DNS Question to Jim Harrison
>
> http://www.ISAserver.org
>
> Hi Jim,
> I was doing some research on DNS search order for Windows Server 2000,
> and came across your article
> http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.
>
> My scenario is, we have an SMTP relay server to relay external emails
> to our ISP's SMTP server through the firewall. The internal SMTP server
> has no direct Internet access or Internet DNS access, only internal DNS
> access. The internal DNS does not do DNS forwarding to the Internet. I
> was trying to open up limited Internet DNS access for the internal SMTP
> server, so that the spam filter can use SPF and SURBL checks using the
> Internet DNS. I configured the DNS as follows:
>
> DNS1 - Internal1
> DNS2 - Internal2
> DNS3 - ISP1
> DNS4 - ISP2
>
> With this, NSLOOKUP to the Internet works fine. But all other name
> resolutions to the Internet fail, such as ping, or GFI's SPF and
> SURBL checks.
>
> As per your article,
> Quote:
> W2K uses each DNS resolver in this fashion:
> 1. NIC1, DNS1
> 2. NIC2, DNS1
> 3. NIC1, DNS2
> 4. NIC2, DNS2
> ...and so on down the DNS list. Add the whole DNS suffix search list to
> each DNS query (can be huge in large deployments or those with
> multi-level domain names), and you have a potential DNS disaster of
> gargantuan proportions. Another feature of W2K DNS resolver usage is
> that if one DNS server in the list of a given interface fails to respond
> (not an "I don't know" answer; that's different), then that whole NIC is
> blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to
> a query, then DNS1 on that interface will also be ignored for a while.
> For those reasons, it's best to place all DNS resolver IPs in the
> internal ISA NIC.
> End quote.
>
> My theory was exactly what you have written: the DNS lookup should go
> through each DNS server until a positive response is received, or until
> there are no more DNS servers in the list to query. I was not sure about
> the "if one DNS server in the list of a given interface fails to respond
> (not an "I don't know" answer; that's different), then that whole NIC is
> blacklisted from the DNS search" part in your article though. What I
> found out is, if one DNS server in any NIC responds negatively ("I don't
> know" reply) to a DNS query, no further DNS servers in that NIC will be
> queried for name resolution of the same query. However, if the queried
> DNS server is not responding, then the query does go to the next DNS
> server in the list. So, in my case, all the DNS queries were just
> failing after the first internal DNS server responded negatively.
>
> So, my question is, is your article still accurate, or has it been
> outdated? Is there any way to force the Windows Server to search all the
> DNS in the list regardless of a negative response?
>
> HTH.
> Regards,
> Raj Periyasamy
> Systems Administrator
> MCSE(Messaging), CCNA
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
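A constructed Python model of the resolver search order as this thread describes it, added here as an example and not code from the mail, from Windows, or from ISA Server. The zone entries and server names are made up, and the three rules it applies are assumptions taken from the text (interleaved NIC/DNS order from Jim's article, stop-on-negative-answer per NIC from Raj's observation, skip-on-no-response from both posts); under those rules it shows why Raj's single-NIC list never reaches the ISP servers for an Internet name once Internal1 answers negatively.

```python
"""Constructed model of the W2K DNS client search order as the thread describes
it (not Windows code).  Rules assumed: DNS1 on every NIC is tried, then DNS2 on
every NIC, and so on (Jim's article); a negative "I don't know" answer ends the
search on that NIC for the query (Raj's observation); a server that does not
respond is skipped (both posts); the first positive answer wins."""
from typing import Callable, Dict, List, Optional, Tuple

POSITIVE, NEGATIVE, TIMEOUT = "positive", "negative", "timeout"
Server = Callable[[str], Tuple[str, Optional[str]]]
Attempt = Tuple[int, int, str]  # (nic index, position in that NIC's list, outcome)


def make_server(zone: Dict[str, str], reachable: bool = True) -> Server:
    """A DNS server answering from a fixed zone table (constructed data)."""
    def query(name: str) -> Tuple[str, Optional[str]]:
        if not reachable:
            return TIMEOUT, None        # no response at all
        if name in zone:
            return POSITIVE, zone[name]
        return NEGATIVE, None           # authoritative "no such name"
    return query


def resolve(name: str, nics: List[List[Server]]) -> Tuple[Optional[str], List[Attempt]]:
    """Walk the interleaved NIC/DNS order; return (answer or None, attempts)."""
    trace: List[Attempt] = []
    stopped = set()                     # NICs that already answered negatively
    for pos in range(max(len(s) for s in nics)):
        for nic, servers in enumerate(nics):
            if nic in stopped or pos >= len(servers):
                continue
            outcome, value = servers[pos](name)
            trace.append((nic, pos, outcome))
            if outcome == POSITIVE:
                return value, trace
            if outcome == NEGATIVE:
                stopped.add(nic)        # Raj: no further servers on this NIC
            # TIMEOUT: fall through to the next server in the order
    return None, trace


# Constructed zones: internal servers know only the internal name (no
# forwarding), ISP servers know Internet names.  Raj's list is all on one NIC.
INTERNAL = {"mail.corp.example": "10.0.0.25"}
INTERNET = {"spf.mailer.example": "192.0.2.10"}


def raj_config(internal1_up: bool = True) -> List[List[Server]]:
    return [[make_server(INTERNAL, internal1_up), make_server(INTERNAL),
             make_server(INTERNET), make_server(INTERNET)]]
```

The trace returned for an Internet name under raj_config() stops after the first negative answer, which is the failure Raj reports for ping and the SPF/SURBL lookups; only a non-responding server moves the query along the list.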