RE: DNS Question to Jim Harrison

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 14 Nov 2005 15:52:49 -0600

Hi Raj,

So how do you keep the NIC from being removed when you get a negative
response? From your initial post, it seems like that is what you're
seeing, that the NIC is removed after a negative response.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> Sent: Monday, November 14, 2005 3:48 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> 
> I take it that you did not read my entire question.
> 
> I have already found a workaround for the "Microsoft DNS search design",
> which incidentally even Microsoft technical support did not know about,
> until I told them how it works. I can now search all DNS servers, even
> if my primary DNS responds negatively. I wanted the DNS lookup for the
> spam filter to perform SPF and SURBL checks. I was just pointing out
> that your article is incorrect, at least for the 2000/2003/XP world.
> 
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Monday, November 14, 2005 4:38 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> There is no benefit to searching additional DNS servers if you get an
> authoritative "no answer" response. 
> Your internal SMTP server need only have the IP of the relay server.
> It should not be performing name lookups at all.
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
> Sent: Monday, November 14, 2005 13:25
> To: [ISAserver.org Discussion List]
> Subject: [isalist] DNS Question to Jim Harrison
> 
> http://www.ISAserver.org
> 
> Hi Jim,
> I was doing some research on DNS search order for Windows Server 2000,
> and came across your article
> http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.
> 
> My scenario is, we have an SMTP relay server to relay external emails
> to our ISP's SMTP server through the firewall. The internal SMTP server
> has no direct Internet access or Internet DNS access, only internal DNS
> access. The internal DNS does not do DNS forwarding to the Internet. I
> was trying to open up limited Internet DNS access for the internal SMTP
> server, so that the spam filter can use SPF and SURBL checks using the
> Internet DNS. I configured the DNS as follows:
> 
> DNS1- Internal1
> DNS2- Internal2
> DNS3- ISP1
> DNS4- ISP2
> 
> With this, NSLOOKUP to the Internet works fine. But all other name
> resolutions to the Internet fail, such as ping, or GFI's SPF and
> SURBL checks.
> 
> As per your article,
> Quote:
> W2K uses each DNS resolver in this fashion:
> 1.    NIC1, DNS1 
> 2.    NIC2, DNS1 
> 3.    NIC1, DNS2 
> 4.    NIC2, DNS2 
> ...and so on down the DNS list. Add the whole DNS suffix search list to
> each DNS query (can be huge in large deployments or those with
> multi-level domain names), and you have a potential DNS disaster of
> gargantuan proportions. Another feature of W2K DNS resolver usage is
> that if one DNS server in the list of a given interface fails to respond
> (not an "I don't know" answer; that's different), then that whole NIC is
> blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to
> a query, then DNS1 on that interface will also be ignored for a while.
> For those reasons, it's best to place all DNS resolver IPs in the
> internal ISA NIC.
> End quote.
> 
> My theory was exactly what you have written: the DNS lookup should go
> through each DNS server until a positive response is received, or until
> there are no more DNS servers in the list to query. I was not sure about
> the "if one DNS server in the list of a given interface fails to respond
> (not an "I don't know" answer; that's different), then that whole NIC is
> blacklisted from the DNS search" part in your article though. What I
> found out is, if one DNS server in any NIC responds negatively (an "I don't
> know" reply) to a DNS query, no further DNS servers in that NIC will be
> queried for name resolution of the same query. However, if the queried
> DNS server is not responding, then the query does go to the next DNS server
> in the list. So, in my case, all the DNS queries were just failing after
> the first internal DNS server responded negatively.
> 
> So, my question is, is your article still accurate, or has it become
> outdated? Is there any way to force the Windows Server to search all the
> DNS servers in the list regardless of a negative response?
> 
> 
> HTH.
> Regards,
> Raj Periyasamy
> Systems Administrator
> MCSE(Messaging), CCNA
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
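The resolver walk described in Raj's post and the quoted article, as an added Python model (not from the thread, and a simplification of the reported behaviour rather than Microsoft's code): server names and records are constructed, and `negative_ends_nic` switches between the behaviour Raj observed and the one he expected.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the resolver walk described in the thread. It is an
# illustration of the reported behaviour, not Microsoft's implementation.
POSITIVE, NEGATIVE, TIMEOUT = "positive", "negative", "timeout"

@dataclass
class DnsServer:
    name: str
    records: Dict[str, str]          # names this server can answer -> IP (constructed)
    reachable: bool = True

    def query(self, qname: str) -> Tuple[str, Optional[str]]:
        if not self.reachable:
            return TIMEOUT, None     # server never answers
        if qname in self.records:
            return POSITIVE, self.records[qname]
        return NEGATIVE, None        # an "I don't know" answer

def search_order(nics: Dict[str, List[DnsServer]]) -> List[Tuple[str, DnsServer]]:
    """Interleave as the article states: NIC1/DNS1, NIC2/DNS1, NIC1/DNS2, NIC2/DNS2, ..."""
    depth = max(len(s) for s in nics.values())
    return [(nic, s[i]) for i in range(depth) for nic, s in nics.items() if i < len(s)]

def resolve(nics: Dict[str, List[DnsServer]], qname: str,
            negative_ends_nic: bool = True) -> Tuple[Optional[str], List[str]]:
    """Return (ip or None, 'nic/server' entries actually queried, in order)."""
    tried: List[str] = []
    done = set()
    for nic, srv in search_order(nics):
        if nic in done:
            continue
        tried.append(f"{nic}/{srv.name}")
        status, ip = srv.query(qname)
        if status == POSITIVE:
            return ip, tried
        if status == NEGATIVE and negative_ends_nic:
            done.add(nic)            # Raj's observation: a negative answer ends the search on that NIC
        # a TIMEOUT (or a negative answer when negative_ends_nic is False) falls through
    return None, tried

def raj_scenario(internal1_reachable: bool = True) -> Dict[str, List[DnsServer]]:
    """DNS1-Internal1, DNS2-Internal2, DNS3-ISP1, DNS4-ISP2 on one NIC, with constructed data."""
    internal = {"mailrelay.corp.example": "10.0.0.25"}
    isp = {"example.com": "192.0.2.10", "_spf.example.com": "192.0.2.11"}
    return {"NIC1": [DnsServer("Internal1", internal, internal1_reachable),
                     DnsServer("Internal2", internal),
                     DnsServer("ISP1", isp), DnsServer("ISP2", isp)]}
```

With the observed behaviour, an external lookup stops at Internal1's negative answer and never reaches the ISP servers; only a timeout on Internal1 lets the walk continue, and then Internal2's negative answer ends it.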

