RE: DNS Question to Jim Harrison

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 14 Nov 2005 13:59:38 -0800

I take it that you have not understood my statements.
What "PSS-ignorant" workaround are you failing to describe? 

I described the "out-of-box" behavior.
If you found a supported way to change that, I'm all ears.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx] 
Sent: Monday, November 14, 2005 13:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Question to Jim Harrison

http://www.ISAserver.org


I take it that you did not read my entire question.

I have already found a workaround for the "Microsoft DNS search design", which 
incidentally even Microsoft technical support did not know about, until I told 
them how it works. I can now search all DNS servers, even if my primary DNS 
responds negatively. I wanted the DNS lookup for the spam filter to perform SPF 
and SURBL checks. I was just pointing out that your article is incorrect, at 
least for the 2000/2003/XP world.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, November 14, 2005 4:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Question to Jim Harrison

http://www.ISAserver.org

There is no benefit to searching additional DNS servers if you get an 
authoritative "no answer" response. 
Your internal SMTP server need only have the IP of the relay server.
It should not be performing name lookups at all.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Monday, November 14, 2005 13:25
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS Question to Jim Harrison

http://www.ISAserver.org

Hi Jim,
I was doing some research on DNS search order for Windows Server 2000, and came 
across your article http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.

My scenario is: we have an SMTP relay server to relay external emails to our 
ISP's SMTP server through the firewall. The internal SMTP server has no direct 
Internet access or Internet DNS access, only internal DNS access. The internal 
DNS does not do DNS forwarding to the Internet. I was trying to open up limited 
Internet DNS access for the internal SMTP server, so that the spam filter can 
use SPF and SURBL checks using the Internet DNS. I configured the DNS as 
follows:

DNS1- Internal1
DNS2- Internal2
DNS3- ISP1
DNS4- ISP2

With this, NSLOOKUP to the Internet works fine. But all other name resolutions to 
the Internet fail, such as ping, or GFI's SPF and SURBL checks.

As per your article,
Quote:
W2K uses each DNS resolver in this fashion:
1. NIC1, DNS1
2. NIC2, DNS1
3. NIC1, DNS2
4. NIC2, DNS2
..and so on down the DNS list. Add the whole DNS suffix search list to each DNS 
query, (can be huge in large deployments or those with multi-level domain 
names), and you have a potential DNS disaster of gargantuan proportions. 
Another feature of W2K DNS resolver usage is that if one DNS server in the list 
of a given interface fails to respond (not an "I don't know" answer; that's 
different), then that whole NIC is blacklisted from the DNS search. So if DNS2 
on NIC1 fails to respond to a query, then DNS1 on that interface will also be 
ignored for a while.
For those reasons, it's best to place all DNS resolver IPs in the internal ISA 
NIC.
End quote:

My theory was exactly what you have written: the DNS lookup should go through 
each DNS server until a positive response is received, or until there are no 
more DNS servers in the list to query. I was not sure about the "if one DNS 
server in the list of a given interface fails to respond (not an "I don't know" 
answer; that's different), then that whole NIC is blacklisted from the DNS 
search" part in your article though. What I found out is, if one DNS server in 
any NIC responds negatively ("I don't know" reply) to a DNS query, no further DNS 
servers in that NIC will be queried for name resolution of the same query. 
However, if the queried DNS server is not responding, then the query does go to 
the next DNS server in the list. So, in my case, all the DNS queries were just 
failing after the first internal DNS server responded negatively. 

So, my question is: is your article still accurate, or has it become outdated? Is 
there any way to force the Windows Server to search all the DNS servers in the list 
regardless of a negative response?


HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.
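Editor's note: the thread above gives two accounts of how the Windows 2000/2003 resolver walks its server list (the article's interleaved NIC order with whole-NIC blacklisting on timeout, and Raj's observation that a negative answer ends the query while a timeout falls through to the next server). The following Python model is an added example written for this page; it is not Windows code, not GFI code, and not from the ISAserver.org article. It implements the article's interleaved search order and Raj's observed negative-stops rule, with a toggle for the "keep searching until positive" behaviour Raj expected. Server names, zone contents and the `Answer` outcomes are constructed for the example. Tracing which servers were actually consulted is the practical point: an SPF or SURBL lookup that dies on the first internal server's "I don't know" is indistinguishable to the filter from a domain that publishes nothing, so the check silently passes.

```python
"""Model of the DNS resolver search order discussed in the thread.

Added illustration only: not Windows code, not the article's code.  The
server names, zones and Answer values below are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Answer(Enum):
    POSITIVE = "positive"      # a record came back
    NEGATIVE = "negative"      # authoritative "I don't know" (no such name)
    NO_RESPONSE = "timeout"    # the server did not answer at all


@dataclass
class Nic:
    name: str
    dns_servers: List[str]


# A responder maps (server, queried name) -> Answer.  Constructed stand-in
# for real DNS traffic.
Responder = Callable[[str, str], Answer]


def search_order(nics: List[Nic]) -> List[Tuple[str, str]]:
    """Interleave servers the way the article describes:
    NIC1 DNS1, NIC2 DNS1, NIC1 DNS2, NIC2 DNS2, ... down the list.
    A NIC with fewer servers simply drops out of later rounds."""
    order = []
    longest = max((len(n.dns_servers) for n in nics), default=0)
    for i in range(longest):
        for nic in nics:
            if i < len(nic.dns_servers):
                order.append((nic.name, nic.dns_servers[i]))
    return order


def resolve(name: str, nics: List[Nic], responder: Responder,
            negative_stops: bool = True):
    """Walk the search order and return (final Answer, trace).

    negative_stops=True models what Raj observed: the first negative answer
    from a server on a NIC ends the query for that NIC, while a server that
    does not respond is skipped and the next one is tried.
    negative_stops=False models the behaviour Raj expected: keep going until
    a positive answer arrives or the list is exhausted."""
    trace = []                 # (nic, server, answer) for every server consulted
    given_up = set()           # NICs that already returned a negative answer
    for nic_name, server in search_order(nics):
        if nic_name in given_up:
            continue
        answer = responder(server, name)
        trace.append((nic_name, server, answer))
        if answer is Answer.POSITIVE:
            return answer, trace
        if answer is Answer.NEGATIVE and negative_stops:
            given_up.add(nic_name)
    if any(a is Answer.NEGATIVE for _, _, a in trace):
        return Answer.NEGATIVE, trace
    return Answer.NO_RESPONSE, trace


def servers_consulted(trace) -> List[str]:
    """Just the server names, in the order they were asked."""
    return [server for _, server, _ in trace]


# Raj's configuration: one NIC, internal servers first, ISP servers last.
RAJ_SMTP_NIC = [Nic("LAN", ["Internal1", "Internal2", "ISP1", "ISP2"])]

# Constructed zones: the internal servers know only internal names and do not
# forward, so Internet names get an "I don't know"; the ISP servers know
# Internet names.
INTERNAL_ZONE = {"mail.corp.example", "relay.corp.example"}
INTERNET_ZONE = {"mx.isp.example", "_spf.sender.example"}


def raj_responder(server: str, name: str) -> Answer:
    if server.startswith("Internal"):
        return Answer.POSITIVE if name in INTERNAL_ZONE else Answer.NEGATIVE
    if server.startswith("ISP"):
        return Answer.POSITIVE if name in INTERNET_ZONE else Answer.NEGATIVE
    return Answer.NO_RESPONSE


def internal1_down(server: str, name: str) -> Answer:
    """Same as raj_responder but Internal1 has stopped answering."""
    if server == "Internal1":
        return Answer.NO_RESPONSE
    return raj_responder(server, name)


if __name__ == "__main__":
    for label, stops, resp in (("observed", True, raj_responder),
                               ("expected", False, raj_responder),
                               ("Internal1 down", True, internal1_down)):
        result, trace = resolve("_spf.sender.example", RAJ_SMTP_NIC, resp, stops)
        print(f"{label:15} -> {result.value:9} asked {servers_consulted(trace)}")
```

Running the block prints one line per scenario: with the observed rule the SPF lookup stops at Internal1 with a negative result and ISP1 is never asked, which is exactly the failure Raj describes; with the expected rule it reaches ISP1 and succeeds; with Internal1 down the timeout falls through to Internal2, whose negative answer then ends the query.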
