I take it that you have not understood my statements. What "PSS-ignorant" workaround are you failing to describe? I described the "out-of-box" behavior. If you found a supported way to change that, I'm all ears.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Monday, November 14, 2005 13:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Question to Jim Harrison

http://www.ISAserver.org

I take it that you did not read my entire question. I have already found a workaround for the "Microsoft DNS search design", which incidentally even Microsoft technical support did not know about, until I told them how it works. I can now search all DNS servers, even if my primary DNS responds negatively. I wanted the DNS lookup for the spam filter to perform SPF and SURBL checks. I was just pointing out that your article is incorrect, at least for the 2000/2003/XP world.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, November 14, 2005 4:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Question to Jim Harrison

http://www.ISAserver.org

There is no benefit to searching additional DNS servers if you get an authoritative "no answer" response. Your internal SMTP server need only have the IP of the relay server. It should not be performing name lookups at all.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Monday, November 14, 2005 13:25
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS Question to Jim Harrison

http://www.ISAserver.org

Hi Jim,

I was doing some research on DNS search order for Windows Server 2000, and came across your article http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html.

My scenario is, we have an SMTP relay server to relay external emails to our ISP's SMTP server through the firewall. The internal SMTP server has no direct Internet access or Internet DNS access, only internal DNS access. The Internal DNS does not do DNS forwarding to the Internet. I was trying to open up limited Internet DNS access for the internal SMTP server, so that the spam filter can use SPF and SURBL checks using the Internet DNS.

I configured the DNS as follows:

DNS1 - Internal1
DNS2 - Internal2
DNS3 - ISP1
DNS4 - ISP2

With this, NSLOOKUP to the Internet works fine. But all other name resolutions to the Internet fail, such as ping, or GFI's SPF and SURBL checks.

As per your article, Quote:

W2K uses each DNS resolver in this fashion:
1. NIC1, DNS1
2. NIC2, DNS1
3. NIC1, DNS2
4. NIC2, DNS2
..and so on down the DNS list.

Add the whole DNS suffix search list to each DNS query (can be huge in large deployments or those with multi-level domain names), and you have a potential DNS disaster of gargantuan proportions.

Another feature of W2K DNS resolver usage is that if one DNS server in the list of a given interface fails to respond (not an "I don't know" answer; that's different), then that whole NIC is blacklisted from the DNS search. So if DNS2 on NIC1 fails to respond to a query, then DNS1 on that interface will also be ignored for a while. For those reasons, it's best to place all DNS resolver IPs in the internal ISA NIC.

End quote.

My theory was exactly what you have written: the DNS lookup should go through each DNS server until a positive response is received, or until there are no more DNS servers in the list to query. I was not sure about the "if one DNS server in the list of a given interface fails to respond (not an "I don't know" answer; that's different), then that whole NIC is blacklisted from the DNS search" part in your article though.

What I found out is, if one DNS server in any NIC responds negatively ("I don't know" reply) to a DNS query, no further DNS servers in that NIC will be queried for name resolution of the same query. However, if the queried DNS server is not responding, then the query does go to the next DNS server in the list. So, in my case, all the DNS queries were just failing after the first internal DNS server responded negatively.

So, my question is, is your article still accurate, or has it been outdated? Is there any way to force the Windows Server to search all the DNS servers in the list regardless of a negative response?

HTH.

Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
All mail to and from this domain is GFI-scanned.
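The two resolver behaviours argued about in this thread are easy to confuse, so here is a small simulation of them, added as an example and not code from either poster or from any Microsoft component. It models a server list like Raj's (Internal1, Internal2, ISP1, ISP2, with the internal servers not forwarding to the Internet) and compares the "stop at the first server that answers, whether positively or negatively" policy he observed against the "keep searching until a positive answer" policy he expected. All server names, zone data and IP addresses are constructed; the real Windows DNS Client has additional state (per-interface timeouts, suffix search lists, caching) that this does not model.

```python
"""Simulation of two DNS server-selection policies (added example, constructed data).

Policy A ("stop on answer") models the behaviour reported in the thread for the
Windows 2000/2003/XP resolver: a server that does not respond is skipped, but
the first server that does answer, positively OR negatively (NXDOMAIN), ends
the search.  Policy B ("until positive") is the behaviour the poster expected:
keep going past negative answers until a positive one is found or the list
is exhausted.
"""
from typing import Dict, List, Optional, Tuple

NXDOMAIN = "NXDOMAIN"   # an authoritative "name does not exist" answer
TIMEOUT = "TIMEOUT"     # the server did not respond at all

# A server is (name, reachable, zone-data).  A reachable server answers
# NXDOMAIN for any name missing from its table, i.e. it does not forward.
Server = Tuple[str, bool, Dict[str, str]]

# Constructed zone data (hypothetical names, documentation-range IPs).
INTERNAL_ZONE = {"mail.corp.example": "10.0.0.25"}
INTERNET_ZONE = {"spf.example.net": "203.0.113.10"}

# Constructed server list mirroring the poster's DNS1..DNS4 configuration.
SERVERS: List[Server] = [
    ("Internal1", True, INTERNAL_ZONE),
    ("Internal2", True, INTERNAL_ZONE),
    ("ISP1", True, INTERNET_ZONE),
    ("ISP2", True, INTERNET_ZONE),
]

Trace = List[Tuple[str, str]]   # (server name, what it returned), in query order


def query(server: Server, qname: str) -> str:
    """Return an IP string, NXDOMAIN, or TIMEOUT for one simulated server."""
    _name, reachable, zone = server
    if not reachable:
        return TIMEOUT
    return zone.get(qname, NXDOMAIN)


def resolve_stop_on_answer(servers: List[Server], qname: str) -> Tuple[Optional[str], Trace]:
    """Policy A: skip unresponsive servers, stop at the first definitive answer."""
    trace: Trace = []
    for server in servers:
        result = query(server, qname)
        trace.append((server[0], result))
        if result == TIMEOUT:
            continue                 # no response: try the next server in the list
        if result == NXDOMAIN:
            return None, trace       # a negative answer ends the search
        return result, trace         # positive answer
    return None, trace               # every server timed out


def resolve_until_positive(servers: List[Server], qname: str) -> Tuple[Optional[str], Trace]:
    """Policy B: keep querying past NXDOMAIN until a positive answer or the list ends."""
    trace: Trace = []
    for server in servers:
        result = query(server, qname)
        trace.append((server[0], result))
        if result not in (TIMEOUT, NXDOMAIN):
            return result, trace
    return None, trace


def with_server_down(servers: List[Server], down_name: str) -> List[Server]:
    """Copy of the server list with one server marked unreachable."""
    return [(n, (r and n != down_name), z) for n, r, z in servers]


if __name__ == "__main__":
    # An Internet name the spam filter would look up for an SPF/SURBL check.
    for label, fn in (("stop-on-answer", resolve_stop_on_answer),
                      ("until-positive", resolve_until_positive)):
        ip, trace = fn(SERVERS, "spf.example.net")
        print(f"{label:15} spf.example.net -> {ip}  via {trace}")
    # With Internal1 down, policy A moves on, but Internal2's NXDOMAIN still stops it.
    ip, trace = resolve_stop_on_answer(with_server_down(SERVERS, "Internal1"), "spf.example.net")
    print(f"stop-on-answer, Internal1 down: {ip} via {trace}")
```

Running it shows the failure Raj described: under the stop-on-answer policy the lookup of the Internet name ends at Internal1's NXDOMAIN and the ISP servers are never consulted, while an internal name still resolves from Internal1 under either policy. Taking a server offline only shifts the stopping point to the next server that answers, which is why ordering non-forwarding internal servers ahead of Internet-capable ones cannot be fixed by adding more entries to the list.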