RE: DNS Zone XFers

  • From: "Paul Nuernberger" <pen@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Oct 2003 15:47:07 -0500

OK, so ... assuming that the primary DNS is on the public side of ISA - you
will need to create a packet filter on the ISA server to allow the zone
transfer.  There are protocols already created for "DNS Zone Transfer" &
"DNS Zone Transfer Server" (look in Policy Elements/Protocols in the ISA MMC
to see how they are set up), but these won't be available for Packet
Filters.
 
In the ISA MMC right-click on IP Packet Filters (in Access Policy) and
select new, then filter.  Name the filter, select allow, select custom, set
it up for protocol=TCP direction=inbound local port=53 remote port=all, use
the default external interface, and restrict it to the IP address of your
current firewall. 
 
I wouldn't leave the packet filter enabled indefinitely, but it should allow
you to get the zones transferred.
 
As a side note - it would be far better to set up a DNS server *behind* ISA,
and then server publish it.  Running other processes on the ISA server is a
security risk (as you most likely already know).
 
Paul Nuernberger
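
The advice above to restrict the filter to one peer address and not to leave it enabled can be checked afterwards by reviewing which hosts actually requested a zone transfer over TCP port 53. The following Python is an added example, not part of the original thread: it parses DNS-over-TCP query payloads and reports AXFR/IXFR requests from sources outside an allow list. The function names, addresses (documentation ranges) and sample payloads are constructed for illustration.

```python
import struct

XFER_TYPES = {252: "AXFR", 251: "IXFR"}  # zone-transfer QTYPEs (RFC 1035, RFC 1995)

def build_tcp_query(name, qtype, txid=0x1234):
    """Constructed test input: a DNS query framed for TCP (2-byte length prefix)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def parse_tcp_query(payload):
    """Return (qname, qtype) for the first question, or None if not a well-formed query."""
    if len(payload) < 14:
        return None
    length = struct.unpack("!H", payload[:2])[0]
    msg = payload[2:2 + length]
    if len(msg) != length or length < 12:
        return None
    flags, qdcount = struct.unpack("!2H", msg[2:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):   # pointer or overrun: treat as malformed
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(msg):                     # root byte plus QTYPE and QCLASS required
        return None
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return ".".join(labels), qtype

def audit_transfers(records, allowed_requesters):
    """List (src_ip, zone, kind) for transfer requests from hosts not on the allow list."""
    findings = []
    for src_ip, payload in records:
        parsed = parse_tcp_query(payload)
        if parsed and parsed[1] in XFER_TYPES and src_ip not in allowed_requesters:
            findings.append((src_ip, parsed[0], XFER_TYPES[parsed[1]]))
    return findings

# Constructed sample: (source address, TCP/53 payload) pairs.
SAMPLE = [
    ("192.0.2.10", build_tcp_query("example.com", 252)),      # expected secondary
    ("198.51.100.7", build_tcp_query("example.com", 252)),    # unexpected requester
    ("198.51.100.7", build_tcp_query("www.example.com", 1)),  # ordinary A query over TCP
    ("203.0.113.5", b"\x00\x05abc"),                          # truncated junk
]

if __name__ == "__main__":
    print(audit_transfers(SAMPLE, {"192.0.2.10"}))
```
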

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Thursday, October 23, 2003 3:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers


http://www.ISAserver.org

Actually, I am replacing my aging firewall with ISA. My old firewall also
served as the SOA for my public domains, and I wanted my ISA server to also
serve in this manner when I eventually shut off my old firewall. For now I
was trying to get my primary zone file transferred off my old firewall and
onto my ISA server; when I turn off my old firewall, all I need to do is
change my zone file from secondary to primary on the ISA server. Make sense?
So for now I cannot even get the zone transferred?

-----Original Message-----
From: Paul Nuernberger [mailto:pen@xxxxxxxxx]
Sent: Thursday, October 23, 2003 3:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers



Glenn, are you using ISA as a DNS server or just trying to get the
information to a DNS server behind ISA?
 
Paul Nuernberger

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Thursday, October 23, 2003 2:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers



OK - did that and got the same results; I was unable to xfer the zone. In
addition, I was no longer able to do NSLOOKUPs, so I re-enabled the DNS
Filter ... The DNS Filter definition is for DNS lookups. Do I have to create
special packet filters and apply them to the Public interface of ISA to get
a successful Zone XFer?

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, October 23, 2003 3:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS Zone XFers



Hi Glenn,
 
Disable the DNS filter and try it again.
 
HTH,
Tom
 
 
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx] 
Sent: Thursday, October 23, 2003 2:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] DNS Zone XFers
Importance: High




To allow DNS Zone XFers onto a Microsoft ISA Server, does one have to create
Protocol Rules that include the pre-defined DNS protocols? I get a 6523
error when I try to create a secondary zone file and transfer it from my
primary DNS Server.


  Thank U 
    Glenn 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
