Yes, you can, but what's to be gained? Leave the App filter in place; it'll alert you if/when the remote DNS servers get whacky on you (technical term; requires years of study). Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/authors/harrison/ Read the books! ----- Original Message ----- From: "Cristian Bratu" <cristian.bratu@xxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Thursday, June 27, 2002 10:37 PM Subject: [isalist] Re: DNS intrusion filter http://www.ISAserver.org Thanks Jim, If I understand, any application filter applies after packet filtering only on the allowed traffic. And if I configure correctly the packet filters to allow DNS ZT only from my external DNS servers the application filter can be disabled. Is it correct? Cristian Bratu MCSE, CCNA ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')