Hi John,

Is your DNS server working as both an Advertiser for your hosted domains AND resolver for your internal network? If the DNS server on your internal network is acting as a resolver, it needs access to all *sites*, but not all protocols. In fact, if the DNS server is acting only as an advertiser, no Protocol Rule is required, because a dynamic packet filter (dynamic Protocol Rule) is created to allow the response.

So next step -- is your DNS server acting as an advertiser? Resolver? Both?

Safety tip: Do NOT allow your public DNS server to act as a resolver, because that can open you up to various DNS poisoning exploits.

What do you see in the firewall log when you have no protocol rule that allows the DNS server outbound access? (Check only the entries related to the inbound DNS query from an external host.)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now! http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: jlyon [mailto:jlyon@xxxxxxxxxxxxx]
Sent: Tuesday, March 30, 2004 9:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS issue

http://www.ISAserver.org

I think I have misled you. I have a SERVER publishing rule for the DNS server, just like on my win2k machine. I have PROTOCOL rules for DNS query/lookup/xfer, just like on my win2k machine. This is all that is required to make it work, but on the win2k3 machine the only way an internet DNS server can query my DNS server (happens to sit in the LAT) is if I add yet another PROTOCOL rule that allows all protocols TO my DNS server via the client address set I created just for it only. Does that sound right? Sorry for all the confusion.

-John
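
One way to check the safety tip in the reply above (a public DNS server should advertise its own zones but not resolve for outsiders), added here as an example and not part of the original thread: parse the header flags of the server's response to a recursive query for a name it does not host. The function names are hypothetical and the two sample responses are constructed, header plus question only.

```python
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234, qtype=1):
    """Build an A query for `name` with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "ra": bool(flags & RA), "rcode": flags & 0x000F, "ancount": an}

def classify(response, qid):
    """Classify the reply to a query for a name the server does NOT host."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != qid:
        return "invalid"               # not a response, or not ours
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "resolver"              # it recursed for an outside name
    if h["ra"]:
        return "recursion-advertised"  # RA set, but no answer returned
    return "advertiser-only"           # no recursion offered (e.g. REFUSED)

def fake_response(query, flags, ancount):
    """Constructed sample: reuse the query's ID and question section."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0) + query[12:]

QUERY = build_query("example.com")
SAMPLE_REFUSED = fake_response(QUERY, QR | RD | 5, 0)    # rcode 5 = REFUSED
SAMPLE_RECURSED = fake_response(QUERY, QR | RD | RA, 1)  # answered via recursion

if __name__ == "__main__":
    for label, resp in (("refused", SAMPLE_REFUSED), ("recursed", SAMPLE_RECURSED)):
        print(label, "->", classify(resp, 0x1234))
```

To test a server you operate, send the bytes from `build_query()` to it over UDP port 53 from an external host and pass the reply to `classify()`.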