RE: DNS issue

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Mar 2004 08:42:55 -0600

Hi John,

Is your DNS server working as both an Advertiser for your hosted domains
AND resolver for your internal network? If the DNS server on your
internal network is acting as a resolver, it needs access to all
*sites*, but not all protocols. In fact, if the DNS server is acting only
as an advertiser, no Protocol Rule is required, because a dynamic packet
filter (dynamic Protocol Rule) is created to allow the response.

So next step -- is your DNS server acting as an advertiser? Resolver?
Both? 

Safety tip: Do NOT allow your public DNS server to act as a resolver,
because that can open you up to various DNS poisoning exploits.

What do you see in the firewall log when you have no protocol rule that
allows the DNS server outbound access? (check only the entries related
to the inbound DNS query from an external host).

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA 2004 Beta - Get it now!
http://www.microsoft.com/isaserver/beta/default.asp
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
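Tom's safety tip above (a public, advertising-only DNS server should not also resolve for the Internet) is something you can verify from the outside. The following check is an added example, not from this thread or from any ISA Server tooling: it builds a recursive query with only the standard library for a name the server is not authoritative for, then classifies the reply by its QR, RA and RCODE flags. `PROBE_NAME`, the default target address and the sample reply bytes are assumptions constructed for illustration.

```python
"""Open-resolver check for a published (advertising) DNS server.

Added example, not code from the thread. It sends one query with the
Recursion Desired (RD) bit set for a name the target does not host and
inspects the answer. A reply with Recursion Available (RA) set, NOERROR and
an answer section means the server is resolving for the public, which is
the behaviour the safety tip warns against.
"""
import random
import socket
import struct

# Assumption: any name the audited server is NOT authoritative for.
PROBE_NAME = "example.com"


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, rd: bool = True) -> bytes:
    """Header (12 bytes) + one question for an A record in class IN."""
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=QUERY, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def parse_response(data: bytes) -> dict:
    """Pull the fields we need out of a DNS header; raises on a truncated packet."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),     # 1 = this is a response
        "rd": bool(flags & 0x0100),     # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }


def classify(info: dict) -> str:
    """Interpret the reply to a recursive query for a foreign name."""
    if not info["qr"]:
        return "not-a-response"
    if info["rcode"] == 5:
        return "recursion-refused"
    if info["ra"] and info["answers"] > 0 and info["rcode"] == 0:
        return "open-resolver"
    if info["ra"]:
        return "recursion-available"
    return "advertiser-only"


def check_open_resolver(host: str, port: int = 53, timeout: float = 3.0) -> str:
    """Send one recursive query to host over UDP and classify the reply."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(PROBE_NAME, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        data, _ = sock.recvfrom(512)
    info = parse_response(data)
    if info["txid"] != txid:
        return "txid-mismatch"          # not the answer to our question
    return classify(info)


# Constructed sample replies (headers only; not captured from a real server).
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)       # QR+RD+RA, NOERROR, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR+RD, RCODE=REFUSED
SAMPLE_AUTH_ONLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)  # QR+RD, no RA

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    print(target, check_open_resolver(target))
```

Run it against the public address of the published server from an external host; the expected result for an advertiser-only server is `recursion-refused` or `advertiser-only`. An `open-resolver` result means the server is answering for names it does not host and should have recursion disabled for external clients.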

-----Original Message-----
From: jlyon [mailto:jlyon@xxxxxxxxxxxxx] 
Sent: Tuesday, March 30, 2004 9:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS issue

I think I have misled you.

I have a SERVER publishing rule for the DNS server, just like on my win2k
machine.

I have PROTOCOL rules for DNS query/lookup/xfer just like on my win2k
machine.

This is all that is required to make it work, but on the win2k3 machine the
only way an internet DNS server can query my DNS server (which happens to sit
in the LAT) is if I add yet another PROTOCOL rule that allows all protocols
TO my DNS server via a client address set I created just for it only.

Does that sound right?
Sorry for all the confusion.

-John
