Hi Farshad, The ISA Server maintains a state table for UDP communications. Since UDP only provides source and destination IP and Port, it doesn't have lot of information regarding the state of the communication. The ISA Server therefore sets timeout values in its state table. If the responses come back after the entry in the state table has expired, the ISA Server thinks its an attack. A lot of people have the same issue, so unless your evaluation of the packet filter log shows you have a real problem, you can safely ignore the alert. HTH, Tom www.isaserver.org/shinder -----Original Message----- From: Farshad Farooji [mailto:farshad@xxxxxxxxxxxxxx] Sent: Tuesday, January 07, 2003 10:29 AM To: [ISAserver.org Discussion List] Subject: [isalist] DNS qureries cause ISA alerts http://www.ISAserver.org Hi everyone; I posted this message yesterday, unfortuantely got no answers. since it is getting to be a serious problem for me I am doing it again. I have been receiving ISA alerts as all port scans and so on very frequently and it is very anoying. now I have found out that these alerts are caused by DNS queries thru ISA. my clients are mainly webproxy and securenat. is there anything wrong with my settings on the ISA? thanks for the help, Farshad ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')