Packet filters don't pass the traffic through the application filters. Thus, your DMZ-based DNS servers can't take advantage of the DNS intrusion filter ISA includes.. ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- ________________________________________ From: Administrator [mailto:Administrator@xxxxxxxxxxxxx] Sent: Monday, October 25, 2004 10:50 To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS server http://www.ISAserver.org Hi Steve I understand that they should be in the DMZ...but for the next few months and a tight budget this cannot be done. I know this question is stupid but I will ask anyway.....What risk is there in having the DNS NOT in the DMZ....am I at risk via port 53?? William ________________________________________ From: Steve Moffat [mailto:steve@xxxxxxxxxx] Sent: 25 October 2004 14:30 To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS server http://www.ISAserver.org they should really be in a dmz S ________________________________________ From: Administrator [mailto:Administrator@xxxxxxxxxxxxx] Sent: Monday, October 25, 2004 2:44 AM To: ISA Mailing List Subject: [isalist] RE: DNS server http://www.ISAserver.org Hi Gr8...so If I got this correctly TCP In local port 53 ...remote any TCP Out local any....remote 53 UDP Receive send local 53 remote any UDP Send Receive local any remote 53.............is this correct? William PS thanks for the help but I am fairly new to public dns servers behind a firewall ________________________________________ From: Steve Moffat [mailto:steve@xxxxxxxxxx] Sent: 24 October 2004 23:44 To: [ISAserver.org Discussion List] Subject: [isalist] RE: DNS server http://www.ISAserver.org you'll need incoming / outgoing dns query packet filters, on each ISA Server as well as publishing them. S ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.