You can't use publishing rules for the DNS publishing on ISA 2000; you MUST use packet filters.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Administrator [mailto:Administrator@xxxxxxxxxxxxx]
Sent: Wednesday, October 27, 2004 10:15
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server

Hi Jim

There is no DMZ...the DNS server is the ISA machine itself.

Have added the 4 packet filters as described at
http://support.microsoft.com/default.aspx?scid=kb;en-us;291662

And I added the 2 publishing rules.

Am I wrong on these steps?

William

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: 27 October 2004 19:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server

You have the DNS attack filter dropping zone transfer requests, which means you have server-published these DNS servers. Look for and disable the server publishing rules that affect these DNS servers if they REALLY exist in a DMZ.

-----Original Message-----
From: Administrator [mailto:Administrator@xxxxxxxxxxxxx]
Sent: Tuesday, October 26, 2004 15:07
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server

Hi

Mentioning DNS filters....it seems like I have some kind of issue with them. The primary zones are all 100% operational. However the secondary zones are still giving me grief.

Event logs show:

ISS Event ID 20009
DNS Zone Transfer from high ports detected from IP:11997 to IP:53

And

Event ID 6525
Zone transfer request for secondary zone theoneinfront.com refused by master server at etc etc.

Could the DNS filter be the issue? If so is there a solution?

William

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: 26 October 2004 18:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: DNS server

Packet filters don't pass the traffic through the application filters. Thus, your DMZ-based DNS servers can't take advantage of the DNS intrusion filter ISA includes.
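
The event quoted in the thread, "DNS Zone Transfer from high ports detected", comes down to spotting a zone transfer query sent to port 53 from an unprivileged source port. The Python below is added here as an illustration and is not taken from the thread or from ISA Server; it parses a DNS message and makes that classification. The function names and the 1024 port boundary are assumptions.

```python
import struct

AXFR, IXFR = 252, 251   # QTYPEs for full and incremental zone transfer
HIGH_PORT_MIN = 1025    # assumption: "high ports" means source ports above 1024

def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query (constructed sample input, no TCP length prefix)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (is_query, qname, qtype) for the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad or truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return (flags & 0x8000) == 0, ".".join(labels), qtype

def classify(src_port, dst_port, msg):
    """Describe a zone transfer request to port 53, or return None for anything else."""
    is_query, qname, qtype = parse_question(msg)
    if dst_port != 53 or not is_query or qtype not in (AXFR, IXFR):
        return None
    kind = "AXFR" if qtype == AXFR else "IXFR"
    origin = "high ports" if src_port >= HIGH_PORT_MIN else "privileged ports"
    return f"zone transfer ({kind}) for {qname} from {origin}"

if __name__ == "__main__":
    # Source port and zone name taken from the event text quoted in the thread
    print(classify(11997, 53, build_query("theoneinfront.com", AXFR)))
```

Zone transfers normally run over TCP, where each DNS message is preceded by a two-byte length field; strip that prefix before passing the message to `parse_question`.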