RE: ISA not forwarding my DNS requests

  • From: "Walkowiak, Matt" <Matt.Walkowiak@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 6 May 2002 17:39:15 -0500

I agree that it has to do with ISA.  The issue here is simply the ISA
server is not allowing UDP port 53 packets to pass thru it.  The reason
the work around that was suggested works (install DNS on ISA server) is
because your internal DNS talks to the inside of the ISA server, which
then talks to the DNS server on the local box (that's allowed) then your
ISA server is able to talk to an external DNS server (I assume you have
a filter turned on having to do with port 53) and then the reverse of
all that works, too.

So why doesn't ISA forward UDP port 53?  I do not really believe there
is a bug in ISA server pertaining to this topic.  I am going to assume
that it also doesn't work to do an NSLOOKUP from the internal DNS
server.  What kind of rules do you have set for allowing your internal
users out to the Internet?  If you have "All protocols:Anywhere" turned
on, then any computer on the inside should be able to connect to any
computer in the world on any port.  To try this out, go to the DNS
server.  Download Putty (search for putty in google.com) and use it to
telnet to various computers on various ports.  Try telnetting to
styx.darbonne.com on port 3000, or 6789.  If that works, that means your
DNS server can do two things: it can resolve a name using DNS and it can
get thru the ISA server on ports 3000 and 6789.  If it doesn't work, try
using just the IP address instead of the name:
Styx.darbonne.com = 66.12.199.150
If THAT doesn't work, then your ISA server is not allowing those two
ports thru it.  (as a further test, place a computer OUTSIDE the ISA
server and see if the above tests work.  You can use this computer as a
control group.)

Here is a question:  Are you using the proxy function of ISA server?  If
your ISA server is a proxy server and NOT just a firewall, then it WOULD
make sense there is a bug in ISA server.  Proxying is a LOT harder to
do than simple port forwarding and packet filtering.

I guess that the point I am trying to make is, in order to allow a
packet thru the ISA server, you need to tell the ISA server to allow the
packet thru.  The only way around this is if you have a catch-all rule
(All:Any) that just lets things happen.  Try the above tests and let me
know your results.  Also, let me know what you CAN and CANNOT do (can
you ping the Internet by name and IP number? ...)

Matt
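The tests Matt describes boil down to three questions: does a UDP/53 query from the internal DNS server get a reply through the firewall, does a connection by name behave differently from one by IP, and does a control host outside ISA behave differently again. The script below is an added example, not code from this thread or from ISAserver.org; it builds the raw DNS A query that has to cross UDP port 53, parses the reply, and turns the three manual test outcomes into the same conclusions Matt reasons through. The resolver address, query name and the canned response bytes are constructed placeholders, and diagnose() is a hypothetical helper, not an ISA feature.

```python
import socket
import struct

# Constructed placeholder values (not from the original thread).
RESOLVER = "192.0.2.53"     # address of the DNS server you want to reach through the firewall
QUERY_NAME = "example.com"  # any name the resolver should be able to answer


def build_query(name, txid=0x1234):
    """Build a minimal DNS A query (RFC 1035 wire format) as sent over UDP port 53."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(packet, pos):
    """Advance past a (possibly compressed) domain name starting at pos."""
    while True:
        length = packet[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return pos + 2
        pos += 1 + length


def parse_response(packet, txid):
    """Return (rcode, [A record IPs]) for a response matching txid, else None."""
    if len(packet) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction or not a response
        return None
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):                    # skip the echoed question section
        pos = _skip_name(packet, pos) + 4
    ips = []
    for _ in range(an):
        pos = _skip_name(packet, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in packet[pos:pos + 4]))
        pos += rdlen
    return rcode, ips


def probe_udp_dns(resolver, name, timeout=2.0):
    """Send one A query to resolver:53 over UDP; None means no reply (blocked or timed out)."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def diagnose(name_ok, ip_ok, outside_ok):
    """Map the thread's three manual tests (by name, by IP, from a control host) to a conclusion."""
    if name_ok:
        return "name resolution and the tested ports both pass through the firewall"
    if ip_ok:
        return "tested ports pass but resolution fails: UDP/53 is blocked or the resolver is unreachable"
    if outside_ok:
        return "the firewall blocks the tested ports (and likely UDP/53); review the outbound rules"
    return "the control host fails too: the problem is upstream of the firewall"


# Constructed sample reply: txid 0x1234, flags 0x8180, one question, one A answer (192.0.2.10).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    result = probe_udp_dns(RESOLVER, QUERY_NAME)
    print("no UDP/53 reply" if result is None else result)
```

Run it from the internal DNS server first and then from the control host outside ISA; a reply from outside and silence from inside points at the firewall's UDP/53 handling rather than the DNS server itself.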


-----Original Message-----
From: karzon [mailto:creid@xxxxxxxxxxxxxxx] 
Sent: Monday, May 06, 2002 4:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA not forwarding my DNS requests

The DNS server is set as Authoritative.
The problem lies with ISA. If I change the default gateway of my DNS
server to point to a windows2k NAT server, it works fine.
I must be missing something in the ISA configuration.
