Hi Danny,

What I would do is put a caching-only DNS server on the ISA firewall and allow it to perform recursion. Then use that as a forwarder for the internal DNS servers. If you don't want to do that, then commission a DNS server that is not your Active Directory DNS server (dedicated, that is) and use that as a forwarder. Then create Access Rules allowing the required DNS traffic from the specific hosts requiring that access.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Danny [mailto:nocmonkey@xxxxxxxxx]
> Sent: Tuesday, October 04, 2005 10:39 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Internal DNS best practices
>
> http://www.ISAserver.org
>
> On 10/4/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > It depends.
> >
> > What do you want to do?
>
> Have the most efficient and secure DNS configuration possible with the following network setup:
>
> Internet
> |
> |
> v
> ISA Server - Integrated Mode
> |
> |
> LAN + Servers
>
> Currently there are two AD DNS servers on the LAN; both of them have their TCP/IP DNS client settings pointing to localhost and the ISP's DNS server. Both of them also have their DNS server settings with no DNS forwarder specified.
>
> The current ISA 2000 server is in its own forest, has no DNS forwarder, but the external NIC has both of the ISP's DNS servers specified, and the internal NIC only points to localhost (its own DNS server).
>
> I was thinking it would be best to have all of the LAN DNS servers forward their requests to the new ISA (2004; replacing ISA 2000) server, which would be a secondary DNS server for AD and forward to the ISP for external requests.
> ...D
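The forwarder split Tom describes (a recursive caching-only server near the firewall, with the AD DNS servers forwarding to it and never talking to the Internet themselves), as an added example that is not from the thread or from ISAserver.org; it uses the Windows `dnscmd` tool, and every hostname and address below is a placeholder (the ISA Access Rule itself is still created in the ISA console):

```powershell
# Added example, not the thread's own configuration. Hostnames/IPs are placeholders.
$CacheDns      = "isa-cache.example.local"                 # caching-only DNS on the ISA side
$CacheDnsIp    = "192.0.2.10"                              # placeholder address of that server
$InternalAdDns = @("dc1.example.local", "dc2.example.local") # the two AD-integrated DNS servers

# 1. Caching-only server: recursion enabled (NoRecursion=0), so it resolves Internet
#    names itself. This is the ONLY host the ISA Access Rule needs to permit outbound
#    DNS (UDP/TCP 53) for.
dnscmd $CacheDns /Config /NoRecursion 0

# 2. AD DNS servers: send every non-authoritative query to the cache server.
#    /Slave = forward-only: if the forwarder is unreachable they fail the query instead
#    of falling back to root hints, so they never need direct Internet DNS access.
#    NoRecursion must stay 0 here, because disabling recursion also disables forwarding.
foreach ($dc in $InternalAdDns) {
    dnscmd $dc /ResetForwarders $CacheDnsIp /TimeOut 5 /Slave
    dnscmd $dc /Config /NoRecursion 0
}

# 3. Verify: an internal DC answers an external name via the forwarder, and /Info shows
#    Forwarders = $CacheDnsIp with Slave = 1 on each DC. The DCs' own NIC DNS client
#    settings should then point at each other (not the ISP), per Tom's advice.
nslookup www.isaserver.org $InternalAdDns[0]
foreach ($dc in $InternalAdDns) { dnscmd $dc /Info }
```

If the firewall log still shows the DCs sending port 53 traffic outbound after this change, a server was left with its own forwarders cleared but /Slave unset and is recursing via root hints.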