Re: Jim Harrison's DNS FOR ISA SERVER questions

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 20 Apr 2002 18:37:47 -0700

Good questions, all.
Answers inline..

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "TomK" <TKasmir@xxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Saturday, April 20, 2002 4:32 PM
Subject: [isalist] Jim Harrison's DNS FOR ISA SERVER questions


I'm reading Jim Harrison's DNS FOR ISA SERVER piece from the site's
Learning Zone and I have two questions.

1. The Separate Internal & External DNS graphic depicts a client with
DNS1=192.168.0.3 & DNS2=123.123.123.124. This makes "use of separate
internal and external DNS resolvers".
My question is - In a W2K environment could this prove troublesome if an
internal AD lookup fails and is subsequently attempted on the outside? Not
that the outside lookup could ever succeed, but that future queries might
rely on the DNS2 address first?

-- That depends on the (non) response from the primary DNS server.
    If the pri DNS responds with "not found", then the DNS search stops
    If the pri DNS completely fails to respond, then the client will go
seeking answers elsewhere.
-- If you're truly concerned about AD-DNS lookup failures, you may want to
consider a second AD/DNS server.

2. In the next graphic, INDEPENDENT INTERNAL DNS, what mechanism "forces"
INT DNS01 to use ISA for external lookups? Is Forwarding at work here or
is it the server's Gateway address or is it a Secure Nat Client?
And along those lines once the ISA Server tries to resolve an external
name is it Forwarding as well (because its Preferred DNS Servers are on
the Internal network)?

-- That's an exercise for the student (seriously).
    The internal DNS can be either a secureNAT client or it can simply use
ISA as the forwarder
    If you wish to use forwarding at the internal server, you have two
options:
    1. make it a secureNAT client and put the IP of an Internet-based DNS
server in the "Use Forwarders" dialog
    2. install DNS on the ISA and use the ISA internal IP as the DNS
forwarder
    If you want the internal DNS to make its own DNS lookups (called
recursive), then you have to make it a secureNAT client
--either way, you'll have to allow the proper protocols...

Thank you -- Tom Kasmir
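
Added example (not part of the original messages): a small Python model of the client behaviour described in the answer to question 1, showing when a query for an internal name reaches the external resolver. The two server addresses are the ones from the question; the hostnames, zone data and the ".corp.example" suffix are constructed for illustration, and real resolver timeouts and retries are not modelled.

```python
# Added illustration: model of the resolver fallback described in the reply.
# Server addresses come from the thread; names and zone data are constructed.
from typing import Callable, Optional

NXDOMAIN = "NXDOMAIN"   # server answered: "not found"
TIMEOUT = None          # server never answered

INTERNAL_DNS = "192.168.0.3"      # DNS1 in the quoted question
EXTERNAL_DNS = "123.123.123.124"  # DNS2 in the quoted question

def make_server(zone: dict, up: bool = True) -> Callable[[str], Optional[str]]:
    """Return a responder giving an address, NXDOMAIN, or TIMEOUT when down."""
    def respond(name: str) -> Optional[str]:
        if not up:
            return TIMEOUT
        return zone.get(name, NXDOMAIN)
    return respond

def resolve(name, servers):
    """Try servers in order. Any reply (answer or NXDOMAIN) ends the search;
    only a missing reply moves on to the next server.
    Returns (result, list of servers that were sent the query)."""
    asked = []
    for addr, respond in servers:
        asked.append(addr)
        reply = respond(name)
        if reply is not TIMEOUT:
            return reply, asked
    return TIMEOUT, asked

def leaked_to_external(name, servers, internal_suffix=".corp.example"):
    """True if a query for an internal name was sent to the external resolver."""
    _, asked = resolve(name, servers)
    return name.endswith(internal_suffix) and EXTERNAL_DNS in asked

# Constructed zone data for the two resolvers.
internal_zone = {"dc01.corp.example": "192.168.0.10"}
external_zone = {"www.example.org": "203.0.113.7"}

def client(internal_up: bool):
    """Resolver list of the client in the question: DNS1 first, then DNS2."""
    return [(INTERNAL_DNS, make_server(internal_zone, internal_up)),
            (EXTERNAL_DNS, make_server(external_zone))]

if __name__ == "__main__":
    for up in (True, False):
        for n in ("dc01.corp.example", "missing.corp.example"):
            print(up, n, resolve(n, client(up)), leaked_to_external(n, client(up)))
```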
