If telnet isn't working but yet you're seeing it pass through the ISA server, it seems more likely that some kind of asymmetric route is in play - this can occasionally occur with bad BGP routes between peers.

When you put a client on the outside of the ISA server, is it in the same external network that the ISA server is?

On Thu, Jan 29, 2009 at 3:05 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:

> I did try to telnet, and that didn't work, and I did try nslookup with
> manually configuring multiple servers, they all timed out. I don't think I
> tried manually setting a DNS server that wasn't one of our normal ones
> though, so I'll have to try that next time.
>
> As for routing, the DNS traffic makes it to the ISA server and goes out to
> the Internet, I can see it in the logs, it just doesn't seem to come back.
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Thursday, January 29, 2009 2:02 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Strange Behaviour in ISA2006
>
> Dan,
>
> From the clients on the inside of the ISA Server try the following command.
>
> telnet <dns server ip address> 53
>
> Does that work?
>
> If it does, try the following:
>
> nslookup www.yahoo.com <dns server ip address>
>
> Does that work?
>
> If not, try using nslookup interactively and see what kind of error message
> you get when you attempt to set the server to the DNS server IP address.
>
> Since this is happening intermittently, it may actually be a network
> routing issue as opposed to an ISA server issue. I don't know what kind of
> topology you have in place on the inside of your ISA server but do take a
> look at that.
>
> On Thu, Jan 29, 2009 at 1:53 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> It seems to happen no matter what DNS servers I put in as forwarders, and
> we cannot function without them (need to get DNS resolution somehow!).
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Crockett, Gregory
> Sent: Tuesday, January 27, 2009 2:30 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> What happens should you kill your ISP DNS servers as forwarders? I have
> never used our ISP's DNS servers as forwarders.
>
> Sent from mobile outlook.
>
> -----Original Message-----
> From: Ball, Dan <DBall@xxxxxxxxxxx>
> Sent: Tuesday, January 27, 2009 1:12 PM
> To: 'isalist@xxxxxxxxxxxxx' <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> Been too busy to play with this much lately, basically I've been just
> waiting it out whenever it has happened, it eventually clears itself. Just
> now it happened again though, and I happened to be logged into the ISA
> server at the time, so I did some packet captures in case someone asked for
> them.
>
> Otherwise, I have tested the DNS servers out pretty good, and the problem
> appears to be in the ISA server. The internal servers cannot contact the
> forwarders, so they dish out responses until the cache times out and then
> start sending out host-not-found messages instead. While this is going on,
> I can take a computer on the other side of our ISA server and connect to the
> DNS servers on the forwarders list, so I know they are alive and kicking,
> the DNS queries just are not passing through the ISA server.
> As long as the computers know the IP address, they can continue to
> communicate through the ISA server, they just cannot look up any new
> addresses.
>
> I see a bunch of alerts saying "ISA Server detected an all port scan
> attack..." from the forwarders' IP addresses immediately prior to and during
> the problem. I remember from a while back that this was a common message
> from DNS server, would the ISA server block those IPs for a time in response
> to those scan attacks?
>
> From: Ball, Dan
> Sent: Thursday, November 06, 2008 12:52 PM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: RE: [isalist] Re: Strange Behaviour in ISA2006
>
> Yes, there are two DNS servers on the internal network that the ISA server
> is a part of. All workstations (including the ISA server) are pointing to
> these two DNS servers, no external DNS servers are configured except as
> forwarders on those two DNS servers. If any DNS request is made that is not
> part of the local network, they use forwarders to resolve the address from
> our ISP's DNS servers.
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jerry Young
> Sent: Thursday, November 06, 2008 12:36 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> Or, you wouldn't happen to have entered DNS servers on both the internal
> and external interface connections in Windows on the ISA Server would you?
>
> Also, how do clients in your environment resolve internet-based DNS
> records? Are DNS forwarders set up on your internal DNS servers or are you
> using some other method for resolving internet-based DNS records?
>
> Are the internal DNS servers part of the same internal network that your
> ISA Server sits on or do those internal queries pass through a router?
>
> You can troubleshoot this by directing nslookup to use specific DNS servers
> for each record test case.
>
> For example, if you wanted to query your internal DNS server for an
> external DNS record you could use:
>
> nslookup www.yahoo.com <Internal DNS Server>,
>
> Where <Internal DNS Server> is the IP address of your internal DNS server.
>
> To test against an external DNS server, you could use:
>
> nslookup www.yahoo.com <External DNS Server>,
>
> Where <External DNS Server> is the IP address of an external DNS server
> your environment uses (usually one provided by your carrier/ISP).
>
> On Thu, Nov 6, 2008 at 12:22 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> The combination of forward access and server login sluggishness point
> squarely at DNS.
> Are you using the same DNS server to handle AD and external DNS queries?
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, November 06, 2008 8:30 AM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: [isalist] Strange Behaviour in ISA2006
>
> I've noticed an interesting behavior of my ISA2006 box, and was wondering
> if anyone would have an idea of what might be causing it...
>
> Periodically, browsing to websites (from our Intranet) becomes sluggish and
> we experience a lot of time-outs, sometimes it clears itself, but sometimes
> it gets worse. Tracing this back, it appears to be a DNS-related issue, the
> names cannot be resolved correctly. I've restarted the internal DNS servers
> when this happens, with little, if any improvement in performance.
> So I log into the ISA server via Remote Desktop to see what is happening,
> the login takes significantly longer than usual, then right about the time
> I get logged in, everything works perfect again, so I cannot trace it.
>
> I thought it was a coincidence the first few times, but it has happened a
> couple of dozen times now and it is a definite pattern. Once I log into the
> ISA server via Remote Desktop, it starts working again. Any ideas?
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>
> All mail to and from this domain is scrutinized by GFI.
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer