I also seem to have a dnslookup packet filter setup for the external ip and 'all remote computers'. Not sure why that is there unless it was something I was doing early on trying to get things working also... This would only apply if I was using dns on the ISA server right? -----Original Message----- From: Bryan Andrews Sent: Wednesday, October 10, 2001 12:25 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Wierd DNS stuff... http://www.ISAserver.org I agree totally about AD which is why I do not (I thought) let outside requests come in to it (and which is also why I do not run dns on my isa machine). But I think I found my problem... :( - somehow the 'all ip traffic' protocol rule I had set up to originally get my ISA network going was on... and I assume this means that all dns requests that were hitting my external ip were being answered by my internal dns?? Is that possible without publishing? Ouch. We have been pretty good about all the patches and SPs for all our servers, but not being an ISA guru... what might have I exposed by doing this? Everything? Without actually publishing servers what could answer to outside requests from the inside of my network? Any thoughts are appreciated. -----Original Message----- From: Mark Strangways [mailto:strangconst@xxxxxxxx] Sent: Tuesday, October 09, 2001 11:21 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Wierd DNS stuff... http://www.ISAserver.org Well, It looks like ISA Blocked the packet, it did not get in. But it didn't get in because ISA could not resolve the domain name successfully. If you set up protocol rules to allow DNS query only then incoming DNS attacks will get kicked by ISA. I just really don't like my AD to get to far out of my view (so to speak). regards, Mark ----- Original Message ----- From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, October 09, 2001 11:21 PM Subject: [isalist] Re: Wierd DNS stuff... http://www.ISAserver.org I'm a little confused I guess... the only requests to my dns should be internal (from my 10. network to other 10.s and resolving out). I don't understand how 209.x.x.x would be trying to resolve with my dns... Especially because I am behind ISA... ahhhh unless I have that protocol open... and someone is querying thru my firewall maybe? How do I make sure requests only go out? Bryan Andrews ~ Trend Influence 404.523.8649 Office ~ 404.597.2316 Cell -----Original Message----- From: Mark Strangways [mailto:strangconst@xxxxxxxx] Sent: Tuesday, October 09, 2001 10:51 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Wierd DNS stuff... http://www.ISAserver.org Well, it seems that your dns can't resolve the domain name inside a request from 209.xxx.xxx.xxx whatever you had quoted), so therefore your ad machine is not resolving accurately enough. There seems to be some security advantages to setting up DNS as per the prev. post. There are a few articles in "The Learning Zone" which you may want to view. In your set-up does AD forward unresolved requests to your ISP? Or how does it resolve these ? I would rather my very important AD zones be protected from the external by forwarding them to a controllable know server, where I control the filters and other elements. Kinda what I feel a firewall is for ... take the abuse and hacks from the net, thereby protecting other machines. I suppose this is just my opinion, but my DNS work 100 % of the time . :-) Regards, Mark ----- Original Message ----- From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, October 09, 2001 10:51 PM Subject: [isalist] Re: Wierd DNS stuff... http://www.ISAserver.org Why would I want to put a dns on there? I'd rather keep everything internal if I can... incoming dns resolves to external dns servers. My internal dns only does resolving and internal requests. Thanks! -----Original Message----- From: Mark Strangways [mailto:strangconst@xxxxxxxx] Sent: Tuesday, October 09, 2001 10:19 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Wierd DNS stuff... http://www.ISAserver.org Can you set a DNS on your ISA machine, then forward from the AD machines to the ISA DNS server for any unresolved adds. Set up your ISA DNS server to forward it's request's to your ISP's resolvers. You should find that offers better security and performance. Regards, Mark ----- Original Message ----- From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, October 09, 2001 10:24 PM Subject: [isalist] Wierd DNS stuff... http://www.ISAserver.org Hello All, I have been having dns trouble intermittently where emails are bouncing back (exchange2000) and I clear my dns caches and everything is ok. Quick note about my setup: 1. ISA server w/ 2 nics, no DNS, no IIS, no etc 2. internal AD, DNS (AD integrated), E2K server 3. internal AD, DNS (AD integrated) 4. other boxes that are not important. In troubleshooting I have noticed that I have repeated entries in my dns for: Event Type: Warning Event Source: DNS Event Category: None Event ID: 5504 Date: 10/2/2001 Time: 6:28:04 PM User: N/A Computer: TATL0S03 Description: The DNS server encountered an invalid domain name in a packet from 209.235.102.18. The packet is rejected. AND Event Type: Warning Event Source: DNS Event Category: None Event ID: 5504 Date: 10/2/2001 Time: 6:28:04 PM User: N/A Computer: TATL0S03 Description: The DNS server encountered an invalid domain name in a packet from 209.235.102.17. The packet is rejected. I have no idea why this is happening. I did digs and do not recognize this address, and whats more, I don't really understand how dns would be talking to this ip thru the firewall... often and repeatedly. Has anyone else seen this before is this something I should worry about? ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: strangconst@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: strangconst@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: strangconst@xxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')