Re: Wierd DNS stuff...

  • From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 10 Oct 2001 00:28:46 -0400

I also seem to have a DNS lookup packet filter set up for the external IP
and 'all remote computers'. Not sure why that is there unless it was
something I was doing early on trying to get things working also...

This would only apply if I was using DNS on the ISA server, right?


-----Original Message-----
From: Bryan Andrews 
Sent: Wednesday, October 10, 2001 12:25 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Wierd DNS stuff...

http://www.ISAserver.org



I agree totally about AD which is why I do not (I thought) let outside
requests come in to it (and which is also why I do not run dns on my isa
machine).

But I think I found my problem... :( - somehow the 'all ip traffic'
protocol rule I had set up to originally get my ISA network going was
on... and I assume this means that all dns requests that were hitting my
external ip were being answered by my internal dns?? Is that possible
without publishing?

Ouch.

We have been pretty good about all the patches and SPs for all our
servers, but not being an ISA guru... what might I have exposed by doing
this? Everything? Without actually publishing servers, what could answer
outside requests from the inside of my network?

Any thoughts are appreciated.


-----Original Message-----
From: Mark Strangways [mailto:strangconst@xxxxxxxx]
Sent: Tuesday, October 09, 2001 11:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Wierd DNS stuff...



Well, it looks like ISA blocked the packet; it did not get in. But it
didn't get in because ISA could not resolve the domain name successfully.

If you set up protocol rules to allow DNS query only, then incoming DNS
attacks will get kicked by ISA.

I just really don't like my AD to get too far out of my view (so to
speak).

regards,

Mark
----- Original Message -----
From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 09, 2001 11:21 PM
Subject: [isalist] Re: Wierd DNS stuff...




I'm a little confused I guess... the only requests to my dns should be
internal (from my 10. network to other 10.s and resolving out). I don't
understand how 209.x.x.x would be trying to resolve with my dns...

Especially because I am behind ISA...  ahhhh unless I have that protocol
open... and someone is querying thru my firewall maybe?

How do I make sure requests only go out?

Bryan Andrews ~ Trend Influence
404.523.8649 Office ~ 404.597.2316 Cell

-----Original Message-----
From: Mark Strangways [mailto:strangconst@xxxxxxxx]
Sent: Tuesday, October 09, 2001 10:51 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Wierd DNS stuff...



Well, it seems that your DNS can't resolve the domain name inside a
request from 209.xxx.xxx.xxx (whatever you had quoted), so therefore your
AD machine is not resolving accurately enough.

There seem to be some security advantages to setting up DNS as per the
prev. post. There are a few articles in "The Learning Zone" which you may
want to view.

In your set-up does AD forward unresolved requests to your ISP? Or how
does it resolve these?
I would rather my very important AD zones be protected from the external
by forwarding them to a controllable known server, where I control the
filters and other elements. Kinda what I feel a firewall is for... take
the abuse and hacks from the net, thereby protecting other machines.

I suppose this is just my opinion, but my DNS works 100% of the time.
:-)

Regards,

Mark
----- Original Message -----
From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 09, 2001 10:51 PM
Subject: [isalist] Re: Wierd DNS stuff...




Why would I want to put a DNS on there? I'd rather keep everything
internal if I can... incoming DNS resolves to external DNS servers. My
internal DNS only does resolving and internal requests.

Thanks!


-----Original Message-----
From: Mark Strangways [mailto:strangconst@xxxxxxxx]
Sent: Tuesday, October 09, 2001 10:19 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Wierd DNS stuff...



Can you set a DNS on your ISA machine, then forward from the AD machines
to the ISA DNS server for any unresolved adds.
Set up your ISA DNS server to forward its requests to your ISP's
resolvers.

You should find that offers better security and performance.

Regards,
Mark

----- Original Message -----
From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 09, 2001 10:24 PM
Subject: [isalist] Wierd DNS stuff...




Hello All,

I have been having DNS trouble intermittently where emails are bouncing
back (Exchange 2000), and when I clear my DNS caches everything is OK.

Quick note about my setup:

1. ISA server w/ 2 nics, no DNS, no IIS, no etc
2. internal AD, DNS (AD integrated), E2K server
3. internal AD, DNS (AD integrated)
4. other boxes that are not important.

In troubleshooting I have noticed that I have repeated entries in my DNS
event log for:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 10/2/2001
Time: 6:28:04 PM
User: N/A
Computer: TATL0S03
Description:
The DNS server encountered an invalid domain name in a packet from
209.235.102.18.  The packet is rejected.


AND

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 10/2/2001
Time: 6:28:04 PM
User: N/A
Computer: TATL0S03
Description:
The DNS server encountered an invalid domain name in a packet from
209.235.102.17.  The packet is rejected.

I have no idea why this is happening. I did digs and do not recognize
this address, and what's more, I don't really understand how DNS would be
talking to this IP through the firewall... often and repeatedly.

Has anyone else seen this before? Is this something I should worry about?

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
strangconst@xxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
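One way to triage the Event ID 5504 entries quoted in the original post is to parse the exported log, pull the source address out of the wrapped description line, and count rejections per source that lies outside the internal range. This is an added example, not code from the thread; it assumes the poster's LAN is 10.0.0.0/8 (as he mentions) and uses a constructed sample log in the same layout as the two entries above, with one extra internal host added for contrast.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log: Event ID 5504 warnings laid out exactly as the thread
# shows them (the two 209.x sources from the post plus one constructed 10.x host).
def _event(src_ip, time="6:28:04 PM"):
    return ("Event Type: Warning\nEvent Source: DNS\nEvent Category: None\n"
            "Event ID: 5504\nDate: 10/2/2001\nTime: %s\nUser: N/A\n"
            "Computer: TATL0S03\nDescription:\n"
            "The DNS server encountered an invalid domain name in a packet from\n"
            "%s.  The packet is rejected." % (time, src_ip))

SAMPLE_LOG = "\n\n".join([_event("209.235.102.18"), _event("209.235.102.17"),
                          _event("209.235.102.18", "6:29:10 PM"), _event("10.0.0.5")])

# Assumption: the internal network is 10.0.0.0/8; an internal-only DNS server
# should never see packets from anywhere else.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

EVENT_ID_RE = re.compile(r"^Event ID:\s*(\d+)", re.M)
COMPUTER_RE = re.compile(r"^Computer:\s*(\S+)", re.M)
# The description wraps, so the address may sit on the line after "packet from".
SOURCE_IP_RE = re.compile(r"packet from\s+(\d{1,3}(?:\.\d{1,3}){3})")

def parse_events(text):
    """Split the exported log on blank lines and pull out the fields we need."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        eid, host, ip = (r.search(block) for r in (EVENT_ID_RE, COMPUTER_RE, SOURCE_IP_RE))
        if not eid:
            continue
        events.append({"event_id": int(eid.group(1)),
                       "computer": host.group(1) if host else None,
                       "source_ip": ip.group(1) if ip else None})
    return events

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def external_rejections(events, event_id=5504):
    """Count 5504 rejections per source outside the internal ranges. Any hit
    means outside hosts are reaching the DNS server through the firewall."""
    counts = Counter()
    for e in events:
        if e["event_id"] == event_id and e["source_ip"] and not is_internal(e["source_ip"]):
            counts[e["source_ip"]] += 1
    return counts

if __name__ == "__main__":
    for ip, n in external_rejections(parse_events(SAMPLE_LOG)).most_common():
        print("%-16s %d rejected packet(s) from outside the LAN" % (ip, n))
```

A non-empty result is the signal the thread ends up at: external hosts can talk to the internal DNS, so the ISA protocol rules (the 'all IP traffic' rule in particular) are the place to look.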
