Hi Jeff, If you don't want a split DNS, then you must be sure that internal hosts never access resources by the same name as the external hosts. Otherwise, you'll have internal hosts looping back through the external interface of the firewall, which won't always work. Another thing to consider is that you do not want these publicly accessible and accessed DNS servers to be able to perform recursion. You want public DNS servers to advertise only, not resolve. They advertise for your domains only. They should not resolve for all domains, otherwise you could be victimized by cache pollution attacks. HTH, Tom www.isaserver.org/shinder -----Original Message----- From: Jeff Sloan [mailto:jsloan@xxxxxxxxxxxx] Sent: Tuesday, October 21, 2003 7:10 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address (DNS Publishing) http://www.ISAserver.org Tom, Will this work? I have two dns servers that are internal (win 2003 server) and are dns published through ISA. They are not authoritive, yet. In preparing to make them authoritive, I try to enter their external IP addresses (the ones on the external nic of the ISA server) into their dns tables. But since they disappear because the servers don't really have that IP address, that would not make a very good authoritive set up. But I don't want split dns, so here's what I did. I put the external published address as a second address on the dns servers internal nic. Now it automatically becomes registered in the dns record along with the internal address as well. Will this work if I become authoritive for my domain and dns records? Jeff Sloan Network Administrator Cross Oil Refining & Marketing, Inc. 484 E. 6th St. Smackover, AR 71762 -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, October 21, 2003 3:52 PM To: ISALists Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Hi Rick, Unless you're using a dial up connection, don't set a DNS server on the external interface. HTH, Tom Thomas W Shinder www.isaserver.org/shinder ISA Server and Beyond: http://tinyurl.com/1jq1 Configuring ISA Server: http://tinyurl.com/1llp -----Original Message----- From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] Sent: Tuesday, October 21, 2003 2:07 PM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Jim, Thank you for the direction, I've been working on something similar. One question though, there's always that one question..... Lets say we have a public website "www.our_domain.com" but we want our users to use the internal 10. IP addresses to get to the website and bypass proxy. We set the IE clients to "Bypass proxy for local addresses" and in the advanced we specify "10.*; our_domain.com". This will ensure that the internal users get routed directly to the internal server without going through ISA. Now for the rub......If I were to set the DNS as you mentioned in the article "Configuring DNS Settings" on that great website www.isaserver.org, being that the internal NIC is set for the internal DNS server and the outside NIC is set for the outside DNS server, would it cause a problem if: 1) The users deselected the "Bypass proxy for local addresses". 2) The users go to the ourdomain.com website. 3) The internal DNS is off line. 4) The external DNS server is used to resolve the name. 5) The users receive the external IP, which ISA sees as external, to get to the website. Wouldn't that just send the user through the ISA server? Possibly causing a problem with authentication? Don't laugh, I really have to field this question.... Thank you, Rick -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, October 21, 2003 8:52 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: pinging wrong ip address http://www.ISAserver.org Stop / restart the Firewall service. The FW and Web Proxy services maintain their own DNS caches and these maintain entries for ~6 hours. Take a read in the client articles I left on www.isserver.org; it's much too detailed for an email posting. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Tue, 21 Oct 2003 13:05:15 +0200 "Luqman Achmat" <luqman@xxxxxxxxx> wrote: http://www.ISAserver.org Hi everyone A service provider recently changed their ip address of a telnet server outside of our network and since then I cannot connect/telnet to this server. Problem - With my MS firewall client enabled: When I do an nslookup of the dns name, I get the correct resolution to ip address. But when I do a ping of the dns name, it still tries to ping the OLD ip address. Any ideas why the ping would still try and ping the old ip address with my FWClient enabled? Luq p.s. With my MS firewall client disabled: When I do an nslookup of the dns name, I get the correct resolution to ip address. When I do a ping of the dns name, it pings the correct ip address. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* All mail from this domain is virus-scanned with RAV. www.ravantivirus.com ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rick_kincer@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jsloan@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')