Re: pinging wrong ip address (DNS Publishing)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Oct 2003 19:52:51 -0500

Hi Jeff,

If you don't want a split DNS, then you must be sure that internal hosts
never access resources by the same name as the external hosts.
Otherwise, you'll have internal hosts looping back through the external
interface of the firewall, which won't always work. 

Another thing to consider is that you do not want these publicly
accessible and accessed DNS servers to be able to perform recursion. You
want public DNS servers to advertise only, not resolve. They advertise
for your domains only. They should not resolve for all domains,
otherwise you could be victimized by cache pollution attacks.

HTH,
Tom
www.isaserver.org/shinder
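
The advertise-only behaviour described above is visible in the header of a DNS reply, so it can be audited. The following Python sketch is an added example, not part of the original thread: it builds a query with recursion desired and flags replies that show the RA bit or a resolved out-of-zone name, or an own-zone answer without the AA bit. The names www.example.com and www.example.net, the function names and the sample replies are assumptions constructed for illustration.

```python
import socket
import struct

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits

def build_query(name, qid=0x1234):
    """A-record query with RD (recursion desired) set."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def audit_response(resp, in_zone):
    """Findings for one reply; in_zone means the name is in a zone this server hosts."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & QR:
        raise ValueError("not a response")
    findings = []
    if in_zone and not flags & AA:
        findings.append("own zone answered without AA (not authoritative)")
    if not in_zone and flags & RA:
        findings.append("RA set: recursion offered to this client")
    if not in_zone and (flags & 0x000F) == 0 and ancount > 0:
        findings.append("out-of-zone name resolved")
    return findings

def send_query(server_ip, name, timeout=3.0):
    """Query a DNS server you administer over UDP/53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return s.recv(4096)

def sample_reply(query, flags, answer=b""):
    """Constructed reply: the query with a rewritten header and an optional answer RR."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

# Constructed sample data (not captured traffic): one A record pointing at 192.0.2.10.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
Q_OWN, Q_FOREIGN = build_query("www.example.com"), build_query("www.example.net")
SAMPLES = {
    "advertise-only, own zone": (sample_reply(Q_OWN, QR | AA | RD, A_RR), True),
    "advertise-only, foreign name": (sample_reply(Q_FOREIGN, QR | RD | 5), False),  # REFUSED
    "recursing, foreign name": (sample_reply(Q_FOREIGN, QR | RD | RA, A_RR), False),
}
for label, (resp, in_zone) in SAMPLES.items():
    print(label, "->", audit_response(resp, in_zone) or "ok")
```

Against a live published server, pass the result of `send_query()` from an external vantage point to `audit_response()`; an empty list for both an own-zone and a foreign name matches the advertise-only setup.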


-----Original Message-----
From: Jeff Sloan [mailto:jsloan@xxxxxxxxxxxx] 
Sent: Tuesday, October 21, 2003 7:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: pinging wrong ip address (DNS Publishing)

http://www.ISAserver.org

Tom,

Will this work?

I have two DNS servers that are internal (win 2003 server) and are DNS
published through ISA.
They are not authoritative, yet.

In preparing to make them authoritative, I try to enter their external IP
addresses (the ones on the external NIC of the ISA server) into their
DNS tables.
But since they disappear because the servers don't really have that IP
address, that would not make a very good authoritative setup.
But I don't want split DNS, so here's what I did.
I put the external published address as a second address on the DNS
servers' internal NIC.
Now it automatically becomes registered in the DNS record along with the
internal address as well.

Will this work if I become authoritative for my domain and DNS records?

Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc. 
484 E. 6th St. 
Smackover, AR 71762 



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, October 21, 2003 3:52 PM
To: ISALists
Subject: [isalist] Re: pinging wrong ip address



Hi Rick,

Unless you're using a dial up connection, don't set a DNS server on the
external interface. 

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Kincer, Rick [mailto:Rick_Kincer@xxxxxxxxxx] 
Sent: Tuesday, October 21, 2003 2:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: pinging wrong ip address



Jim,

Thank you for the direction, I've been working on something similar. One
question though, there's always that one question.....

Let's say we have a public website "www.our_domain.com" but we want our
users to use the internal 10. IP addresses to get to the website and
bypass proxy. We set the IE clients to "Bypass proxy for local
addresses" and in the advanced we specify "10.*; our_domain.com". This
will ensure that the internal users get routed directly to the internal
server without going through ISA.

Now for the rub......If I were to set the DNS as you mentioned in the
article "Configuring DNS Settings" on that great website
www.isaserver.org, being that the internal NIC is set for the internal
DNS server and the outside NIC is set for the outside DNS server, would
it cause a problem if:

1) The users deselected the "Bypass proxy for local addresses".
2) The users go to the ourdomain.com website.
3) The internal DNS is off line.
4) The external DNS server is used to resolve the name.
5) The users receive the external IP, which ISA sees as external, to get
to the website.

Wouldn't that just send the user through the ISA server? Possibly
causing a problem with authentication?


Don't laugh, I really have to field this question....


Thank you,

Rick


 -----Original Message-----
From:   Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent:   Tuesday, October 21, 2003 8:52 AM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] Re: pinging wrong ip address


Stop / restart the Firewall service.
The FW and Web Proxy services maintain their own DNS caches and these
maintain entries for ~6 hours. Take a read in the client articles I left
on www.isserver.org; it's much too detailed for an email posting.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Tue, 21 Oct 2003 13:05:15 +0200
 "Luqman Achmat" <luqman@xxxxxxxxx> wrote:

Hi everyone

A service provider recently changed their ip address of a telnet server
outside of our network and since then I cannot connect/telnet to this
server.

Problem - With my MS firewall client enabled: When I do an nslookup of
the dns name, I get the correct resolution to ip address. But when I do
a ping of the dns name, it still tries to ping the OLD ip address.

Any ideas why the ping would still try and ping the old ip address with
my FWClient enabled?

Luq

p.s. With my MS firewall client disabled: When I do an nslookup of the
dns name, I get the correct resolution to ip address. When I do a ping
of the dns name, it pings the correct ip address.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')
