DNS Forwarders

Thread starter: Jeff Smyrski

Jeff Smyrski

Hi, this weekend we performed a scheduled downtime for our servers for some
maintenance. After rebooting, it seems that my DNS is all screwed up. I
have a DNS server that is configured to use forwarders, but it just does not
seem to be working. The DNS server is also configured with the ISA Firewall
Client for regular Internet and managed protocol connectivity. The server
has one NIC card and is configured for a gateway on another network,
10.0.0.10/5; this is directly to the firewall interface. This was done so
that it would not be dependent on the ISA server for DNS. The ISA server
has one NIC in the same network (192.168.1.15) and one on the same network as
the firewall (10.0.0.15). The two networks are connected via a router that has
two interfaces, one in the main network (192.168.1.5) and another on the
private network (10.0.0.5).

From the DNS server I can ping everything on the 10.0.0.0 network and
everything on the 192.168.1.0 network.

An NSLOOKUP gets me nothing from my DNS server with forwarders to
216.238.0.10 and 216.238.0.11.

However, if I change the server to be 216.238.0.10 in the nslookup, I can
resolve names no prob from the DNS server, just not from the localhost.

I have rebooted the server a couple of times but nothing seems to work.

The router is configured with no access-list or group so that all traffic to
and from is permitted between the two interfaces from any host.

I have no Internet name resolution; however, I have a couple of entries
on my DNS server for local web servers, with IP addresses hardcoded. These
sites resolve with no problems, with one exception: the www entry will not
resolve on the DNS server but resolves everywhere else (even after an
ipconfig /flushdns, and by performing these steps at the ISA server).

When I enter the IP address or WWW host in my browser I get an ISA Server
authentication error (error 12202); the TechNet DVDs had nothing useful for this
(I reinstalled SP1 for ISA).

So the issue seems to be that I can resolve a name from the DNS server if I
hard-code the ISP's DNS server using NSLOOKUP, or if the host is not www and
is hard-coded in my local DNS table. Nothing is caching for DNS, nor are the
forwarders doing anything.

The only way I could get any Internet name resolution to work was to hard-
code the DNS server for my ISP as the second DNS server on my ISA Server.
But that is not the correct way to make this work, and it generates netlogon
errors and browser errors in the event log.

Please help.

Jeff Smyrski
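The comparison Jeff describes (nslookup against the local DNS server versus directly against the ISP forwarders) can be scripted so both paths are tested the same way each time. This is an added example, not code from the thread: it builds a raw DNS A query over UDP with Python's standard library only, parses the reply, and reports a timeout separately from an error code, which is the difference between "gets me nothing" and a SERVFAIL. The forwarder addresses are the ones from the thread; `LOCAL_DNS` pointing at 127.0.0.1 and the test name are assumptions.

```python
import random
import socket
import struct

# Addresses from the thread (the ISP forwarders) plus an assumed local resolver.
FORWARDERS = ["216.238.0.10", "216.238.0.11"]
LOCAL_DNS = "127.0.0.1"  # assumption: run this on the DNS server itself

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a minimal recursive (RD=1) DNS query; qtype 1 = A record."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, expected_txid):
    """Return (rcode, [A-record IPs]); reject replies whose txid does not match."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode, off = flags & 0x000F, 12
    for _ in range(qd):           # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                  # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, answers


def query(server, name, timeout=3.0):
    """Send one query to server:53 over UDP; None means no reply at all."""
    pkt, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def describe(result):
    """Human-readable summary of a query() result."""
    if result is None:
        return "no reply (timeout)"
    rcode, ips = result
    return f"{RCODES.get(rcode, rcode)} {ips}"


def compare(name):
    """Mirror the nslookup test from the thread: local server, then each forwarder."""
    return {srv: query(srv, name) for srv in [LOCAL_DNS] + FORWARDERS}


if __name__ == "__main__":
    for server, result in compare("www.example.com").items():  # assumed test name
        print(f"{server:>14}: {describe(result)}")
```

Run it on the DNS server itself. If the forwarders answer directly but the local server times out, the forwarder list is not the problem; the server's own outbound path on UDP/TCP 53 is, which in this thread turned out to be the Firewall Client intercepting the DNS service's connections.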
 
I really can't follow your configuration, but I know you don't want a server
that has a published service (your DNS server, your web server, your mail
server, etc.) to be a Firewall client. SecureNAT client is what you want.
Disable/Remove the Firewall client from the server. Reboot.

> that it would not be dependent on the ISA server for DNS.

This server is your DNS server, so it has no need to "depend" on someone
else for DNS. Make sure that it is using itself for DNS resolution.
--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
Last night this is basically what I did: I just disabled the firewall client
and then the DNS was working correctly. I guess what I need to do is have a
way that the DNS server can use the ISA server for Windows updates via the
Internet, and at the same time route all DNS requests from the forwarders
directly to the firewall. My goal is that I want my DNS server to be able
to resolve DNS even if the ISA server is down for any reason. You mentioned
SecureNAT client? Is that what I would need to make this work? Or is there
a way to force the ISA Firewall Client to ignore all DNS requests (in other
words, not capture the request and pass it to the ISA server)? It seems like
I need two gateways, one for DNS to go one route and one for Internet
activity. Thanks in advance.

Jeff
 
I don't exactly understand your plans. Let me offer this, though. You can't
have 2 Gateways, so scrap that. IF the ISA server is your only way out to
the Internet, then if it goes down, it does not really matter whom you use
for DNS anyway, does it? SecureNAT is when you just configure a computer's
Default Gateway address to point to the ISA server's IP address. So, you are
routing ALL traffic through the ISA server, and, since you can't have more than
one Default Gateway, you are only relying on the ISA Server. Now, for
redundancy, you could configure 2 or more ISA Servers in an Array and chain
them. So, if one goes down, you are not completely SOL.

HTH

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
There are a few machines that can bypass the ISA server and go directly to
the firewall even for Internet activity. The DNS server is only allowed to
go out for UDP and TCP 53 traffic (DNS) directly to the firewall. The
concept is that, let's say the ISA server craps out... at my workstation, I can
change my gateway to the firewall (which the ISA server also depends on)
and go right on out. Only my workstation is going to look for DNS resolution
from my internal DNS server, which should be able to go directly out and
resolve the name, as it is currently doing... The ISA server depends on the
firewall as its gateway as well. My goal is that with a few software
changes, say at my workstation, (1) disable the ISA Firewall Client, (2) change
the gateway to point to the firewall directly, I can bypass the ISA server
in an emergency and still get DNS resolution from my DNS server. It sounds
to me like there is no way to make both work at the same time, i.e., DNS going to
the default gateway (not the ISA server) when the ISA Firewall Client is
enabled, and all other IP traffic going to the ISA server itself. There
must be a way to make this work... suppose I make use of my router that is
currently bridging the two networks together, the 10.0.0.0 and the 192.168.1.0
networks, as in a static route for specific IP traffic... the problem, as has
always been with the Proxy Client or ISA Firewall Client, is that it thinks it
needs to grab all traffic and pass it to the ISA/PROXY server. This proves
the point that you do not want it to do this all the time. I even tried
adding the DNS server IP addresses to my local address table so that the
traffic was not sent to ISA, but that did not matter.

Jeff
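Jeff's idea of a static route for specific IP traffic is how a single default gateway and a separate path for the forwarders normally coexist at the IP layer: the host keeps one default route (the ISA server) and adds host routes for the two forwarder addresses via the router toward the hardware firewall. The example below is added here and is not from the thread; it models that routing table with Python's `ipaddress` module, applies longest-prefix matching (what a host routing table does once the routes are in), and emits the corresponding Windows `route -p add` commands. The addresses are the ones given in the thread; that the DNS server sits on 192.168.1.0/24 with the ISA server as its default gateway and the router (192.168.1.5) as next hop toward the firewall segment are assumptions. As the thread itself observes, the Firewall Client intercepts at the application layer, so a route only decides the path for traffic the client has not already redirected to ISA.

```python
import ipaddress

# Constructed routing table for the DNS server, built from addresses in the thread.
# Assumed: DNS server on 192.168.1.0/24, default gateway = ISA (192.168.1.15),
# router 192.168.1.5 = next hop toward the 10.0.0.0/24 segment and the firewall.
ROUTES = [
    ("0.0.0.0/0",       "192.168.1.15"),  # default route: everything else via ISA
    ("192.168.1.0/24",  None),            # directly connected, no gateway
    ("10.0.0.0/24",     "192.168.1.5"),   # firewall segment via the router
    ("216.238.0.10/32", "192.168.1.5"),   # host route: ISP forwarder 1 via the router
    ("216.238.0.11/32", "192.168.1.5"),   # host route: ISP forwarder 2 via the router
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match, as a host routing table resolves a destination.
    Returns the gateway address, "direct" for a connected network, or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        return None
    return "direct" if best_gw is None else best_gw


def path_report(destinations, routes=ROUTES):
    """Group destinations by next hop: which traffic bypasses ISA, which depends on it."""
    report = {}
    for dst in destinations:
        report.setdefault(next_hop(dst, routes), []).append(dst)
    return report


def route_add_commands(routes=ROUTES):
    """Persistent Windows route commands for the non-default, non-connected entries.
    The default route and the connected network come from the NIC configuration."""
    cmds = []
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if gw is None or net.prefixlen == 0:
            continue
        cmds.append(f"route -p add {net.network_address} mask {net.netmask} {gw}")
    return cmds


if __name__ == "__main__":
    # 203.0.113.7 is a constructed stand-in for an arbitrary Internet host.
    sample = ["216.238.0.10", "216.238.0.11", "203.0.113.7", "192.168.1.20", "10.0.0.10"]
    for hop, dsts in path_report(sample).items():
        print(f"{hop:>14}: {', '.join(dsts)}")
    print("\n".join(route_add_commands()))
```

The report makes the dependency explicit: only the two forwarder addresses and the firewall segment leave via the router, and everything else still rides the single default route through ISA, which is the "one default gateway" constraint Deji describes without needing a second gateway.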
 
If you are worried about the ISA going down, then just don't make your DNS
server go through it. Just put your server behind the "firewall". I assume
that the "firewall" is a different appliance, correct? Seems like you are
mostly using ISA for caching, no?

If I were doing this, and I'm worried about single point of failure, I'd add
a second ISA server, configure them in an Array, remove my "firewall" and
let ISA do the Firewall/Caching/Publishing/NATting/etc for me.

Sometimes, we really can't eat our cake and have it (at the same time :))

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 
The ISA server (software firewall) sits behind the firewall (hardware). The
DNS server does in fact use the hardware firewall as its means to go and do
DNS updates. The problem is that the DNS server still needs to go through
the ISA server for non-DNS requests, such as the virus updates and Windows
updates. There should be a way to make ISA not capture the DNS packets and
route them to the ISA server, shouldn't there?

As for caching, the ISA server is doing this for the most part; however, I do
use web filter software and rules for different users for destinations,
since I have to have the firewall feature installed to control what groups
and users can use the various ports. As for our hardware firewall, a third
party controls this as well as monitoring. A port is either open or closed
for the ISA server, such as port 80, which means that only the ISA server
can traverse the firewall... which means that my clients on the network must
depend on the ISA server. There is, however, a workstation that uses the ISA
server as its gateway to the Internet, but also has rights in the hardware
firewall to go out directly. A simple change to this workstation's gateway
and disabling the ISA Firewall Client would allow this traffic to go okay.

As for another ISA server in an Array, it just is not worth the 3000 dollars
in software and hardware, when in reality there should be a way to make this
work...even if it is the non-standard way of doing this.

Jeff
 