DNS timeouts?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have ISA 2004 working perfectly except that occasionally the client will
get a message back that the Gateway could not find an authoritative DNS
server for the domain....

The client is querying an internal DNS and then it forwards to the cahcing
server on ISA. everything is local to the client so the speed should be
there....I was thinking of increasing the DNS server forwarder timeout but it
is currently set to 5 seconds which should be enough??

When I dont use ISA, the response is pretty fast so I'm not sure if this is
the right move.

Any ideas?
 
Ted said:
I have ISA 2004 working perfectly except that occasionally the client will
get a message back that the Gateway could not find an authoritative DNS
server for the domain....

The client is querying an internal DNS and then it forwards to the cahcing
server on ISA. everything is local to the client so the speed should be
there....I was thinking of increasing the DNS server forwarder timeout but it
is currently set to 5 seconds which should be enough??
Click to expand...

You can certainly increase the timeout, but eventually the
client (or any querying DNS server) will itself timeout.

Confirm:

Clients point STRICTLY to internal DNS servers ONLY.
Internal DNS servers point to ISA as Forwarder
(Optionally: internal servers choose "Do not use recursion"*)
ISA does it's own physical recursion from the Internet root down
OR it forwards to a (reliable, large) ISP? **

* Although, I cannot precisely explain why "Do not use recursion"
might help, doing the recursion AND forwarding is seldom
helpful itself IF the forwarder is reliable, and may not even be
possible due to firewalls. Disabling the internal server recursion
(ONLY) on the Forwarders tab has been (unconfirmed) reported
to help this specific issue.

If the ISP is large (big caches, near the backbone) and RELIABLE,
then most of the time a second forward from the first forwarder
at the gateway/firewall ISP will actually help.

When I dont use ISA, the response is pretty fast so I'm not sure if this is
the right move.
Click to expand...
 
Hi Ted

I normally just have my internal DNS server forward directly to the ISP. On
the ISA Server, I point the internal NIC to the internal DNS server and
don't bother setting a DNS server on the external NIC. In this way, all
requests go via the internal DNS server and then get forwarded to the ISP
for external resolution.

What was your motivation for caching on the ISA server?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Herb Martin said:
You can certainly increase the timeout, but eventually the
client (or any querying DNS server) will itself timeout.

Confirm:

Clients point STRICTLY to internal DNS servers ONLY.
correct

Internal DNS servers point to ISA as Forwarder
correct

(Optionally: internal servers choose "Do not use recursion"*)
Click to expand...

recursion is disabled for 'this domain'
ISA does it's own physical recursion from the Internet root down
OR it forwards to a (reliable, large) ISP? **
Click to expand...

ISA forwards to the ISP (Bell Canada T1)
* Although, I cannot precisely explain why "Do not use recursion"
might help, doing the recursion AND forwarding is seldom
helpful itself IF the forwarder is reliable, and may not even be
possible due to firewalls. Disabling the internal server recursion
(ONLY) on the Forwarders tab has been (unconfirmed) reported
to help this specific issue.
Click to expand...

Recusrion is disabled here but 'This domain' is only the user and computer
domain. There are multiple DNS suffix's and resources in each domain.
If the ISP is large (big caches, near the backbone) and RELIABLE,
then most of the time a second forward from the first forwarder
at the gateway/firewall ISP will actually help.
Click to expand...

This is exactly what is in place now....
 
Ted said:
recursion is disabled for 'this domain'
Click to expand...

Recursion must NOT be disabled within the Advanced
tab of the Server (there is says "Disable Recursion")
since that disables forwarding also -- it does not sound
like that is your problem but being explicit never hurts.

"Do not use recursion" on the Server Forwarder tab IS
APPROPRIATE in most cases.

Neither is related to any domain or zone but are both
SERVER settings.
ISA forwards to the ISP (Bell Canada T1)


Recusrion is disabled here but 'This domain' is only the user and computer
domain. There are multiple DNS suffix's and resources in each domain.
Click to expand...

Disabling recursion is a SERVER wide setting.
Unrelated to any zone/domain individually.

May we assume you handle those other zones and
domains by holding cross secondaries to them or
at least to there parent?

Client suffixes are not part of the DNS server setup
and are merely multiple choices the client may ATTEMPT
before giving up and saying "host not found".

Such might cause APPLICATION timeouts but will not
affect the timeout of an individual request made explicitly
(e.g., through NSLookup or by using a FQDN -- note, an
FQDN is technically only one that TERMINATES in a DOT.)
This is exactly what is in place now....
Click to expand...

You might try nslookup individually to everyone in the
chain.

See if this also agrees that ISA/DNS is the culprit.

Are you actually running a caching only DNS on the ISA
box or using some setting of ISA (I believe it has one like
the NAT/ICS do.)
 
my understanding was that having a caching only DNS server as the only
internet facing DNS was more secure. There are no zones except stub zones for
the internal DNS, no zone transfers and only one, inherently more secure,
server facing the net.

Mark Renoden said:
Hi Ted

I normally just have my internal DNS server forward directly to the ISP. On
the ISA Server, I point the internal NIC to the internal DNS server and
don't bother setting a DNS server on the external NIC. In this way, all
requests go via the internal DNS server and then get forwarded to the ISP
for external resolution.

What was your motivation for caching on the ISA server?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Ted said:
I have ISA 2004 working perfectly except that occasionally the client will
get a message back that the Gateway could not find an authoritative DNS
server for the domain....

The client is querying an internal DNS and then it forwards to the cahcing
server on ISA. everything is local to the client so the speed should be
there....I was thinking of increasing the DNS server forwarder timeout but
it
is currently set to 5 seconds which should be enough??

When I dont use ISA, the response is pretty fast so I'm not sure if this
is
the right move.

Any ideas?
Click to expand...
Click to expand...
 
Mark Renoden said:
Hi Ted

I normally just have my internal DNS server forward directly to the ISP. On
the ISA Server, I point the internal NIC to the internal DNS server and
don't bother setting a DNS server on the external NIC.
Click to expand...

This is problematic if the ISA machine is a DOMAIN
machine (which is must be for AD integration).

In that case, not only should the internal NIC be set to
use the internal DNS -- it is now an INTERNAL client and
needs this -- but the EXTERNAL NIC must be set that
way also.

Frequently the external NIC is DHCP assigned which complicates
this, but if you type in a DNS Server setting on the ISA CLIENT
NIC it will override the one from the ISP.

Then you place the ISP in the ISA server setting for DNS or
you run a REAL DNS server (caching only, no zones needed)
on that machine.
In this way, all
requests go via the internal DNS server and then get forwarded to the ISP
for external resolution.
Click to expand...

That works (technically) but means that internal DNS servers
which are frequently DCs must pass the firewall which not
only complicates firewall definitions but is a security risk.

Sensitive internal machines should not generally visit the
internet.
What was your motivation for caching on the ISA server?
Click to expand...

Perhaps he read the Microsoft sale literature on the product.
<GRIN>



--
Herb Martin

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Ted said:
I have ISA 2004 working perfectly except that occasionally the client will
get a message back that the Gateway could not find an authoritative DNS
server for the domain....

The client is querying an internal DNS and then it forwards to the cahcing
server on ISA. everything is local to the client so the speed should be
there....I was thinking of increasing the DNS server forwarder timeout but
it
is currently set to 5 seconds which should be enough??

When I dont use ISA, the response is pretty fast so I'm not sure if this
is
the right move.

Any ideas?
Click to expand...
Click to expand...
 
Ted said:
my understanding was that having a caching only DNS server as the only
internet facing DNS was more secure. There are no zones except stub zones for
the internal DNS, no zone transfers and only one, inherently more secure,
server facing the net.
Click to expand...

You are correct. It also keeps DCs/DNS servers
off the Internet and behind the firewall.

--
Herb Martin


Ted said:
my understanding was that having a caching only DNS server as the only
internet facing DNS was more secure. There are no zones except stub zones for
the internal DNS, no zone transfers and only one, inherently more secure,
server facing the net.

Mark Renoden said:
Hi Ted

I normally just have my internal DNS server forward directly to the ISP. On
the ISA Server, I point the internal NIC to the internal DNS server and
don't bother setting a DNS server on the external NIC. In this way, all
requests go via the internal DNS server and then get forwarded to the ISP
for external resolution.

What was your motivation for caching on the ISA server?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

Ted said:
I have ISA 2004 working perfectly except that occasionally the client will
get a message back that the Gateway could not find an authoritative DNS
server for the domain....

The client is querying an internal DNS and then it forwards to the cahcing
server on ISA. everything is local to the client so the speed should be
there....I was thinking of increasing the DNS server forwarder timeout but
it
is currently set to 5 seconds which should be enough??

When I dont use ISA, the response is pretty fast so I'm not sure if this
is
the right move.

Any ideas?
Click to expand...
Click to expand...
Click to expand...
 
Back
Top