I want to publish an internal DNS server to the public. The DNS server is NOT on the ISA server.
I have already done the following setup on ISA:
1. Packet Filters: DNS Lookup (UDP-53) out
2. Protocol Rules: DNS Lookup (UDP-53) out
3. DNS Publishing: DNS server publishing rule using DNS Query to INT DNS
To publish an internal DNS server, you should use server publishing rules, NOT packet filters! Just make sure you use as mapped server protocols DNS Query Server *and* DNS Zone Transfer Server. Also, keep in mind that the internal DNS server should be configured as a SecureNAT client (default gateway should point to the ISA internal interface).
RE: DNS request timed out - 23.Nov.2002 6:43:00 PM
Thanks again for your reply.
Indeed, I have already done the server publishing rules: DNS Query Server and DNS Zone Transfer Server. Also, the default gateway of the DNS server is already pointing to my Firewall Internal interface.
Still, the timeout occurs.
Do you think I need to make some changes on the RedHat DNS server? How?
According to what you said, I do not have to deal with the packet filtering!?
The server publishing rules will take care of the packet filtering. So, delete the custom created packet filters for the DNS.
One way to test your publishing rule is to grab the WinsockTool from http://www.isatools.org/ and test your DNS publishing rules with it. Another way of testing it is using the nslookup command and setting the server to the ISA external IP on which you published the DNS server.
If something isn't working as expected, you should consult the ISA logfiles. They are your primary resource for debugging. To get the most information out of the logfiles, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All. A lot of people seem to have problems with interpreting the logfiles. It isn't that difficult, but you should first understand what is logged. In the ISA helpfile there is a section called Firewall and Web Proxy log fields, a must read. Additional information can be found in the articles http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284818 and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp.
Assuming you have the proper DNS publishing rules in place:
1) Get rid of that ugly custom IP packet filter.
2) Enable ISA to log ALL fields in the IP Packet, Firewall and Web proxy log.
3) Restart the Firewall service or even better reboot the ISA server.
Make a new test and post an excerpt of the Firewall *and* Packet filter log unmodified and within the same time window. Also, are there any error/warning messages in the event log?
RE: DNS request timed out - 17.Dec.2002 10:00:00 AM
I have removed those packet filters already.
In the Application Log, I find an event:
Source: Microsoft Firewall
Type: Warning
Event ID: 14163
Server publishing rule [NS2 DNS Query Server] that maps 192.168.3.7:53 UDP to <External IP>:53 for protocol [DNS Query Server] failed because the port on the external interface is being used by another application. The Firewall service failed to bind socket for the server on the firewall since another process is using the same port. Check for any other process using the same port and terminate if necessary.
Also, in the packet filter log, I still get the following entries:
It is telling you that the DNS publishing rule can't work because the UDP/TCP port 53 is already in use by another program on ISA. So, you should find out which program on ISA is already using the UDP/TCP port 53.
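To find the program already holding port 53 on the ISA server, the usual starting point is the output of `netstat -an` on the ISA machine, looking for local sockets on port 53. The helper below, an added example not taken from the thread, filters that output; SAMPLE_NETSTAT is constructed, 203.0.113.1 is a placeholder for the ISA external IP, and the 0.0.0.0:53 entry illustrates the common case where a service bound to the wildcard address claims port 53 on every interface, including the external one, even though it was only meant to serve the internal side.

```python
import re

# Constructed sample of `netstat -an` output on the ISA server (not from the thread).
# 192.168.3.1 stands for the internal interface, 203.0.113.1 for the external one.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.3.1:8080       0.0.0.0:0              LISTENING
  TCP    203.0.113.1:80         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:53             *:*
  UDP    192.168.3.1:53         *:*
  UDP    203.0.113.1:1745       *:*
"""

# Proto, local ip:port, foreign address, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, state) for every socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, ip, port, _foreign, state = m.groups()
        rows.append((proto, ip, int(port), state or ""))
    return rows

def port_conflicts(text, port, external_ip):
    """Sockets that stop the Firewall service from binding `port` on external_ip.

    A socket bound to 0.0.0.0 covers every interface, so it conflicts with the
    external address just as an explicit bind to external_ip would. Established
    TCP connections are ignored; only listeners matter for the bind.
    """
    conflicts = []
    for proto, ip, lport, state in parse_netstat(text):
        if lport != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        if ip in ("0.0.0.0", external_ip):
            conflicts.append((proto, f"{ip}:{lport}"))
    return conflicts

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, addr in port_conflicts(text, 53, "203.0.113.1"):
        print(f"port 53 already bound: {proto} {addr}")
```

Pipe real output into it with `netstat -an | python find_port53.py` (the script name is an assumption). The output only names the socket, not the process; a wildcard listener on UDP 53 on an ISA box usually means a DNS service or forwarder running on the firewall itself, which must be stopped or re-bound to the internal address before the publishing rule can bind the external interface.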