DNS request timed out

DNS request timed out - 23.Nov.2002 5:48:00 AM   
Guest
Hi,

I want to publish an internal DNS server to the public. The DNS server is NOT on the ISA server.

I have already done the following setup on ISA:
1. Packet Filters: DNS Lookup (UDP-53) out
2. Protocol Rules: DNS Lookup (UDP-53) out
3. DNS Publishing: DNS server publishing rule using DNS Query to INT DNS

However, when I try to "nslookup" from the internet, I encounter the following result:

> www.yahoo.com
Server: [202.130.86.163]
Address: 202.130.86.163

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [202.130.86.163] timed-out

I have checked the open ports using NETSTAT; port 53 is open on both TCP and UDP.

Could you give me some advice on this issue?
Do you think I need to make some modifications to my Linux Redhat DNS server?

Please help. THANK you!
THEO
  Post #: 1
RE: DNS request timed out - 23.Nov.2002 11:27:00 AM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi THEO,

To publish an internal DNS server, you should use server publishing rules, NOT packet filters! Just make sure you use as mapped server protocols DNS Query Server *and* DNS Zone Transfer Server. Also, keep in mind that the internal DNS server should be configured as a SecureNAT client (default gateway should point to the ISA internal interface).

HTH,
Stefaan

(in reply to Guest)
Post #: 2
RE: DNS request timed out - 23.Nov.2002 6:43:00 PM   
Guest
THX Stefaan,

Thanks again for your reply.

Indeed, I have already done this with the server publishing rules: DNS Query Server and DNS Zone Transfer Server. Also, the default gateway of the DNS server is already pointing to my firewall's internal interface.

Still, the timeout occurs.

Do you think I need to make some changes in the RedHat DNS server? How?

According to what you said, I do not have to deal with the packet filtering!?

Looking forward to hearing from you soon.
THEO

(in reply to Guest)
  Post #: 3
RE: DNS request timed out - 24.Nov.2002 12:05:00 AM   
spouseele

 

Hi THEO,

The server publishing rules will take care of the packet filtering. So, delete the custom created packet filters for the DNS.

One way to test your publishing rule is to grab the WinsockTool from http://www.isatools.org/ and test your DNS publishing rules with it. Another way of testing it is to use the nslookup command and set the server to the ISA external IP on which you published the DNS server.

If something isn't working as expected, you should consult the ISA logfiles. They are your primary resource for debugging. To get the most information out of the logfiles, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.
A lot of people seem to have problems with interpreting the logfiles. It isn't that difficult, but you should first understand what is logged. In the ISA helpfile there is a section called Firewall and Web Proxy log fields, a must read. Additional information can be found in the articles http://support.microsoft.com/default.aspx?scid=kb;en-us;Q284818 and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp .

HTH,
Stefaan

(in reply to Guest)
Post #: 4
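
Added example, not part of the original thread: a Python equivalent of the nslookup test suggested above, which separates a silent drop (timeout) from a reply carrying a DNS response code such as REFUSED. The server address is a placeholder and the sample reply is constructed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Minimal DNS query for an A record, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(reply, txid=0x1234):
    """Return (rcode name, answer count); raise ValueError on a bogus reply."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def probe(server, name, timeout=2.0):
    """Send one UDP query to server:53 and classify what came back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        reply, _ = sock.recvfrom(4096)
        return "reached DNS server: %s, %d answer(s)" % parse_header(reply)
    except socket.timeout:
        return "timeout: nothing came back, so the firewall path is the suspect"
    except (OSError, ValueError) as exc:
        return "error: %s" % exc
    finally:
        sock.close()

# Constructed reply header: same ID, QR=1, RCODE=5 (REFUSED), no answers.
SAMPLE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(parse_header(SAMPLE_REPLY))  # offline check of the parser
    # print(probe("<ISA external IP>", "www.yahoo.com"))  # placeholder address
```
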
RE: DNS request timed out - 16.Dec.2002 5:54:00 PM   
Guest
I have investigated the Firewall log, and I find many entries like the one below:

2002-12-16 04:41:03 <Dst IP> <DNS IP> Udp 47709 53 - BLOCKED

Indeed, I have already published this DNS server using the protocols DNS Query Server and DNS Zone Transfer Server. Also, I have allowed ANY protocol in BOTH directions in the packet filtering.

However, "DNS request timed out. timeout was 2 seconds." appears again.

Can you point out anything I have missed in the ISA settings, and also in RedHat Linux or the Network Solutions registration?

This issue is getting close to the deadline and I have to solve it, please help!

THEO

(in reply to Guest)
  Post #: 5
RE: DNS request timed out - 16.Dec.2002 10:26:00 PM   
spouseele

 

Hi THEO,

assuming you have the proper DNS publishing rules in place:
1) get rid of that ugly custom IP packet filter.
2) enable ISA to log ALL fields in the IP Packet, Firewall and Web proxy log.
3) restart the Firewall service or even better reboot the ISA server.

Make a new test and post an excerpt of the Firewall *and* Packet filter log unmodified and within the same time window. Also, are there any error/warning messages in the event log?

HTH,
Stefaan

(in reply to Guest)
Post #: 6
RE: DNS request timed out - 17.Dec.2002 10:00:00 AM   
Guest
Thank you.

I have removed those packet filter already.

In the Application Log, I find an event:
Source: Microsoft Firewall
Type:Warning
Event ID:14163
Server publishing rule [NS2 DNS Query Server] that maps 192.168.3.7:53 UDP to <External IP>:53 for protocol [DNS Query Server] failed because the port on the external interface is being used by another application. The Firewall service failed to bind socket for the server on the firewall since another process is using the same port. Check for any other process using the same port and terminate if necessary.

Also, in the packet filter log, I still have the following log entries:

2002-12-17 08:24:31 <Src IP> <DNS IP> Udp 34745 53

It seems that UDP 53 is blocked already, although I can see the port is open using NETSTAT.

THANK you again

(in reply to Guest)
  Post #: 7
RE: DNS request timed out - 17.Dec.2002 9:57:00 PM   
spouseele

 

Hi THEO,

Aha, your DNS publishing rule isn't working at all. Either you already have a DNS server running on ISA or you have already published another DNS server. So, it's time to clean up your DNS infrastructure! [Razz]

To find some good articles, do a site search on the keyword DNS.

HTH,
Stefaan

(in reply to Guest)
Post #: 8
RE: DNS request timed out - 18.Dec.2002 5:15:00 AM   
Guest
Hi,
Thx for your reply..

But can you point out which part I have wrong?

Is it complicated to publish a DNS server?

The DNS could be accessed internally, and also externally in the past when I was using Checkpoint.

So I don't think it is a DNS server problem.
Thank you.
THEO

(in reply to Guest)
  Post #: 9
RE: DNS request timed out - 18.Dec.2002 10:28:00 PM   
spouseele

 

Hi THEO,

please, read my previous post again! [Razz]

It is telling you that the DNS publishing rule can't work because the UDP/TCP port 53 is already in use by another program on ISA. So, you should find out which program on ISA is already using the UDP/TCP port 53.

HTH,
Stefaan

(in reply to Guest)
Post #: 10
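
Added example, not part of the original thread: one way to find what already holds port 53 on the firewall host, by scanning `netstat -ano` output for sockets bound to the external address or to the wildcard address (a wildcard bind also occupies the external interface). It assumes a Windows version whose netstat supports `-o` (owning PID); the sample output, addresses and PIDs are constructed.

```python
import re

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1184
  TCP    192.168.3.1:139        0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:80        0.0.0.0:0              LISTENING       1500
  UDP    0.0.0.0:53             *:*                                    1184
  UDP    192.168.3.1:53         *:*                                    2040
  UDP    203.0.113.10:5353      *:*                                    900
"""

# Proto, local addr:port, foreign addr, optional state (TCP only), PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")

def conflicts(netstat_text, external_ip, port=53):
    """Return (proto, local address, pid) for every socket that would stop
    a publishing rule from binding external_ip:port."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, lport, state, pid = m.groups()
        if int(lport) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # established connections do not block a new bind here
        # A bind on the internal address only (192.168.3.1) is not a conflict.
        if addr in ("0.0.0.0", external_ip):
            hits.append((proto, addr, int(pid)))
    return hits

if __name__ == "__main__":
    for proto, addr, pid in conflicts(SAMPLE, "203.0.113.10"):
        print("%s %s:53 is held by PID %d" % (proto, addr, pid))
```

The PIDs returned can then be matched to a process name in Task Manager, which identifies the program to stop or reconfigure before the publishing rule can bind.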
