Welcome to ISAserver.org

Discussion about Definitive Guide on Outbound DNS

All Forums >> [ISA 2006 Firewall] >> Network Infrastructure >> Discussion about Definitive Guide on Outbound DNS Page: [1]
Discussion about Definitive Guide on Outbound DNS - 18.Jun.2007 8:49:51 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the Definitive Guide on outbound DNS through the ISA Firewall at http://isaserver.org/tutorials/Definitive-Guide-ISA-Firewall-Outbound-DNS-Scenarios-Part1.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about Definitive Guide on Outbound DNS - 19.Jun.2007 12:28:01 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi Tom,

Another great article.

But I have one query about Direct Access. With ISA 2004 SP2 and later, shouldn't Direct Access be configured in this syntax: *.domain.com/* ?

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to tshinder)
Post #: 2
RE: Discussion about Definitive Guide on Outbound DNS - 20.Jun.2007 9:21:17 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tarek,

I don't think the /* is required, as long as you have the domain name.

Do you have a reference that made you think that the /* would be required?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 3
RE: Discussion about Definitive Guide on Outbound DNS - 20.Jun.2007 9:40:17 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
Hi Tom,


From Stefaan's blog:

quote:

  Now with the KB920716 hotfix, there is a clever way to regain the pre-SP2 behavior without losing the new branch office features introduced by ISA 2004 SP2, although you should specify the destinations as a URL instead of as an FQDN (e.g. *.hotmail.com/* instead of *.hotmail.com). In my opinion, that's a small price to pay. Here is a code snippet of the function FindProxyForURL(url, host) obtained with SP2 + KB920716:


Source: http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-these-servers-or-domains-issue-in-isa-server-2004-sp2/


Also, from MS:

quote:

  Important: You must specify the directly-accessed domain by using a specific syntax. When you add a URL to the Directly access these servers or domains list, you must append a forward slash character together with an asterisk (/*) to the URL. For example, to enable Web Proxy clients to directly access www.example.com, add the following URL to the Directly access these servers or domains list:
  *.example.com/*


Source: http://support.microsoft.com/kb/920715/


Tarek

< Message edited by elmajdal -- 20.Jun.2007 9:44:38 AM >


_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to tshinder)
Post #: 4
RE: Discussion about Definitive Guide on Outbound DNS - 21.Jun.2007 6:22:05 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tarek,

I'm making the assumption that only FQDNs are being used in the Direct Access list. The KB says:

  • If the domain name is specified and if the list does not contain any IP address range, Web Proxy clients directly access the destination Web site.
  • If the domain name is specified and if the list contains an IP address range that does not include the IP address of the specified domain, Web Proxy client requests are proxied to the destination Web site.

So, if you use only FQDNs, you don't run into that problem and you don't need to use the workaround.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 5
RE: Discussion about Definitive Guide on Outbound DNS - 22.Jun.2007 5:15:36 AM   
ITEngineer

 

Posts: 270
Joined: 3.Feb.2006
Status: offline
Hi tshin, so the settings for ISA 2004 before SP2 can be left as is without the need to change anything, under one condition as you said, if I'm using only FQDNs?

(in reply to tshinder)
Post #: 6
RE: Discussion about Definitive Guide on Outbound DNS - 24.Jun.2007 1:32:30 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ITE,

That's correct.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ITEngineer)
Post #: 7
RE: Discussion about Definitive Guide on Outbound DNS - 5.Jul.2007 1:37:09 PM   
pd48

 

Posts: 10
Joined: 23.Jan.2004
Status: offline
Tom,
When I initially set up my network, I had followed a very old DNS guide of yours and set up my internal caching DNS server as a stub zone for my internal domain.
Is there any real difference between using a stub zone and using a forwarder back to my internal DNS servers for my internal domain lookups?
Thanks.

Peter

(in reply to tshinder)
Post #: 8
RE: Discussion about Definitive Guide on Outbound DNS - 6.Jul.2007 2:54:15 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Peter,

No real difference -- you have to use a stub zone for pre-Windows 2003 DNS servers. In Win2003, you can use the conditional forwarding.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to pd48)
Post #: 9
RE: Discussion about Definitive Guide on Outbound DNS - 12.Jul.2007 2:53:41 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

  ORIGINAL: tshinder

  Hi Tarek,

  I'm making the assumption that only FQDNs are being used in the Direct Access list. The KB says:
    • If the domain name is specified and if the list does not contain any IP address range, Web Proxy clients directly access the destination Web site.
    • If the domain name is specified and if the list contains an IP address range that does not include the IP address of the specified domain, Web Proxy client requests are proxied to the destination Web site.

  So, if you use only FQDNs, you don't run into that problem and you don't need to use the workaround.

  Tom

Interesting, Thanks Tom.

Tarek.

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to tshinder)
Post #: 10
RE: Discussion about Definitive Guide on Outbound DNS - 18.Jul.2007 9:30:14 PM   
alex3299

 

Posts: 44
Joined: 19.Mar.2003
From: Portugal
Status: offline
Hello,

Why do you use rule number 12, in part 3 of the article, figure 6? In fact I don't see a reason to create deny rules, except for limiting the access of the users to allowed rules, like denying some HTTP traffic to certain sites, some signature programs, similar rules.

Now, that rule number 12 Protocol Block is a joke, and the only reason that I see for it is logging to catch some infected user, or to configure an alert; you can see it either way by looking at the logs, or your alerts page in case of abnormal traffic from your users.

ISA is a good guard; he only allows what you tell him to allow.

Please explain to me the reason for rule number 12 Protocol Block, so that I can understand it.

Thanks,

Alex

(in reply to elmajdal)
Post #: 11
RE: Discussion about Definitive Guide on Outbound DNS - 20.Jul.2007 10:16:20 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alex,

That was a test machine with a lot of experimental rules on it. You can ignore it as it doesn't apply to the DNS article series.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to alex3299)
Post #: 12
RE: Discussion about Definitive Guide on Outbound DNS - 13.Aug.2007 9:50:32 AM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
Hi Tom

I've finished implementing a solution that very closely mirrors your series of articles, specifically article 4 with 1 internal caching only server conditionally forwarding to our AD server for internal traffic, and forwarding all other traffic to our DMZ caching only server which in turn forwards to the ISP.

I'm very happy with it. However, on our internal caching-only server (which is our ISA proxy-only server) we are getting a 'port exhaustion' problem, which is logged with Microsoft. I've installed Wireshark to see if I can see better what is going on, and I see that a lot of reverse lookups for internal clients are hitting the server and being redirected to our DMZ. This is BAD because reverse lookups don't get redirected to the internal server.

I can't find much in the way of resources to tell me how to fix this, do I need to load a reverse lookup zone on the caching only server?

The config is working great apart from these 2 issues, I'm wondering if the port exhaustion is being caused by the reverse lookups (at least in part).

Would love to hear how you configure the reverse lookup stuff in this scenario.

Cheers

(in reply to tshinder)
Post #: 13
RE: Discussion about Definitive Guide on Outbound DNS - 13.Aug.2007 11:55:08 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Catfish,

Are the reverse lookups for internal or external host names?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to catfish)
Post #: 14
RE: Discussion about Definitive Guide on Outbound DNS - 13.Aug.2007 3:38:32 PM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
Hi Tom,

They are internal reverse lookups. So to clarify, it appears as if my internal traffic is routing correctly for forward lookups, but my DMZ caching-only server is attempting to answer reverse lookups for my internal IP addresses that are sent to it from my internal caching-only server. These aren't reverse lookups I'm actually performing either; I just noticed them while looking at network traffic.

Now that I'm writing this, I'm thinking that my internal forwarding might have a fault, I'm not sure I configured internal forwarding to have recursion disabled for both internal and external traffic. Could that be the cause? If I had recursion enabled from my internal domain, but disabled for my external forwarder, would it reverse lookup ip addresses to my DMZ server?

I'm going to test that in the office tomorrow but I think I'm missing something somewhere.

(in reply to tshinder)
Post #: 15
RE: Discussion about Definitive Guide on Outbound DNS - 14.Aug.2007 4:50:21 AM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
OK, I have just had a chance to test this. The situation is as follows:

I perform an internal lookup of Server1.mycompany.int. In Wireshark:
  • I see the query come from me to the ISA/DNS server.
  • I see the query from my DNS server to my AD DNS server.
  • *so far so good*
  • I see the IP address for server1.mycompany.int returned as 192.168.0.128.
--------------------------------------------------------------------
I perform nslookup on 192.168.0.128. In Wireshark:
  • I see the query come from me to the ISA/DNS server.
  • I see the query from my DNS server to my DMZ caching-only server.
  • I see the correct response of 'Standard query response, no such name'.

So from that I can tell that my configuration is sound in the sense that my DMZ cache server doesn't know about my internal network, but I'm not sure why the reverse lookups are being sent external.

How can you direct reverse traffic to the correct server without specifying a reverse lookup zone?

I've turned recursion off and on for internal traffic with the same result, so it isn't that.

(in reply to catfish)
Post #: 16
RE: Discussion about Definitive Guide on Outbound DNS - 14.Aug.2007 10:25:10 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Cat,

I've never noticed that much reverse lookup traffic on my configs -- but then I only put the caching only DNS server on the ISA Firewall for very small networks, like 25 hosts or less.

What you might try is to setup a secondary DNS zone on the ISA Firewall for the Internal reverse lookup zone.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to catfish)
Post #: 17
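The forwarding behaviour catfish observed, as an added illustration that is not code from the article or from anyone in this thread: a caching-only DNS server picks the most specific conditional forwarder for the query name, and a reverse lookup is a query for a name under in-addr.arpa, so a forwarder for mycompany.int never covers it and the PTR query falls through to the default (DMZ) forwarder. The script models that selection and the fix of also forwarding the internal reverse zone to the AD DNS server (the conditional-forwarding route Tom mentions for Windows 2003; the secondary-zone route he suggests above gives the same effect). All addresses and zone names are constructed.

```python
"""Model of forwarder selection on a caching-only DNS server.

Constructed example: one conditional forwarder for the internal AD
domain plus a default forwarder to the DMZ caching-only server, as in
the configuration described in the thread. A conditional forwarder
applies to its zone name and everything below it, so the server picks
the longest matching suffix of the query name.
"""
import ipaddress

# Constructed addresses: internal AD DNS server and DMZ caching-only server.
AD_DNS = "192.168.0.10"
DMZ_DNS = "10.0.0.53"


def ptr_name(ip: str) -> str:
    """Query name a resolver sends for a reverse lookup of an IPv4 address,
    e.g. 192.168.0.128 -> 128.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def choose_forwarder(qname: str, conditional: dict, default: str) -> tuple:
    """Return (zone, forwarder) used for qname.

    The most specific conditional zone wins; if no zone is a suffix of
    the query name, the default forwarder (the DMZ server) is used."""
    labels = qname.lower().rstrip(".").split(".")
    # Walk from the full name up towards the TLD; the first hit is the
    # longest matching suffix, i.e. the most specific zone.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in conditional:
            return candidate, conditional[candidate]
    return "(default)", default


# As described in the thread: only the forward domain is forwarded internally.
before = {"mycompany.int": AD_DNS}
# Fix: also forward the internal reverse zone to the AD DNS server.
after = {"mycompany.int": AD_DNS, "0.168.192.in-addr.arpa": AD_DNS}

if __name__ == "__main__":
    for cfg_name, cfg in (("before", before), ("after", after)):
        for q in ("server1.mycompany.int", ptr_name("192.168.0.128")):
            zone, fwd = choose_forwarder(q, cfg, DMZ_DNS)
            print(f"{cfg_name:6} {q:30} -> {fwd} via {zone}")
```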
RE: Discussion about Definitive Guide on Outbound DNS - 14.Aug.2007 10:43:53 AM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
I'm beginning to suspect that the ISA server is a bad location for a caching server due to the amount of traffic that already hits it for our network.

We are slightly less than 300 machines and around 40 servers with everything using the ISA server as proxy, which I think is probably causing the port exhaustion.

I'm not noticing a huge amount of lookups; I just noticed 1 or 2 and then started testing, which made me think that the config had an error, which it appears to. I'm going to have a go at the reverse zone.

Could you explain your reasoning behind putting the caching only on ISA for small networks? Is it solely due to amount of traffic generated?


(in reply to tshinder)
Post #: 18
RE: Discussion about Definitive Guide on Outbound DNS - 15.Aug.2007 11:24:14 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Cat,

Sure. The only reason to put the caching only DNS server on the ISA Firewall for small networks is resource limitation, as I mentioned in the article. These small networks don't have/won't spend for a server that's dedicated to caching only DNS server duties.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to catfish)
Post #: 19