Discussion about Definitive Guide on Outbound DNS

Discussion about Definitive Guide on Outbound DNS (Full Version)

All Forums >> [ISA 2006 Firewall] >> Network Infrastructure

Message

tshinder -> Discussion about Definitive Guide on Outbound DNS (18.Jun.2007 8:49:51 AM)
This thead is for discussing the Definitive Guide on outbound DNS through the ISA Firewall at http://isaserver.org/tutorials/Definitive-Guide-ISA-Firewall-Outbound-DNS-Scenarios-Part1.html HTH, Tom

elmajdal -> RE: Discussion about Definitive Guide on Outbound DNS (19.Jun.2007 12:28:01 PM)
Hi Tom, Another greate Article. but i have one query about Direct Access, With ISA 2004 SP2 and later, shouldnt Direct Access be configured in this syntax : .domain.com/ ?

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (20.Jun.2007 9:21:17 AM)
Hi Tarek, I don't think the /* is required, as long as you have the domain name. Do you have a reference that made you think that the /* would be required? Tom

elmajdal -> RE: Discussion about Definitive Guide on Outbound DNS (20.Jun.2007 9:40:17 AM)
Hi Tom, From Stefaan blog : quote: Now with the KB920716 hotfix, there is a clever way to regain the pre-SP2 behavior without losing the new branch office features introduced by ISA 2004 SP2, although you should specify the destinations as a URL instead of as an FQDN (e.g. .hotmail.com/ instead of .hotmail.com). In my opinion, that's a small price to pay. Here is a code snippet of the function FindProxyForURL(url, host)* obtained with SP2 + KB920716: source : http://blogs.isaserver.org/pouseele/2006/07/21/solving-the-directly-access-these-servers-or-domains-issue-in-isa-server-2004-sp2/ also, from MS : quote: Important : You must specify the directly-accessed domain by using a specific syntax. When you add a URL to the Directly access these servers or domains list, you must append a forward slash character together with an asterisk (/) to the URL. For example, to enable Web Proxy clients to directly access www.example.com, add the following URL to the Directly access these servers or domains list: .example.com/* Source :http://support.microsoft.com/kb/920715/ Tarek

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (21.Jun.2007 6:22:05 PM)
Hi Tarek, I'm making the assumption that only FQDNs are being used in the Direct Access list. The KB says: If the domain name is specified and if the list does not contain any IP address range, Web Proxy clients directly access the destination Web site. If the domain name is specified and if the list contains an IP address range that does not include the IP address of the specified domain, Web Proxy client requests are proxied to the destination Web site. So, if you use only FQDNs, you don't run into that problem and you don't need to use the workaround. Tom

ITEngineer -> RE: Discussion about Definitive Guide on Outbound DNS (22.Jun.2007 5:15:36 AM)
Hi tshin, so the settings for ISA 2004 before SP2 can be left as it without the need to change anything, under one condition as you said, if i'm using only FQDN ?

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (24.Jun.2007 1:32:30 PM)
Hi ITE, That's correct. Tom

pd48 -> RE: Discussion about Definitive Guide on Outbound DNS (5.Jul.2007 1:37:09 PM)
Tom, When I initially set up my network, I had followed a very old DNS guide of yours and set up my internal caching DNS server as a stub zone for my internal domain. Is there any real difference between using a stub zone and using a forwarder back to my internal DNS servers for my internal domain lookups? Thanks. Peter

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (6.Jul.2007 2:54:15 PM)
Hi Peter, No real difference -- you have to use a stub zone for pre-Windows 2003 DNS servers. In Win2003, you can use the conditional forwarding. Tom

elmajdal -> RE: Discussion about Definitive Guide on Outbound DNS (12.Jul.2007 2:53:41 PM)
quote: ORIGINAL: tshinder Hi Tarek, I'm making the assumption that only FQDNs are being used in the Direct Access list. The KB says: If the domain name is specified and if the list does not contain any IP address range, Web Proxy clients directly access the destination Web site. If the domain name is specified and if the list contains an IP address range that does not include the IP address of the specified domain, Web Proxy client requests are proxied to the destination Web site. So, if you use only FQDNs, you don't run into that problem and you don't need to use the workaround. Tom Interesting, Thanks Tom. Tarek.

alex3299 -> RE: Discussion about Definitive Guide on Outbound DNS (18.Jul.2007 9:30:14 PM)
Hello., Why do you use the rule number 12, on the part 3 of the article, figure 6, in fact i don't see a reason to create deny rules, except for limiting the access of the users to allowed rules, like deny some HTTP traffic to certain sites, somes signatures programs, similar rules. Now that rule number 12 Protocol Block it's a Joke, and the only reason that i see for it is logging to catch some infected user, or for configure an alert, you can see it either way by looking at the logs, or your alerts page in case of abnormal traffic of your users. ISA is a good guard he only allow, what you tell him to allow. Please explain to me what is the reason of the rule number 12 Protocol Block, so that i can understand it. Thanks., Alex

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (20.Jul.2007 10:16:20 AM)
Hi Alex, That was a test machine with a lot of experimental rules on it. You can ignore it as it doesn't apply to the DNS article series. HTH, Tom

catfish -> RE: Discussion about Definitive Guide on Outbound DNS (13.Aug.2007 9:50:32 AM)
Hi Tom I've finished implementing a solution that very closely mirrors your series of articles, specifically article 4 with 1 internal caching only server conditionally forwarding to our AD server for internal traffic, and forwarding all other traffic to our DMZ caching only server which in turn forwards to the ISP. I'm very happy with it, however on our internal caching only server (which is our ISA proxy only server) we are getting a 'port exhaustion' problem, which is logged with microsoft, however i've installed wireshark to see if I can see better what is going on and I see that ALOT of reverse lookups for internal clients are hitting the server and being redirected to our DMZ. This is BAD because reverse lookups don't get redirected to the internal server. I can't find much in the way of resources to tell me how to fix this, do I need to load a reverse lookup zone on the caching only server? The config is working great apart from these 2 issues, I'm wondering if the port exhaustion is being caused by the reverse lookups (at least in part). Would love to hear how you configure the reverse lookup stuff in this scenario. Cheers

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (13.Aug.2007 11:55:08 AM)
Hi Catfish, Are the reverse lookups for internal or external host names? Thanks! Tom

catfish -> RE: Discussion about Definitive Guide on Outbound DNS (13.Aug.2007 3:38:32 PM)
Hi Tom, they are internal reverse lookups. So to clarify it appears as if my internal traffic is routing correctly for forward lookups, but my DMZ caching only server is attempting to answer reverse lookups for my internal IP addresses that are sent to it from my internal caching only server, these aren't reverse lookups I'm actually performing either, I just noticed them while looking at network traffic. Now that I'm writing this, I'm thinking that my internal forwarding might have a fault, I'm not sure I configured internal forwarding to have recursion disabled for both internal and external traffic. Could that be the cause? If I had recursion enabled from my internal domain, but disabled for my external forwarder, would it reverse lookup ip addresses to my DMZ server? I'm going to test that in the office tomorrow but I think I'm missing something somewhere.

catfish -> RE: Discussion about Definitive Guide on Outbound DNS (14.Aug.2007 4:50:21 AM)
Ok, have just had a chance to test this. Situation is as follows I perform an internal lookup to Server1.mycompany.int on wireshark I see the query come from me to the ISA/DNS server. I see the query from my DNS server to my AD DNS server. so far so good I see the ip address returned for server1.mycompany.int returned as 192.168.0.128 -------------------------------------------------------------------- I perform nslookup on 192.168.0.128 on wireshark I see the query come from me to the ISA/DNS server I see the query from my DNS server to my DMZ caching only server. I see the correct response of 'Standard query response, no such name' So from that I can tell that my configuration is sound in the sense that my cache DMZ server doesn't know about my internal network, but I'm not sure why the reverse lookups are being sent external. How can you direct reverse traffic to the correct server without specifying a reverse lookup zone? I've turned recursion off and on for internal traffic and same result so it isn't that.

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (14.Aug.2007 10:25:10 AM)
Hi Cat, I've never noticed that much reverse lookup traffic on my configs -- but then I only put the caching only DNS server on the ISA Firewall for very small networks, like 25 hosts or less. What you might try is to setup a secondary DNS zone on the ISA Firewall for the Internal reverse lookup zone. HTH, Tom

catfish -> RE: Discussion about Definitive Guide on Outbound DNS (14.Aug.2007 10:43:53 AM)
I'm beginning to suspect that the ISA server is a bad location for a caching server due to the amount of traffic that already hits it for our network. we are slightly less than 300 machines and around 40 servers with everything using the ISA server as proxy, which I think is probably causing the port exhaustion. I'm not noticing a huge amound of lookups, I just noticed 1 or 2 and then started testing which made me think that the config had an error, which it appears to. I'm going to have a go at the reverse zone. Could you explain your reasoning behind putting the caching only on ISA for small networks? Is it solely due to amount of traffic generated?

tshinder -> RE: Discussion about Definitive Guide on Outbound DNS (15.Aug.2007 11:24:14 AM)
Hi Cat, Sure. The only reason to put the caching only DNS server on the ISA Firewall for small networks is resource limitation, as I mentioned in the article. These small networks don't have/won't spend for a server that's dedicated to caching only DNS server duties. HTH, Tom

Page: [1]