External DNS on TMG (Full Version)



rkgraves -> External DNS on TMG (15.Jul.2010 10:11:29 PM)

Thank you for your help!

On ISA 2006 we hosted our external DNS on the ISA server. I followed the recommendations from Dr. Schinder's article. That is to publish the DNS server to listen on the external interface but answer on the internal interface (hope this makes sense).

My question is: we are replacing our two ISA 2006 servers with two virtual TMG servers, and I want to again install our external DNS on the TMG servers and publish it using the same technique used with ISA 2006.

Before doing this I wanted to check and see if this is still an acceptable practice?

Thank you for your help and input!

Best Regards,
Randy Graves




impire -> RE: External DNS on TMG (16.Jul.2010 12:33:42 PM)

I would like to add another question to this post.

What type of protection does TMG provide for the DNS servers? I always want our DNS servers to be performing at their best speed. By having them behind a firewall, it may slow down the DNS queries?





robpomeroy -> RE: External DNS on TMG (28.Jul.2010 10:08:33 AM)

Not that this will help, but I quickly gave up attempting to install DNS on my new TMG server.  Since TMG is not (supposed to be) a domain controller, in order to get DNS to talk to Active Directory, you have to comprehend ADAM.  I'm afraid I gave up and set up DNS forwarders on my two domain controllers instead.

@impire: Actually this seems to be working better (more quickly) than my previous setup where ISA 2004 was both firewall and DNS server.  I have my outgoing DNS access rule high in the policy list (#2) which I suspect ensures reasonably rapid evaluation.  I've not timed it, but DNS queries appear to be much more responsive than they were under ISA 2004.




impire -> RE: External DNS on TMG (28.Jul.2010 2:44:40 PM)

Thank you, robpomeroy. Some DNS server software has built-in security (TinyDNS, NSD, etc.). I was asking whether or not these really need to be behind the TMG or ISA. Since the DNS servers already have protection within themselves, what other protection/benefit can TMG or ISA provide?

In theory, the DNS responses behind a firewall may not be faster than the ones in front of it. The bottom line is if it doesn't make that much difference in speed, then perhaps having the DNS servers behind the firewall is best practice?





Jason Jones -> RE: External DNS on TMG (28.Jul.2010 3:50:52 PM)

TMG (like ISA before it) has an in-built DNS filter. This is employed when you use server publishing rules with the DNS Server protocol, as it provides specific protocol-related protection...

http://www.isaserver.org/tutorials/Configure-ISA-Enable-DNS-ID-filter.html

Cheers

JJ



