External DNS on TMG

External DNS on TMG - 15.Jul.2010 10:11:29 PM   
rkgraves

 

Posts: 1
Joined: 15.Jul.2010
Status: offline
Thank you for your help!

On ISA 2006 we hosted our external DNS on the ISA server. I followed the recommendations from Dr. Schinder's article. That is to publish the DNS server to listen on the external interface but answer on the internal interface (hope this makes sense).

My question is: we are replacing our two ISA 2006 servers with two virtual TMG servers and I want to again install our external DNS on the TMG servers and publish it using the same technique used with ISA 2006.

Before doing this I wanted to check and see if this is still an acceptable practice.

Thank you for your help and input!

Best Regards,
Randy Graves
Post #: 1
RE: External DNS on TMG - 16.Jul.2010 12:33:42 PM   
impire

 

Posts: 9
Joined: 12.Jul.2010
Status: offline
I would like to add another question to this post.

What type of protection does TMG provide for the DNS servers? I always want our DNS servers to be performing at their best speed. By having them behind a firewall, it may slow down the DNS queries?

(in reply to rkgraves)
Post #: 2
RE: External DNS on TMG - 28.Jul.2010 10:08:33 AM   
robpomeroy

 

Posts: 34
Joined: 19.Mar.2010
Status: offline
Not that this will help, but I quickly gave up attempting to install DNS on my new TMG server.  Since TMG is not (supposed to be) a domain controller, in order to get DNS to talk to Active Directory, you have to comprehend ADAM.  I'm afraid I gave up and set up DNS forwarders on my two domain controllers instead.

@impire: Actually this seems to be working better (more quickly) than my previous setup where ISA 2004 was both firewall and DNS server.  I have my outgoing DNS access rule high in the policy list (#2) which I suspect ensures reasonably rapid evaluation.  I've not timed it, but DNS queries appear to be much more responsive than they were under ISA 2004.

(in reply to rkgraves)
Post #: 3
RE: External DNS on TMG - 28.Jul.2010 2:44:40 PM   
impire

 

Posts: 9
Joined: 12.Jul.2010
Status: offline
Thank you, robpomeroy. Some DNS server software has built-in security (TinyDNS, NSD, etc.). I was asking whether or not these really need to be behind the TMG or ISA. Since the DNS servers already have protection within themselves, what other protection/benefit can TMG or ISA provide?

In theory, the DNS responses behind a firewall may not be faster than the one in front of it. The bottom line is if it doesn't make that much difference in speed, then perhaps having the DNS servers behind the firewall is best practice?

(in reply to robpomeroy)
Post #: 4
RE: External DNS on TMG - 28.Jul.2010 3:50:52 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
TMG (like ISA before it) has an in-built DNS filter. This is employed when you use server publishing rules with the DNS Server protocol, as it provides specific protocol-related protection...

http://www.isaserver.org/tutorials/Configure-ISA-Enable-DNS-ID-filter.html

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to impire)
Post #: 5
