- 3 NICs (Internal, External, DMZ) with network binding order of: 1. First = Internal, 2. External, 3. DMZ, 4. Last = (Remote Access Connections)
- a number of PPTP site-to-site VPNs
- the DNS service running with:
  - stub zones to my internal Active Directory DNS domains
  - forwarders set up to my ISP's DNS servers
  - internal NIC had DNS server set as itself and all other NICs have blank DNS entries
DHCP is configured so clients set their DNS server to the TMG Server
I am seeing some odd DNS behaviour, in particular DNS requests that come from firewall clients and need to be forwarded are first sent down the various site-to-site VPNs to the DNS servers that those connections have configured, rather than to my ISP, which means DNS queries take quite a long time.
There is a similar post here, although it talks about Web Proxy settings.
I've tried going into RRAS and changing the DNS settings for the VPNs to be blank, but they get overwritten by TMG and I can't see how to change them in TMG.
Firewall clients are resolving through TMG (I think!)
If I run a network trace on the TMG Server and filter based on `(tcp.port == 53 or udp.Port == 53) and (ipv4.address == 10.x.x.x <client IP> or ipv4.Address == <TMG External NIC Address>)`, then when I, for example, ping zzzzz.com from the client I observe:

- no DNS requests coming from the client, from which I conclude that DNS requests are coming down the client control channel
- DNS requests for zzzzz.com going out to all the various site-to-site VPN DNS servers and then eventually to the external ISP DNS server
- after about 12s, a DNS request from the client directly to TMG with an immediate response

If I do an nslookup from the client then within < 1 second I see:

- a DNS request from the client
- a DNS request and response to the external ISP DNS server
- a DNS response to the client

Which is exactly what I want and would expect!!
Interestingly, I tried to modify the system rule "[System] Allow DNS from Forefront TMG to selected servers".
On the list of destinations, I removed the "All Networks" and added the two specific IP addresses we use for our ISP DNS Servers.
When I look at the properties of the rule the "To" tab only has the specific servers. However, if I go to Edit System Rules and look, it has the entry for the ISP DNS Servers IN ADDITION TO "All Networks"
And indeed, it is still allowing DNS traffic to the VPN networks.
So I added some exceptions to explicitly add the VPN DNS Servers and the rule now blocks the traffic but it is still being sent on the external network
Interestingly, if I disable the firewall client or use nslookup on the client machine then it all works like a dream.
If I enable the firewall client or do an nslookup from the TMG server itself then it doesn't, which is consistent with the conclusion that the TMG Server network stack is the thing that is at fault.
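To make the trace observations above easier to check, here is an added Python example (not part of the original post, not TMG or Wireshark code) that audits a DNS capture taken on the forwarding host for the two symptoms described: upstream queries going to resolvers other than the approved ISP servers, and the resulting delay before the first usable answer. The trace is a constructed sample in the shape of tab-separated `tshark -T fields` output; the addresses (client `10.1.1.50`, TMG internal `10.1.1.1`, external `203.0.113.10`, PPTP interface `10.8.0.1`, VPN-side resolvers `10.20.0.5`/`10.30.0.5`, ISP resolver `198.51.100.53`) are assumed placeholders, not values from the post.

```python
"""Audit a DNS trace from a forwarding host for queries sent to non-approved
resolvers and for slow resolution caused by trying those resolvers first."""
from collections import defaultdict

# Constructed sample in the shape of tab-separated tshark field output:
#   frame.time_relative  ip.src  ip.dst  dns.flags.response  dns.id  dns.qry.name
# Addresses are documentation/RFC 1918 placeholders, not a real capture.
SAMPLE_TRACE = """\
0.000\t10.1.1.50\t10.1.1.1\t0\t0x0101\tzzzzz.com
0.001\t10.8.0.1\t10.20.0.5\t0\t0x3a11\tzzzzz.com
4.002\t10.8.0.1\t10.30.0.5\t0\t0x3a12\tzzzzz.com
8.004\t203.0.113.10\t198.51.100.53\t0\t0x3a13\tzzzzz.com
8.030\t198.51.100.53\t203.0.113.10\t1\t0x3a13\tzzzzz.com
8.031\t10.1.1.1\t10.1.1.50\t1\t0x0101\tzzzzz.com
12.500\t10.1.1.50\t10.1.1.1\t0\t0x0202\texample.net
12.501\t203.0.113.10\t198.51.100.53\t0\t0x3a14\texample.net
12.520\t198.51.100.53\t203.0.113.10\t1\t0x3a14\texample.net
12.521\t10.1.1.1\t10.1.1.50\t1\t0x0202\texample.net
"""

# Assumed addresses of the forwarding host's own interfaces (internal, external, PPTP).
TMG_ADDRESSES = {"10.1.1.1", "203.0.113.10", "10.8.0.1"}
# Assumed ISP resolver: the only upstream destination that should see queries.
ALLOWED_RESOLVERS = {"198.51.100.53"}


def parse_trace(text):
    """Turn tab-separated field lines into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, is_resp, txid, qname = line.split("\t")
        records.append({
            "time": float(t),
            "src": src,
            "dst": dst,
            "response": is_resp == "1",
            "txid": txid,
            "qname": qname.rstrip("."),
        })
    return records


def upstream_queries(records, forwarder_addrs):
    """Queries the forwarder itself sent out (sourced from one of its own addresses)."""
    return [r for r in records if not r["response"] and r["src"] in forwarder_addrs]


def unexpected_resolvers(records, forwarder_addrs, allowed):
    """(destination, name) pairs for upstream queries sent anywhere but the allowed resolvers."""
    return [(r["dst"], r["qname"]) for r in upstream_queries(records, forwarder_addrs)
            if r["dst"] not in allowed]


def upstream_attempts(records, forwarder_addrs):
    """How many upstream queries the forwarder sent per name."""
    counts = defaultdict(int)
    for r in upstream_queries(records, forwarder_addrs):
        counts[r["qname"]] += 1
    return dict(counts)


def resolution_latency(records, forwarder_addrs):
    """Seconds from the forwarder's first upstream query for a name to the first
    upstream answer it receives for that name; unanswered attempts add to the delay."""
    first_query, first_answer = {}, {}
    for r in records:
        name = r["qname"]
        if not r["response"] and r["src"] in forwarder_addrs:
            first_query.setdefault(name, r["time"])
        elif r["response"] and r["dst"] in forwarder_addrs and r["src"] not in forwarder_addrs:
            first_answer.setdefault(name, r["time"])
    return {n: round(first_answer[n] - first_query[n], 3)
            for n in first_query if n in first_answer}


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for dst, name in unexpected_resolvers(recs, TMG_ADDRESSES, ALLOWED_RESOLVERS):
        print(f"query for {name} sent to non-approved resolver {dst}")
    attempts = upstream_attempts(recs, TMG_ADDRESSES)
    for name, secs in resolution_latency(recs, TMG_ADDRESSES).items():
        print(f"{name}: {attempts[name]} upstream attempt(s), {secs:.3f}s to first answer")
```

On the constructed trace, `zzzzz.com` shows two queries to VPN-side resolvers before the ISP answers roughly eight seconds later, while `example.net` (the nslookup-style path) goes straight to the ISP and resolves in about 20 ms. Pointing the script at a real `tshark -T fields` export with the same six fields, and the real interface and resolver addresses, gives a quick way to confirm whether a rule change actually stopped queries leaving over the tunnels.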
Do you host your own internal DNS? I would configure all your clients to look at internal DNS servers for lookups and then configure your internal DNS servers to use forwarders to your ISP.