Welcome to ISAserver.org

Why is TMG Sending DNS requests down Site-2-Site VPNs before sending to configured DNS server

All Forums >> [Threat Management Gateway (TMG) 2010] >> General >> Why is TMG Sending DNS requests down Site-2-Site VPNs before sending to configured DNS server Page: [1]
Why is TMG Sending DNS requests down Site-2-Site VPNs b... - 17.Feb.2011 5:39:32 AM   
Marsdy
Posts: 15
Joined: 11.Apr.2005
I have a TMG Firewall with

- 3 NICs (Internal, External, DMZ) with a network binding order of
  1. First = Internal,
  2. External,
  3. DMZ,
  4. Last = (Remote Access Connections)
- a number of PPTP site-2-site VPNs
- the DNS service running with
  - stub zones to my internal Active Directory DNS domains
  - forwarders set up to my ISP's DNS servers
- the internal NIC has its DNS server set to itself, and all other NICs have blank DNS entries
 
DHCP is configured so clients set their DNS server to the TMG Server
 
I am seeing some odd DNS behaviour. In particular, DNS requests that come from firewall clients and need to be forwarded are first sent down the various site-2-site VPNs to the DNS servers that those connections have configured, rather than to my ISP, which means DNS queries take quite a long time.
 
There is a similar post here, although it talks about Web Proxy settings:

http://forums.isaserver.org/m_2002106125/mpage_1/key_/tm.htm

I've tried going into RRAS and changing the DNS settings for the VPNs to be blank, but they get overwritten by TMG and I can't see how to change them in TMG.

Any ideas anyone?
Post #: 1
RE: Why is TMG Sending DNS requests down Site-2-Site VP... - 17.Feb.2011 8:23:22 AM   
tshinder
Posts: 50013
Joined: 10.Jan.2001
From: Texas
The firewall clients should be using the TMG firewall to resolve names on their behalf.

Are you seeing that the Firewall clients are trying to resolve names on their own?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Marsdy)
Post #: 2
RE: Why is TMG Sending DNS requests down Site-2-Site VP... - 17.Feb.2011 8:45:10 AM   
Marsdy
Posts: 15
Joined: 11.Apr.2005
Firewall clients are resolving through TMG (I think!)

If I run a network trace on the TMG Server and filter based on
(tcp.port == 53 or udp.Port == 53) and
(ipv4.address == 10.x.x.x <client IP> or ipv4.Address == <TMG External NIC Address>)

When I, for example, ping zzzzz.com from the client, I observe
- no DNS requests coming from the client, from which I conclude that DNS requests are coming down the client control channel
- DNS requests for zzzzz.com going out to all the various Site-2-Site VPN DNS Servers and then eventually to the External ISP DNS Server
- after about 12s, a DNS request from the client directly to TMG with an immediate response

If I do an nslookup from the client, then within < 1 second I see
- a DNS request from the client
- a DNS request and response to the External ISP DNS Server
- a DNS response to the client
Which is exactly what I want and would expect!!

(in reply to tshinder)
Post #: 3
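As an added example (not code from this thread), the check described in the post above can be applied to a DNS capture programmatically: flag forwarded queries that leave for resolvers other than the configured ISP forwarders, and measure how long each name took to resolve. The trace lines, the forwarder set and every address below are constructed placeholders, not values from the thread.

```python
"""Check a gateway's outbound DNS traffic against its configured forwarders.

Added example, not from the thread. SAMPLE_TRACE is a constructed capture
in the format 'seconds src dst query|response name'; all IPs are placeholders.
"""

# Constructed: three VPN-peer resolvers are tried (and never answer) first.
SAMPLE_TRACE = """\
0.000 203.0.113.10 172.16.10.5 query zzzzz.com
2.010 203.0.113.10 172.16.20.5 query zzzzz.com
4.020 203.0.113.10 172.16.30.5 query zzzzz.com
6.030 203.0.113.10 198.51.100.53 query zzzzz.com
6.090 198.51.100.53 203.0.113.10 response zzzzz.com
6.100 203.0.113.10 198.51.100.53 query example.net
6.150 198.51.100.53 203.0.113.10 response example.net
"""

# Resolvers the gateway is supposed to forward to (placeholder ISP servers).
CONFIGURED_FORWARDERS = {"198.51.100.53", "198.51.100.54"}


def parse_trace(text):
    """Turn one capture line per record into dicts with typed fields."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, kind, name = line.split()
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "kind": kind, "name": name})
    return records


def unexpected_forwards(records, forwarders):
    """(name, resolver) pairs for queries sent anywhere but a configured forwarder."""
    return sorted({(r["name"], r["dst"]) for r in records
                   if r["kind"] == "query" and r["dst"] not in forwarders})


def resolution_delay(records):
    """Seconds from each name's first outbound query to its first response."""
    first_query, first_response = {}, {}
    for r in records:
        bucket = first_query if r["kind"] == "query" else first_response
        bucket.setdefault(r["name"], r["ts"])
    return {name: round(first_response[name] - first_query[name], 3)
            for name in first_query if name in first_response}


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    print(unexpected_forwards(recs, CONFIGURED_FORWARDERS))
    print(resolution_delay(recs))
```

On the constructed trace, zzzzz.com shows three detours to non-configured resolvers and a multi-second delay, while example.net, which went straight to the forwarder, resolves in well under a second.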
RE: Why is TMG Sending DNS requests down Site-2-Site VP... - 17.Feb.2011 9:25:37 AM   
Marsdy
Posts: 15
Joined: 11.Apr.2005
Interestingly I tried to modify the system rule
[System] Allow DNS from Forefront TMG to selected servers

On the list of destinations, I removed the "All Networks" and added the two specific IP addresses we use for our ISP DNS Servers.

When I look at the properties of the rule the "To" tab only has the specific servers.  However, if I go to Edit System Rules and look, it has the entry for the ISP DNS Servers IN ADDITION TO "All Networks"

And indeed, it is still allowing DNS traffic to the VPN networks.

So I added some exceptions to explicitly add the VPN DNS Servers, and the rule now blocks the traffic, but it is still being sent on the external network.

(in reply to Marsdy)
Post #: 4
RE: Why is TMG Sending DNS requests down Site-2-Site VP... - 17.Feb.2011 11:21:02 AM   
Marsdy
Posts: 15
Joined: 11.Apr.2005
Interestingly, if I disable the firewall client or use nslookup on the client machine, then it all works like a dream.

If I enable the firewall client or do an NSLookup from the TMG server itself, then it doesn't, which is consistent with the conclusion that the TMG Server network stack is the thing that is at fault.

(in reply to tshinder)
Post #: 5
RE: Why is TMG Sending DNS requests down Site-2-Site VP... - 18.Feb.2011 12:50:33 PM   
Marsdy
Posts: 15
Joined: 11.Apr.2005
Hi Tom, just wondered if you had any more thoughts on this before I raised a support incident with MS

Thanks,
Phil.

(in reply to tshinder)
Post #: 6
RE: Why is TMG Sending DNS requests down Site-2-Site VP... - 21.Feb.2011 4:59:16 PM   
ericwittersheim
Posts: 13
Joined: 15.Feb.2011
Do you host your own internal DNS? I would configure all your clients to look at internal DNS servers for lookups and then configure your internal DNS servers to use forwarders to your ISP.

(in reply to Marsdy)
Post #: 7