- 3 NICs (Internal, External, DMZ) with a network binding order of: 1. First = Internal, 2. External, 3. DMZ, 4. Last = (Remote Access Connections)
- a number of PPTP site-to-site VPNs
- the DNS service running with:
  - stub zones to my internal Active Directory DNS domains
  - forwarders set up to my ISP's DNS servers
- the internal NIC has its DNS server set to itself, and all other NICs have blank DNS entries
DHCP is configured so that clients set their DNS server to the TMG server.
I am seeing some odd DNS behaviour. In particular, DNS requests that come from Firewall Clients and need to be forwarded are first sent down the various site-to-site VPNs to the DNS servers that those connections have configured, rather than to my ISP, which means DNS queries take quite a long time.
There is a similar post here, although it talks about Web Proxy settings.
Firewall clients are resolving through TMG (I think!)
If I run a network trace on the TMG server and filter on:
(tcp.port == 53 or udp.Port == 53) and (ipv4.address == 10.x.x.x <client IP> or ipv4.Address == <TMG External NIC Address>)

then when I, for example, ping zzzzz.com from the client I observe:
- no DNS requests coming from the client, from which I conclude that DNS requests are coming down the client control channel
- DNS requests for zzzzz.com going out to all the various site-to-site VPN DNS servers and then eventually to the external ISP DNS server
- after about 12s, a DNS request from the client directly to TMG with an immediate response

If I do an nslookup from the client then within < 1 second I see:
- a DNS request from the client
- a DNS request and response to the external ISP DNS server
- a DNS response to the client
which is exactly what I want and would expect!!
Interestingly, I tried to modify the system rule "[System] Allow DNS from Forefront TMG to selected servers".
On the list of destinations, I removed "All Networks" and added the two specific IP addresses we use for our ISP DNS servers.
When I look at the properties of the rule, the "To" tab only has the specific servers. However, if I go to Edit System Rules and look, it has the entry for the ISP DNS servers IN ADDITION TO "All Networks".
And indeed, it is still allowing DNS traffic to the VPN networks.
So I added some exceptions to explicitly add the VPN DNS servers, and the rule now blocks the traffic, but it is still being sent on the external network.
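The post compares two resolution paths from the client: name resolution via the Winsock stack (what ping uses, and what the TMG Firewall Client can redirect over its control channel to the TMG server) versus a DNS query sent straight to the TMG DNS service (what nslookup does). The script below is an added diagnostic to reproduce that comparison from a Firewall Client machine; it is not code from the original post. It assumes that Resolve-DnsName -DnsOnly bypasses the Firewall Client's Winsock interception (it uses the DNS client API rather than Winsock name resolution), that the TMG internal NIC address is supplied in $TmgDns (10.0.0.1 is a placeholder), and that the Firewall Client agent service is registered as FwcAgent; all three are assumptions to verify on the box.

```powershell
# Added example, not from the original post. Times the two resolution paths
# described in the post from a TMG Firewall Client machine:
#   Winsock (ping-style):   [System.Net.Dns]::GetHostAddresses, which the
#                           Firewall Client LSP can send over its control channel
#   Direct DNS (nslookup):  Resolve-DnsName against the TMG DNS service, which
#                           (assumption) is not intercepted by the Firewall Client
param(
    [string]$Name    = 'zzzzz.com',   # external name from the post
    [string]$TmgDns  = '10.0.0.1',    # ASSUMPTION: placeholder for the TMG internal NIC address
    [int]   $Samples = 3
)

function Measure-WinsockResolve {
    param([string]$Name)
    # Flush the local resolver cache so every sample actually leaves the box
    Clear-DnsClientCache
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name)
        $ok = $true
    } catch {
        $addrs = @(); $ok = $false
    }
    $sw.Stop()
    [pscustomobject]@{
        Path   = 'Winsock (ping-style)'
        Ok     = $ok
        Ms     = $sw.ElapsedMilliseconds
        Answer = ($addrs.IPAddressToString -join ',')
    }
}

function Measure-DirectDns {
    param([string]$Name, [string]$Server)
    Clear-DnsClientCache
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -DnsOnly: plain DNS query, no LLMNR/NetBIOS fallback, sent to $Server only
        $r  = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop
        $ok = $true
    } catch {
        $r = @(); $ok = $false
    }
    $sw.Stop()
    [pscustomobject]@{
        Path   = "Direct DNS to $Server (nslookup-style)"
        Ok     = $ok
        Ms     = $sw.ElapsedMilliseconds
        Answer = (($r | Where-Object Type -eq 'A').IPAddress -join ',')
    }
}

# Interleave the two paths so a slow upstream affects both samples equally
$results = foreach ($i in 1..$Samples) {
    Measure-WinsockResolve -Name $Name
    Measure-DirectDns      -Name $Name -Server $TmgDns
}
$results | Format-Table Path, Ok, Ms, Answer -AutoSize

# Context for interpreting the numbers: which DNS servers the client was handed
# (the post says DHCP points clients at TMG), and whether the Firewall Client
# agent is running. ASSUMPTION: the service name is FwcAgent.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize
Get-Service -Name 'FwcAgent' -ErrorAction SilentlyContinue |
    Format-Table Name, Status -AutoSize
```

Run it as a user who can flush the DNS cache (elevated), with $TmgDns set to the address the client's DHCP lease points at. A large gap between the two Ms columns, with the direct path answering in well under a second, matches the symptom in the post and points at the control-channel path through TMG rather than at the client's own resolver; if both paths are slow, the delay is on the TMG side regardless of how the query arrives.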