How should I optimize DNS

How should I optimize DNS - 20.Mar.2005 6:03:00 PM   


Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I am just setting up (still in pilot) an ISA 2K4 on Windows 2K3 in an AD integrated DNS. Our AD is setup with an empty root so our cacc.local DNS forwards to caccemptyroot.local DNS which in turn forwards to a DNS in our PIX controlled DMZ.

All clients have two DNS entries in their IPCONFIG. One is the local DC, and the second, a DC in the central site. The empty root domain is at the central site. The ISA server plays no part in the connectivity with the central site, serving only internet IPs.

The network is as follows:
local and local2<==>WAN router<==>central site<==>PIX<==>DMZ<==>PIX<==>internet
the two local subnets, both connected to separate ports on the WAN router, are where the ISA server sits between. The default gateway for all clients is the local internal ( while the default gateway for the ISA server is the external local2 (

Because ISA is an AD domain member, its DNS entries point to the local AD DC and the central site AD DC. Any DNS name resolution requests would (I presume) follow the same path using the same process of DNS servers and forwarders as the clients. I hope not to change the AD DNS nor the client DNS settings but wonder if there is something I can do directly on the ISA server.

I did read http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html but I am still not clear how my firewall clients and web proxy clients use DNS in relation to the ISA server. My existing MS Proxy2 server (to be replaced by ISA) does suffer some DNS resolution failures from time to time, and I have noticed the occasional timeout with ISA. I don't have a snippet of the MSP2 error, but it does refer to a DNS error. The ISA error is as follows:
Technical Information (for support personnel)
Error Code 64: Host not available
Background: The gateway or proxy server lost connection to the Web server.
Date: 3/19/2005 7:11:43 PM
Server: FFISA.cacc.local
Source: Remote server

So far, the error has happened whilst attempting to retrieve a Google banner ad whose URL starts with:
Post #: 1
RE: How should I optimize DNS - 20.Mar.2005 8:57:00 PM   


Posts: 509
Joined: 26.Nov.2003
From: SA
Status: offline
My recommendation is to have an internal DNS server that resolves internal and external requests. You then point your ISA to that server and there is a rule on the ISA server that allows that server to perform external DNS requests.



(in reply to LLigetfa)
Post #: 2
RE: How should I optimize DNS - 20.Mar.2005 9:22:00 PM   


Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Since my internal DNS does forward to the external DNS, that is basically what I have now. The only thing is that my primary DNS is my local DC which forwards to another DNS in the empty root which in turn forwards to the DNS in the DMZ that forwards to the internet. I was hoping that I could cut out a few middlemen.

Are you saying that my DNS is optimum and that there is no room for improvement?

On the issue of the 64 error, I did find, Topic: Error Code 64 Host not available - Problem solved that sounds very much like my problem. In my first post I did not bother to post the entire URL cuz it was so long, but as in the above topic, the excessive length is similar.
http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-7377574264531671&dt=1111259502995&lmt=1111259502&format=728x90_as&output=html&url=http%3A%2F%2Fwww.kixtart.org%2Fubbthreads%2Fshowflat.php%3FCat%3D%26Board%3DUBB13%26Number%3D135170%26Forum%3DAll_Forums%26Words%3D%26Match%3DEntire%2520Phrase%26Searchpage%3D0%26Limit%3D250%26Old%3D2days%26Main%3D135170%26Search%3Dtrue%23Post135170&color_bg=ECF8FF&color_text=6F6F6F&color_link=0000CC&color_url=008000&color_border=B4D0DC&ad_type=text&ref=http%3A%2F%2Fwww.kixtart.org%2Fubbthreads%2Fdosearch.php%3FCat%3D%26Forum%3DAll_Forums%26Words%3D%26Match%3DEntire%2BPhrase%26Old%3D2days%26Limit%3D250&u_h=768&u_w=1024&u_ah=708&u_aw=1024&u_cd=32&u_tz=-360&u_his=2&u_java=true

I will try the EnablePMTUDiscovery reg hack mentioned.

(in reply to LLigetfa)
Post #: 3
RE: How should I optimize DNS - 21.Mar.2005 6:43:00 AM   


Posts: 246
Joined: 3.Mar.2005
From: Wisconsin
Status: offline

Unless you see the need for all three DNS servers you mentioned (the second one and the DMZ) to hold a cache record for every lookup initiated from the inside, you certainly could set your DC to forward directly to your ISP's external DNS server for external queries.

At the very least I would personally eliminate one of the two DNS forwarders unless there is a reason you're doing it this way.

Hope this helps.

(in reply to LLigetfa)
Post #: 4
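The case for trimming the forwarder chain discussed in the last two replies is easier to make with per-hop measurements than with a diagram. The script below is an added example, not code from this thread or from ISA Server: it builds a plain recursive A query in DNS wire format, sends it directly to each server in the chain (local DC, empty-root DC, DMZ DNS), and reports latency, answer and TTL, or a timeout, for each hop. The server addresses in FORWARDER_CHAIN are placeholders and must be replaced with the real ones; the parser checks that the response ID matches the query so a stale or unrelated datagram is not mistaken for an answer.

```python
"""Probe each DNS server in a forwarder chain and report how it answers.

Added example (not from the thread or from ISA Server). Server addresses
below are placeholders; replace them with the chain being investigated.
"""
import random
import socket
import struct
import time

# Placeholder addresses: local DC, empty-root DC, DMZ DNS (constructed, RFC 5737 range).
FORWARDER_CHAIN = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]


def build_query(name: str, qid: int) -> bytes:
    """Build a standard recursive A/IN query for `name` (RFC 1035 wire format)."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, qid: int) -> dict:
    """Parse header and A records from a DNS response; reject a mismatched ID."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response ID does not match the query ID")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addresses, ttls = [], []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
            ttls.append(ttl)
        off += rdlen
    return {
        "rcode": flags & 0x000F,
        "authoritative": bool(flags & 0x0400),
        "addresses": addresses,
        "ttls": ttls,  # TTLs shrink at each caching hop, which shows where caches sit
    }


def query_server(server: str, name: str, timeout: float = 2.0) -> dict:
    """Send one query straight to `server`; return latency and answer, or the failure."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
        result = parse_response(data, qid)
        result["latency_ms"] = round((time.monotonic() - start) * 1000, 1)
    except (socket.timeout, OSError, ValueError) as exc:
        result = {"error": type(exc).__name__}
    finally:
        sock.close()
    result["server"] = server
    return result


def probe_chain(servers, name: str) -> list:
    """Query every server in the chain for the same name and collect the results."""
    return [query_server(server, name) for server in servers]


if __name__ == "__main__":
    for row in probe_chain(FORWARDER_CHAIN, "www.isaserver.org"):
        print(row)
```

Run it from a client that can reach all three servers on UDP/53; a hop that times out while the next one answers, or a TTL that drops sharply between hops, is the evidence to bring to the change board.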
RE: How should I optimize DNS - 21.Mar.2005 3:31:00 PM   


Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
The AD DC (DNS) is administered by CorpIT and I am DivIT. That was the reason I asked "if there is something I can do directly on the ISA server". That said, I do sit on the AD Change Advisory Board so if there is compelling reason to change the existing design, I could propose it.

So, what would be my other option, if any?

On the issue of the 64 errors, enabling EnablePMTUDiscovery cleared that up. I am not sure why, since my understanding about PMTU is that it relies on ICMP which AFAIK is blocked by the PIX. The local router is once again managed by the CorpIT WAN group and they are a secretive bunch so I doubt I can get details from them on MTU size.

(in reply to LLigetfa)
Post #: 5
