Posts: 9
Joined: 14.Jul.2001
From: Costa Rica
Status: offline
Hi all. I've been publishing several DNS servers on the same ISA machine with no problems. They work great. But now I'm trying to publish a DNS on an internal W2K box and .... no success. If I try to make a query using nslookup and start Network Monitor, I find that the query reaches the internal DNS server but the reply does not reach back to the client. I placed a packet filter receive/send - send/receive - up/down on Local UDP/53 and nothing. If I allow zone transfers and open TCP/53, the transfer works immediately. From time to time the DNS replies, but that is 1 in 20 queries. The problem is with UDP. I found a KB article, Q312640, that states:
"A DNS server that is configured as a secure NAT or firewall client to ISA Server may stop resolving names. When you restart the DNS service on the internal DNS server or restart the Firewall service on the ISA Server computer, the problem is temporarily resolved. A Network Monitor trace may show that the ISA Server computer is returning "Destination Port Unreachable". This issue could also occur with a UDP program other than DNS."
The ISA Server has SP1. This is a big issue! Any help will be great. Thanks.
Posts: 10
Joined: 20.Jul.2001
From: Recife, PE, Brazil
Status: offline
Hi Tom,
I have the same problem, but when I query with a timeout between 10-20 seconds (the default is 02 seconds, just as a reminder), I can get the answers, and this problem continues until I restart the server. After the restart, the answers stay fine for an unknown time, with the problem reappearing after 01 day/week/month (I only know the problem is occurring after I stop receiving mail because the senders cannot resolve the MX record)...
If you know a solution (I am already running W2K SP2 w/ ISA SP1), please answer us... I have this problem on 04 ISA servers on 04 different internet networks with 04 different servers & NICs.
TIA.
Felicio Santos.
PS: My English is under construction.
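An added diagnostic (not code from this thread) for the symptom the two posts above describe: it hand-builds an MX query, sends it over UDP with a short and a long timeout, then repeats it over TCP/53, so a server that answers on TCP but drops or delays UDP replies shows up directly. The server address and the name to look up are assumed to be given on the command line.

```python
import socket
import struct
import sys
import time

QUERY_ID = 0x1234  # constructed transaction ID; replies must echo it


def build_query(name, txn_id=QUERY_ID, qtype=15):
    """Build a minimal DNS query: QTYPE 15 = MX, QCLASS 1 = IN, RD flag set."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Return (txn_id, rcode, answer_count) from a DNS message header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txn_id, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    return txn_id, flags & 0x000F, ancount


def probe_udp(server, name, timeout):
    """One UDP query; returns (reply_matched, seconds_waited)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    except (socket.timeout, ConnectionResetError):
        # On Windows an ICMP "Port Unreachable" surfaces as ConnectionResetError
        return False, time.monotonic() - start
    finally:
        s.close()
    return parse_header(data)[0] == QUERY_ID, time.monotonic() - start


def probe_tcp(server, name, timeout):
    """Same query over TCP (2-byte length prefix); returns (reply_matched, seconds)."""
    q = build_query(name)
    start = time.monotonic()
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            data = s.recv(514)[2:]  # strip the length prefix
    except OSError:
        return False, time.monotonic() - start
    return parse_header(data)[0] == QUERY_ID, time.monotonic() - start


if __name__ == "__main__":
    server, name = sys.argv[1], sys.argv[2]
    for t in (2, 20):  # nslookup's default timeout, then the long one from the post
        print("UDP, timeout %ds:" % t, probe_udp(server, name, t))
    print("TCP:", probe_tcp(server, name, 5))
```

A UDP result of (False, ~20) next to a TCP result of (True, small) reproduces the "TCP/53 works, UDP/53 does not" pattern from the first post.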
quote: Originally posted by tshinder: Hi Alejandro,
Are the DNS servers on the ISA Server contending for the port on the external interface of the ISA Server and preventing publishing?
Here's my scenario which works great and I think addresses your issues.
MachineA - Active Directory enabled DNS (PDC)
MachineB - DNS Server for Hosted Internet Sites
MachineC - ISA Server with caching only DNS
The idea is to provide DNS services for the Active Directory, the Hosted Internet Sites, AND external internet queries for your internal clients, and also to publish the Hosted Internet Sites to external clients.
MachineC runs DNS server in caching only mode (no zone files) with recursion turned ON. ISA on this machine uses standard Server Publishing rules to publish the DNS server on MachineB for external clients.
MachineB contains the zone files ONLY for the Hosted Sites and has recursion DISABLED. It also has MachineC listed as its default gateway.
The DNS server on MachineA (which has all the Active Directory entries) is configured to use Forwarders without recursion. The first forwarder is to MachineB, the second is to MachineC. MachineA itself has recursion enabled (it's only off for the Forwarders).
The client machine has only one DNS entry pointing to MachineA. MachineA tries to resolve the request against the Active Directory. Failing that it goes to the forwarders trying first to resolve against the locally hosted internet sites and then to the ISA server which handles external internet name resolution.
External clients get name resolution directly through the ISA Server Publishing rules. Since MachineC is listed as the default gateway, query requests know how to find their way back to the ISA box.