My external DNS is behind an ISA server. When I do an NSLOOKUP command from an external location it comes up negative, or when I try to delegate control from the hosting company we got it from, the error comes up: cannot find nameserver. I published my DNS server, so it is supposed to redirect packets destined for the DNS server, right? If anyone has any ideas or suggestions, or even something I missed, it would be very appreciated.
Well, if you've done as the instructions said (kind of hard to miss since they are clear) and you are still not getting anything through from the outside... well, welcome! You're not alone!
I have an ISA that publishes web, ftp and dns located on one internal server. I can access it with web and ftp from the outside and I can do ANYTHING from the server against the outside... but DNS just won't work for more than a few hours, then it stops forwarding until I have rebooted the ISA! All the time, internal DNS queries to the server are answered quickly and correctly.
I would say that you shouldn't need access to an internal DNS server from outside the firewall. The only type of resolution that should be necessary from outside is to locate the firewall itself, and this can be done from any DNS server out there. I have this opinion because DNS is very hard to secure, and it holds some very important info (like the IP address of every system on the internal network...). If you need to delegate a subdomain, can you set up a VPN connection between the sub-domain server's network and the ISA server? If you do that, IP traffic would be encrypted (by either PPTP or L2TP depending on how you want to set it up), and you wouldn't need to worry about DNS publishing. The only drawback would be a little overhead on the traffic.
Well said Bruce, I read many posts like this, and I don't fully understand why admins feel the need to make an internal DNS server publicly available. All that you should need is to point any and all records to the external interface of ISA, and keep your internal DNS servers internal.
Thanks for the compliment, skipster! I have found that the vast majority of Microsoft Network/Server Administrators don't really understand DNS. I don't mean this as an insult either, as it can be a very complex topic and it's not explained really well by any of MS's documentation.
One2look4 - It's important to remember that an external client is on a very untrusted network, and everything they will access has to go through the ISA server. Therefore, you want ISA to control _all_ access to internal resources. The easiest way to make sure this happens is to open as few ports as possible on the external (some call it the north) NIC of the ISA box. Since all external clients will already have a DNS configuration supplied by their ISP, they don't need to access your DNS server. You might say they need to locate the resources you are publishing, but remember that the external client doesn't need to locate the resources - ISA does! The resources are all accessible via the north interface of the ISA server from outside, and the only way they're going to get to the north interface is by doing a DNS lookup to find the ISA server, so... IMHO, the only clients that should be accessing your internal DNS are _internal_ clients.
As for setting up a delegated zone, that should be encrypted anyway (in particular if you're going to have directory information in that zone).
Hope that helps to sort some of the fuzzy stuff out.
Thank you for the constructive criticism. I knew I eventually needed to buy a router. But how could you temporarily set that up? What do you think about a secured (SSL) connection from the ISA to the DNS server scenario? Could you also recommend some good literature on DNS configurations or scenarios? Thanks again! aka hungry and eager!
OK, I see that a lot of you out there are not running larger operations. "you see no need for publishing a dns!"??
The DNS that I publish (with the ISA to keep it slightly safer) is NOT the same as my internal production DNS!
My production DNSs are all safely tucked away on internal, double protected, networks. HOWEVER, to have a presence on the Internet there must be a way for people to locate your webs, ftps and such... not to mention MX records!
This can either be outsourced to some other company like Yahoo or such, but if you're not in the States (there are actually quite a few countries outside of the US) you might not want (or be allowed) to give that kind of power over your operations to someone outside of your control.
The normal way to do this is then to establish a DMZ, place your publicly available resources there and publish them through a firewall. This does NOT imply that I publish my whole internal DNS! You can actually create a separate DNS structure even with Microsoft's products!
Just giving the "world" the name/address of the ISA does not work if you are publishing several webs (identified by host header), ftps and such.
So, is there anyone here that is actually USING the ISA in a larger operation (with personally operated DNSs) or are all ISA implementations smaller "fly by night" operations?
We have not managed to get a good reference installation recommended to us by MS here in Europe!
Jorgen says 'So, is there anyone here that is actually USING the ISA in a larger operation (with personally operated DNSs) or are all ISA implementations smaller "fly by night" operations? '
Is this big enough? I am the network admin for a province-wide organization here in Alberta, Canada. We host 4 different multi-server (i.e. NLB'd) websites each hooked to a SQL backend, each with a different name. We have over 2000 client systems, and we have over 50 servers in various locations. We use a combination of Cisco PIXes and multiple ISA servers to set up VPNs between each LAN using L2TP to secure the connections. Our public DNS servers are indeed published behind three of these ISA servers. Please don't make snap judgements of others based on a couple of words typed on a website messageboard...
As for the original question posted by One2Look4 concerning setting up a published DNS server, I wanted to make sure that he wasn't going to publish his _private_ DNS server. This is a common mistake made by _a lot_ of people, and I thought I'd be nice and advise him so he didn't become one of the masses that think this is standard practice. I apologize if I offended you with some of my comments in some of the earlier posts.
One2Look4: I'm not sure what a router has to do with the situation you have described above. Maybe if you could say why you think one is needed, it'd clear this up a little. SSL can't be used for any of this, because SSL is only used for WWW traffic (i.e. setting up encryption for the securing of HTML traffic). A great book on DNS is "DNS and BIND" by Cricket Liu and Paul Albitz. I don't know what country you're in but, here in Canada, Chapters lists the book (chapters.ca).
Bruce Ferris said it very well and no, he didn't offend me. I am an American living in Puerto Vallarta, Mexico. My scenario is very similar to his: I am running a public DNS internally, and I am not forwarding my internal zone to external sources. I have an internal and an external zone, both separate. The reason for a multiport router is to connect primary and secondary DNS servers externally and also to ISA. This way external DNS stays external, i.e. less traffic going through the firewall, right? Now back to my original question about NSLOOKUP going through ISA. The DNS server is an S-NAT client.
Sorry that I offended you Bruce, it was NOT my meaning to do that.
Your operation is about par with mine, with the exception that mine is a multinational service spanning (at the moment) 12 countries... we're mostly using private leased VPN services though. It was skipster's comment I reacted to.
However, the original problem is still there: the ISA server is somewhat unstable when it comes to DNS publishing!
I have a thread with Tom, "DNS conflicts with Site&Content rules??". Take a look at that and take care to read his last post... do NOT mix other services on your published DNSs. I am going to try and find two spare machines I can plug in and run to test this.
I do not think attributing any problem to publishing external/internal DNS via ISA is correct. We host our own DNS, both external and internal, and we have not experienced any problem. All seems to be working well for us without any problem. I will not hesitate to recommend publishing DNS servers via ISA.
I've found that in the environments where I could set up the "split-split" DNS, the DNS publishing rules never failed. I tested this out on our own network, where we host our own DNS server for about 12 domains. The DNS publishing rules have been rock solid since making the change. I'm wondering if some of the problems were related to our DNS servers performing recursion for the internal network clients. The new setups have the published DNS servers working as advertisers only, and they do not perform recursion.
This seems to create a much more stable DNS publishing environment.
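The two checks this thread keeps coming back to, that a published DNS server should answer only authoritatively for its own zones without offering recursion (the "advertiser only" setup in the last post), and that it should never hand out internal addresses for public names (the private-DNS leak Bruce and skipster warn about), can be verified on the wire from an external host rather than by trusting the console. The following is an added example, not code from any poster or from ISA Server: it builds a raw DNS query, parses the response header and answer section, and flags a response that sets RA (recursion available), lacks AA (authoritative answer), or returns an RFC 1918 address. The responses it checks are constructed inline so it runs offline; the names and addresses (www.example.com, 203.0.113.10 as the ISA external interface, 192.168.1.20 as a leaked internal host) are assumptions, and `send_query` is only shown as the optional network path.

```python
"""Added example: check what a published (advertiser-only) DNS server returns.
Not part of the original thread; names and addresses below are constructed."""
import ipaddress
import socket
import struct

# Internal address space that should never appear in answers from a published DNS.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a raw DNS query (one question, IN class). rd=True asks the server to
    recurse, which is exactly what an advertiser-only server should not offer."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(data):
    """Parse header flags and the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = _read_name(data, off)
        off += 4                                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record -> dotted quad
            rdata = str(ipaddress.IPv4Address(rdata))
        answers.append((name, rtype, rdata))
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": answers}


def audit_published_answer(resp):
    """Findings a published DNS server's answer should not produce."""
    findings = []
    if resp["rcode"] != 0:
        findings.append("rcode=%d (server could not or would not answer)" % resp["rcode"])
    if not resp["aa"]:
        findings.append("AA=0: answer is not authoritative for the published zone")
    if resp["ra"]:
        findings.append("RA=1: server offers recursion; published DNS should be advertiser-only")
    for name, rtype, rdata in resp["answers"]:
        if rtype == 1 and any(ipaddress.IPv4Address(rdata) in net for net in RFC1918):
            findings.append("%s -> %s: internal (RFC 1918) address leaking via the published DNS" % (name, rdata))
    return findings


def send_query(server, name, timeout=3.0):
    """Optional network path: send the query over UDP/53 and audit the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return audit_published_answer(parse_response(data))


def build_response(query, addresses, aa=True, ra=False, rcode=0):
    """Construct a response to `query` with A records (used for the offline samples)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)      # name = pointer to question
                   + ipaddress.IPv4Address(ip).packed for ip in addresses)
    return header + query[12:] + rrs


# Constructed samples: a correct advertiser-only answer and a leaky, recursing one.
QUERY = build_query("www.example.com")
GOOD = build_response(QUERY, ["203.0.113.10"], aa=True, ra=False)
BAD = build_response(QUERY, ["192.168.1.20"], aa=True, ra=True)

if __name__ == "__main__":
    for label, pkt in (("good", GOOD), ("bad", BAD)):
        print(label, audit_published_answer(parse_response(pkt)) or "no findings")
```

Against a real server, `send_query("203.0.113.10", "www.example.com")` from an outside host exercises the same checks; a timeout there rather than a response matches the "cannot find nameserver" symptom in the first post, which is a publishing-rule problem rather than a zone problem.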