
Welcome to ISAserver.org


DNS Server Not Accessable

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client >> DNS Server Not Accessable
DNS Server Not Accessable - 13.Sep.2003 3:18:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Hello,

I have a problem that I cannot seem to fix. I have tried what seems like everything. Here are the basics:

I have the ISA server at address x.x.1.1 (my gateway)
I have the public DNS server at x.x.1.9 (problem)
I have a public web server at x.x.1.9 (no problem)
I have my mail server at x.x.1.9 (no problem)

I have the DNS server published in the server publishing section of ISA.
I have the web server published in the web server area.
I have the mail server published as well.

The mail and web server work fine.

The DNS server, however, is not accessible from the outside world. If you try to resolve a domain that is serviced by my DNS server, the query will fail. If anyone can assist me in determining just why, I would be forever grateful.

[ September 13, 2003, 03:26 PM: Message edited by: Wayne F ]
Post #: 1
RE: DNS Server Not Accessable - 13.Sep.2003 4:48:00 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Wayne,

check out http://support.microsoft.com/default.aspx?scid=kb;EN-US;810493 .

HTH,
Stefaan

(in reply to wfusco)
Post #: 2
RE: DNS Server Not Accessable - 13.Sep.2003 5:29:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Hey Stefaan,

I am confused; this is what the link you sent me to is about:
=================================
Microsoft has released an Update Rollup Package for Microsoft ISA Server 2000 that corrects the problems that are described in the following Microsoft Knowledge Base articles:
810559 FIX: Slow Responses and Failures When You Use Server Publishing UDP Protocols

331068 FIX: ISA Firewall Causes Handle Leak in LSASS

813864 FIX: Site and Content Rules Do Not Filter Based on File Name Extensions

816828 "Permission Denied" Error Message When You Use Rlogin to Log On to a Server on the Internet
==================================

Is this correct? I don't see anything listed here concerning DNS. I have all the latest patches installed that I know of.

Wayne

(in reply to wfusco)
Post #: 3
RE: DNS Server Not Accessable - 13.Sep.2003 7:42:00 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Wayne,

when you server publish a DNS server, the mapped server protocols used are UDP port 53 and TCP port 53. As far as I know, ISA has problems with publishing any UDP protocol. Those problems and others are fixed by the Update Rollup Package.

HTH,
Stefaan

(in reply to wfusco)
Post #: 4
RE: DNS Server Not Accessable - 13.Sep.2003 7:55:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Hey Stefaan,

I guess that I have to get that from Microsoft themselves. Do you know another source other than having to call them?

Wayne

(in reply to wfusco)
Post #: 5
RE: DNS Server Not Accessable - 13.Sep.2003 8:01:00 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Wayne,

yes, you need to call Microsoft Product Support Services (PSS). Because the MSKB applies to your problem, I think the support call should be free.

HTH,
Stefaan

(in reply to wfusco)
Post #: 6
RE: DNS Server Not Accessable - 13.Sep.2003 8:12:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Okay then,

Well, I am on endless hold with Microsoft support now...

Wayne

(in reply to wfusco)
Post #: 7
RE: DNS Server Not Accessable - 13.Sep.2003 9:42:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Hey Stefaan,

Okay, I got the patch from Microsoft. Applied it and I still have the same problem. Any ideas?

Wayne

(in reply to wfusco)
Post #: 8
RE: DNS Server Not Accessable - 13.Sep.2003 10:54:00 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Wayne,

Hmm... let's try another approach! [Wink]

As said in one of my previous posts, when you server publish a DNS server, the mapped server protocols should be UDP port 53 and TCP port 53. So, did you create two publishing rules?

If that's the case, from an external host run the command 'telnet x.x.1.9 53'. The connection should succeed. Otherwise, check that the DNS server is configured as a SecureNAT client only.

BTW --- if you give me the IP address, I can test it for you if you like.

HTH,
Stefaan

(in reply to wfusco)
Post #: 9
RE: DNS Server Not Accessable - 13.Sep.2003 11:38:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Hey Stefaan,

I am not sure how to configure a Microsoft DNS server for SecureNAT. It is running on a W2K Adv Server. The address is 24.73.198.174

Thanks!

Wayne

(in reply to wfusco)
Post #: 10
RE: DNS Server Not Accessable - 14.Sep.2003 11:38:00 AM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Wayne,

if 24.73.198.174 is the IP address where you published the DNS server on, then I can connect to TCP port 53 without any problem. What DNS zone are you authoritative for? Without that info it is rather hard to test DNS queries through UDP and TCP.

BTW --- can you access the DNS server directly from an internal host?

HTH,
Stefaan

(in reply to wfusco)
Post #: 11
RE: DNS Server Not Accessable - 14.Sep.2003 1:43:00 PM   
wfusco


Posts: 18
Joined: 13.Sep.2003
Status: offline
Good Morning Stefaan,

The domains that are hosted there are webwolf.com, dhs-alumni.com just to name a few.

This is what I get if I try to resolve the domains here,

==================================
> webwolf.com
Server: dobie.tiffway.com
Address: 10.1.1.9

Name: webwolf.com
Address: 24.73.198.174

> dhs-alumni.com
Server: dobie.tiffway.com
Address: 10.1.1.9

Name: dhs-alumni.com
Address: 24.73.198.174
=================================

Wayne

(in reply to wfusco)
Post #: 12
RE: DNS Server Not Accessable - 14.Sep.2003 10:43:00 PM   
spouseele


Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Wayne,

if I ask via the Internet root servers who is authoritative for the given domains, then I get the following answers:
code:
Header:
ID=53609, QR=Response, Opcode=QUERY, RCODE=NO ERROR
Authoritative Answer=Yes, Truncation=No
Recursion Desired=Yes, Recursion Available=No
QDCOUNT=1, ANCOUNT=4, NSCOUNT=2, ARCOUNT=0
Question:
Name=webwolf.com, QTYPE=ALL, QCLASS=1
Answer Section:
- Name=webwolf.com
Type=A, Class=1, TTL=7200 (2 Hours), RDLENGTH=4
IP Address=0.0.0.0
- Name=webwolf.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=16
Name Server=ns12.zoneedit.com
- Name=webwolf.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=7
Name Server=ns15.zoneedit.com
- Name=webwolf.com
Type=SOA, Class=1, TTL=7200 (2 Hours), RDLENGTH=33
Name Server=ns12.zoneedit.com, Mailbox=dnsadmin.zoneedit.com
Serial=1063422948
Refresh=14400 (4 Hours)
Retry=7200 (2 Hours)
Expire=950400 (11 Days)
Minimum TTL=7200 (2 Hours)
Authority Records Section:
- Name=webwolf.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=2
Name Server=ns12.zoneedit.com
- Name=webwolf.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=2
Name Server=ns15.zoneedit.com


Header:
ID=53432, QR=Response, Opcode=QUERY, RCODE=NO ERROR
Authoritative Answer=Yes, Truncation=No
Recursion Desired=Yes, Recursion Available=No
QDCOUNT=1, ANCOUNT=5, NSCOUNT=2, ARCOUNT=0
Question:
Name=dhs-alumni.com, QTYPE=ALL, QCLASS=1
Answer Section:
- Name=dhs-alumni.com
Type=A, Class=1, TTL=7200 (2 Hours), RDLENGTH=4
IP Address=24.73.198.174
- Name=dhs-alumni.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=16
Name Server=ns12.zoneedit.com
- Name=dhs-alumni.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=7
Name Server=ns19.zoneedit.com
- Name=dhs-alumni.com
Type=SOA, Class=1, TTL=7200 (2 Hours), RDLENGTH=33
Name Server=ns12.zoneedit.com, Mailbox=dnsadmin.zoneedit.com
Serial=1063026916
Refresh=14400 (4 Hours)
Retry=7200 (2 Hours)
Expire=950400 (11 Days)
Minimum TTL=7200 (2 Hours)
- Name=dhs-alumni.com
Type=MX, Class=1, TTL=7200 (2 Hours), RDLENGTH=17
Preference=0, Mail Exchange=mail.tiffway.com
Authority Records Section:
- Name=dhs-alumni.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=2
Name Server=ns12.zoneedit.com
- Name=dhs-alumni.com
Type=NS, Class=1, TTL=7200 (2 Hours), RDLENGTH=2
Name Server=ns19.zoneedit.com

So, your nameserver seems *not* to be registered to be authoritative for those domains. Moreover, for the FQDN webwolf.com I get an IP address 0.0.0.0. That doesn't look good! The FQDN dhs-alumni.com resolves to the IP address 24.73.198.174 and that seems to be correct.

Now, if I ask the same questions directly to your published DNS server 24.73.198.174 I get the following answers when it is done through the TCP protocol:
code:
Header:
ID=53748, QR=Response, Opcode=QUERY, RCODE=NO ERROR
Authoritative Answer=Yes, Truncation=No
Recursion Desired=Yes, Recursion Available=Yes
QDCOUNT=1, ANCOUNT=4, NSCOUNT=0, ARCOUNT=2
Question:
Name=webwolf.com, QTYPE=ALL, QCLASS=1
Answer Section:
- Name=webwolf.com
Type=A, Class=1, TTL=3600 (1 Hour), RDLENGTH=4
IP Address=24.73.198.174
- Name=webwolf.com
Type=NS, Class=1, TTL=3600 (1 Hour), RDLENGTH=14
Name Server=dns.tiffway.com
- Name=webwolf.com
Type=SOA, Class=1, TTL=3600 (1 Hour), RDLENGTH=36
Name Server=dobie.tiffway.com, Mailbox=admin.tiffway.com
Serial=23
Refresh=900 (15 Minutes)
Retry=600 (10 Minutes)
Expire=86400 (1 Day)
Minimum TTL=3600 (1 Hour)
- Name=webwolf.com
Type=MX, Class=1, TTL=3600 (1 Hour), RDLENGTH=9
Preference=10, Mail Exchange=mail.tiffway.com
Additional Records Section:
- Name=dns.tiffway.com
Type=A, Class=1, TTL=3600 (1 Hour), RDLENGTH=4
IP Address=24.73.198.174
- Name=mail.tiffway.com
Type=A, Class=1, TTL=3600 (1 Hour), RDLENGTH=4
IP Address=24.73.198.174


Header:
ID=54119, QR=Response, Opcode=QUERY, RCODE=NO ERROR
Authoritative Answer=Yes, Truncation=No
Recursion Desired=Yes, Recursion Available=Yes
QDCOUNT=1, ANCOUNT=4, NSCOUNT=0, ARCOUNT=2
Question:
Name=dhs-alumni.com, QTYPE=ALL, QCLASS=1
Answer Section:
- Name=dhs-alumni.com
Type=A, Class=1, TTL=3600 (1 Hour), RDLENGTH=4
IP Address=24.73.198.174
- Name=dhs-alumni.com
Type=NS, Class=1, TTL=3600 (1 Hour), RDLENGTH=14
Name Server=dns.tiffway.com
- Name=dhs-alumni.com
Type=SOA, Class=1, TTL=3600 (1 Hour), RDLENGTH=36
Name Server=dobie.tiffway.com, Mailbox=admin.tiffway.com
Serial=36
Refresh=900 (15 Minutes)
Retry=600 (10 Minutes)
Expire=86400 (1 Day)
Minimum TTL=3600 (1 Hour)
- Name=dhs-alumni.com
Type=MX, Class=1, TTL=3600 (1 Hour), RDLENGTH=9
Preference=10, Mail Exchange=mail.tiffway.com
Additional Records Section:
- Name=dns.tiffway.com
Type=A, Class=1, TTL=3600 (1 Hour), RDLENGTH=4
IP Address=24.73.198.174
- Name=mail.tiffway.com
Type=A, Class=1, TTL=3600 (1 Hour), RDLENGTH=4
IP Address=24.73.198.174

When I try the same through the UDP protocol, then I get no answers at all!

Because everything works through the TCP protocol, your DNS server seems to be correctly configured as a SecureNAT client. What have you used as mapped server protocol in your DNS publishing rules? What is the Firewall and IP packet filter log telling you?

HTH,
Stefaan

(in reply to wfusco)
Post #: 13
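As an added example (not code from the thread or from any of its participants), the following Python script implements the two checks Stefaan walks through: the TCP reachability test of post #9 and the UDP-versus-TCP query comparison of post #13. It builds a minimal DNS query, sends it over both transports (DNS over TCP prefixes each message with a two-byte length, which is why a telnet connection to port 53 proves only that the TCP 53 rule works), and parses the response header into the same fields the dumps above show (ID, QR, AA, RD, RA, RCODE, QDCOUNT, ANCOUNT). The `sample_response()` bytes are constructed here to mirror the authoritative A record the published server returned over TCP, so the parser can be exercised without network access; `check_published_server` is the only part that touches the network and needs a reachable server on port 53. All function names are this example's own.

```python
import socket
import struct
import sys

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "ANY": 255}
RCODE = {0: "NO ERROR", 1: "FORMAT ERROR", 2: "SERVER FAILURE", 3: "NAME ERROR", 5: "REFUSED"}


def encode_name(name):
    """Encode 'webwolf.com' as DNS labels: \\x07webwolf\\x03com\\x00 (RFC 1035 3.1)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """Standard query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg):
    """Header flags and answer section; RDATA decoded for A and NS, hex otherwise."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODE.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar, "answers": []}
    offset = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 2:
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
        offset += rdlen
    return info


def tcp_frame(msg):
    """DNS over TCP (RFC 1035 4.2.2): each message is preceded by its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, name, qtype="A", timeout=3.0):
    """Returns the parsed answer, or None on timeout (the UDP symptom in post #13)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def query_tcp(server, name, qtype="A", timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(name, qtype)))
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return parse_response(recv_exact(s, length))


def check_published_server(server, name):
    """Same query over both transports; TCP-only answers point at the UDP 53 rule."""
    try:
        tcp_ok = query_tcp(server, name) is not None
    except OSError:
        tcp_ok = False
    return {"tcp": tcp_ok, "udp": query_udp(server, name) is not None}


def sample_response():
    """Constructed sample (not captured from the thread): an authoritative A answer
    of the kind the published server gave over TCP in post #13."""
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080      # QR, AA, RD, RA; RCODE 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name("webwolf.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([24, 73, 198, 174])
    return header + question + answer


if __name__ == "__main__":
    if len(sys.argv) == 3:                         # python dnscheck.py <server> <name>
        print(check_published_server(sys.argv[1], sys.argv[2]))
    else:
        print(parse_response(sample_response()))
```

A result of `{'tcp': True, 'udp': False}` is exactly the pattern in this thread: the server is up and the TCP 53 publishing rule works, so the next place to look is the UDP 53 rule and the ISA packet filter log rather than the zone data itself. Run without arguments, the script only parses the constructed sample.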
