<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/MU" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: DNS Best Practices</title>
	<link>http://blogs.isaserver.org/shinder/2006/10/19/dns-best-practices/</link>
	<description>Written by Dr Thomas W Shinder, consultant to Microsoft, HP and many Fortune 500 companies on ISA firewall and Web proxy deployments this blog is where administrators get information about ISA Server Universal Threat Management firewalls. Topics include how to manage, deploy, and troubleshoot ISA Server as a network firewall, Web proxy/Web cache, remote access VPN server and VPN gateway to provide a high level of network security for all corporate computers.</description>
	<pubDate>Fri,  5 Sep 2008 23:02:37 +0000</pubDate>
	<generator>http://wordpress.org/?v=MU</generator>

	<item>
		<title>by: Andrew</title>
		<link>http://blogs.isaserver.org/shinder/2006/10/19/dns-best-practices/#comment-15012</link>
		<pubDate>Fri, 20 Oct 2006 10:16:29 +0000</pubDate>
		<guid>http://blogs.isaserver.org/shinder/2006/10/19/dns-best-practices/#comment-15012</guid>
					<description>Hey, Tom and Tim ;)

Being in no way an expert in ISA and/or DNS, I'd ask both of you for some clarification rather than disagree and argue with you.

After the necessary disclaimer, here we go:

1. -- quote start --
&quot;That’s why I always configure my AD DNS with a root (.) zone- that way, only local zones may be queried by the client’s stack. I typically only use web proxy clients for HTTP(S)/FTP where all DNS is proxied by the ISA box. If one needs direct DNS for another application (say DOS FTP) then use the FWC and all DNS will be resolved over the control channel, still being proxied by the ISA server.

The ISA server itself will have whatever “public” DNS server configured in its stack so that it can do the resolution for the clients.&quot;
-- quote end --

I was confident that the ISA server itself needs to properly resolve internal host names as well. So how do you configure your ISA box with DNS server addresses?

Do you supply the internal DNS server address on the internal ISA interface and the external DNS server address on the external ISA interface? Or maybe you put both addresses on a single (for example, external) interface?

Anyway, you should experience intermittent browsing delays and timeouts because the Windows TCP/IP stack on the ISA server box will need to constantly switch between the external and internal DNS server addresses, depending on whether it needs to resolve an external or an internal host name.

What is the trick?

2. -- quote start --
&quot;Not only is direct client DNS “dangerous,” but having an AD box set up as a forwarder is “dangerous” as well as the box must be configured to access a remote resource over TCP/UDP 53. This also means that you’ve opened that box up for incoming traffic on TCP/UDP 53 as well.&quot;
-- quote end --

Since when does a properly configured ISA outbound access rule also allow *inbound* access in the backward direction? Never heard about that before.

The rest of the discussion is based on the assumption that, roughly said, &quot;forwarders are bad&quot;, so please, elaborate a bit on this. Maybe I missed something important in your explanation?

Thanks in advance for your comments!</description>
		<content:encoded><![CDATA[<p>Hey, Tom and Tim <img src='http://blogs.isaserver.org/shinder/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>Being in no way an expert in ISA and/or DNS, I&#8217;d ask both of you for some clarification rather than disagree and argue with you.</p>
<p>After the necessary disclaimer, here we go:</p>
<p>1. &#8212; quote start &#8211;<br />
&#8220;That’s why I always configure my AD DNS with a root (.) zone- that way, only local zones may be queried by the client’s stack. I typically only use web proxy clients for HTTP(S)/FTP where all DNS is proxied by the ISA box. If one needs direct DNS for another application (say DOS FTP) then use the FWC and all DNS will be resolved over the control channel, still being proxied by the ISA server.</p>
<p>The ISA server itself will have whatever “public” DNS server configured in its stack so that it can do the resolution for the clients.&#8221;<br />
&#8211; quote end &#8211;</p>
<p>I was confident that the ISA server itself needs to properly resolve internal host names as well. So how do you configure your ISA box with DNS server addresses?</p>
<p>Do you supply the internal DNS server address on the internal ISA interface and the external DNS server address on the external ISA interface? Or maybe you put both addresses on a single (for example, external) interface?</p>
<p>Anyway, you should experience intermittent browsing delays and timeouts because the Windows TCP/IP stack on the ISA server box will need to constantly switch between the external and internal DNS server addresses, depending on whether it needs to resolve an external or an internal host name.</p>
<p>What is the trick?</p>
<p>2. &#8212; quote start &#8211;<br />
&#8220;Not only is direct client DNS “dangerous,” but having an AD box set up as a forwarder is “dangerous” as well as the box must be configured to access a remote resource over TCP/UDP 53. This also means that you’ve opened that box up for incoming traffic on TCP/UDP 53 as well.&#8221;<br />
&#8211; quote end &#8211;</p>
<p>Since when does a properly configured ISA outbound access rule also allow *inbound* access in the backward direction? Never heard about that before.</p>
<p>The rest of the discussion is based on the assumption that, roughly said, &#8220;forwarders are bad&#8221;, so please, elaborate a bit on this. Maybe I missed something important in your explanation?</p>
<p>Thanks in advance for your comments!
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
