
Internal DNS Server behind ISA Server

How do you configure an internal DNS server to resolve internal and external IP addresses when that server has no direct access to the Internet?

--------

Server 1 - Windows 2003 Domain Controller

This is a Windows 2003 Server with AD integrated DNS that handles all name resolution for our internal network.  This server is the domain controller and has no direct connection to the Internet. All internet access for this server is handled by a Windows 2003 server running ISA 2000.

Network card
IP - 10.0.0.2
DNS - 10.0.0.2

I set up forwarders to our ISP's DNS servers but I don't think this server can access them or the root DNS servers.

--------

Server 2 - Windows 2003 w/ ISA 2000

This computer has ISA loaded and working, but only if I set the cards up in the following configuration and bind order.

Second Network card
IP - Public Address from ISP
DNS - ISP's DNS Server

First Network card
IP - 10.0.0.18
DNS - 10.0.0.2

This computer can access the Internet and resolve internal and external names.  I'd like to change the bind order and remove the ISP DNS information from card 2, but I can't do that until I get our Internal DNS server to work properly.
2 Solutions
 
rhandels commented:
Hi,

You would have to create a protocol rule that allows Server 1 to contact the outside world using DNS. To do this, first of all create a "host set" (not quite sure what it's called, not behind an ISA server now); this is a policy element. Then create a protocol allow rule that allows the server to access all locations using UDP port 53. This should do the trick.

Although I would use the ISA server to do the DNS resolution, because I guess your ISA is your proxy server and all machines are configured to use either a proxy server or the default gateway, it will always connect to the ISA server when going to the internet. This way your internal DNS server's security will not be jeopardized and it will not lose performance.
 
mplattner (Author) commented:
I added the publishing rules and the protocol rule on the ISA server, but the other Server 1 is still not working correctly.  It doesn't seem to be trying to use the ISA server at all for DNS forwarding.  It only uses the ISA server for Internet access.  For example, if I ping <external IP> from Server 1 it tries to send it through the default gateway on our internal network.  Opening Internet Explorer and browsing around works fine.

Do you think it would be easier (and better) to move DNS to the ISA server?  What would be involved in moving the AD integrated DNS from Server 1 to the ISA server?
 
rhandels commented:
No, don't move the internal DNS server from the DC to ISA; just let the DC do internal DNS resolution. But for external DNS resolution (to the internet, for example) use the ISA server. Just let the external DNS servers be placed on the external interface of the ISA server.

 
mplattner (Author) commented:
Our ISA server is already able to resolve external names by using our ISP's DNS servers.  

The problem is I'm forced to have DNS info on both network cards on the ISA server and I had to change the network adapter binding order.

ISA Server Net Card 2
IP - public address
DNS - ISP DNS Servers  <-- used to resolve external names

ISA Server Net Card 1
IP - 10.0.0.18
DNS - 10.0.0.2 <-- seems to not even be used by the ISA server

----------

The ISA server only uses the ISP DNS and can only resolve external names.  I have to use WINS for internal name resolution.  

I've been told that the best practice is to set ISA to point to the internal DNS server for the network, and then use forwarders on that DNS server to resolve external IP addresses.  I can't do that though since my internal DNS server doesn't seem to work properly (i.e. isn't using root servers or forwarders) since it doesn't have a direct internet connection.
 
TJworld commented:
Has Server 1 got a default route set that points to Server 2's LAN IP?

C:\>route add -p 0.0.0.0 mask 0.0.0.0 10.0.0.18

If not it won't know where to route non-LAN packets.

You can either set that or use a default gateway of 10.0.0.18 in Server 1's NIC Properties.

Or, to be more secure just add persistent routes to the routing table of Server1 that tell it how to get to the ISP DNS servers, if these are set as forwarders for Server 1's DNS service.

C:\>route add -p <ISP DNS Server 1 IP> mask 255.255.255.255 10.0.0.18
C:\>route add -p <ISP DNS Server 2 IP> mask 255.255.255.255 10.0.0.18

Try doing a traceroute from Server 1 to see what it does when trying to reach those ISP DNS servers.
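The check TJworld describes (does Server 1 actually send forwarder traffic to the ISA box at 10.0.0.18, or to the wrong default gateway?) can be automated against `route print` output. This is an added example, not from the thread: it parses a constructed Windows IPv4 routing table, performs longest-prefix matching with metric tie-break, and reports which gateway each forwarder would be sent to. The forwarder addresses (198.51.100.x) are constructed placeholders for the ISP DNS servers.

```python
import ipaddress
import re

# Constructed sample of a Windows "route print" IPv4 table for a Server 1
# like the one in the thread (10.0.0.2). Its default gateway is 10.0.0.1,
# not the ISA server, and only ONE forwarder has a host route via 10.0.0.18.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.2      20
         10.0.0.0    255.255.255.0         10.0.0.2        10.0.0.2      20
         10.0.0.2  255.255.255.255        127.0.0.1       127.0.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    198.51.100.53  255.255.255.255        10.0.0.18        10.0.0.2       1
Default Gateway:          10.0.0.1
===========================================================================
"""

# A route line is: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, metric) tuples; header/footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, _iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.IPv4Address(gw), int(metric)))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match; lower metric wins ties. None if nothing matches."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw)
    return best[1] if best else None

def check_forwarders(routes, forwarders, isa_lan_ip):
    """Map each forwarder to (gateway used, True if that gateway is the ISA box)."""
    isa = ipaddress.IPv4Address(isa_lan_ip)
    result = {}
    for fw in forwarders:
        gw = next_hop(routes, fw)
        result[fw] = (str(gw), gw == isa)
    return result
```

A forwarder that resolves to any gateway other than the ISA LAN address is one that still needs a persistent host route (or ISA as the default gateway) before the DNS service can reach it.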
 
rhandels commented:
Ok, then indeed, do what TJworld says and try to get a connection from Server 1 to the outside world by using a tracert (best is to first try on IP address and after that on DNS name). Then you can check whether you have a routing problem or the ISA is not letting DNS packets through.
 
mplattner (Author) commented:
Thank you for the help everyone.  I needed to set the packet filter rules on the ISA server and add a static route on Server 1.  Everything seems to be working well now!
