Internal DNS Server behind ISA Server

Posted on 2004-11-18
Last Modified: 2010-04-19
How do you configure an internal DNS server to resolve internal and external IP addresses when that server has no direct access to the Internet?


Server 1 - Windows 2003 Domain Controller

This is a Windows 2003 Server with AD integrated DNS that handles all name resolution for our internal network.  This server is the domain controller and has no direct connection to the Internet. All internet access for this server is handled by a Windows 2003 server running ISA 2000.

Network card
IP -

I set up forwarders to our ISP's DNS servers but I don't think this server can access them or the root DNS servers.


Server 2 - Windows 2003 w/ ISA 2000

This computer has ISA loaded and working, but only if I set the cards up in the following configuration and bind order.

Second Network card
IP - Public Address from ISP
DNS - ISP's DNS Server

First Network card
IP -

This computer can access the Internet and resolve internal and external names.  I'd like to change the bind order and remove the ISP DNS information from card 2, but I can't do that until I get our Internal DNS server to work properly.
Question by: mplattner
    LVL 23

    Expert Comment


    You would have to create a protocol rule that allows Server 1 to contact the outside world using DNS. To do this, first of all create a "host set" (not quite sure what it's called, I'm not behind an ISA server now); this is a policy element. Then create a protocol allow rule that allows the server to access all locations using UDP port 53. This should do the trick.

    Although I would use the ISA server to do the DNS resolution, because I guess your ISA is your proxy server and all machines are configured to use either a proxy server or the default gateway, so they will always connect to the ISA server when going to the Internet. This way your internal DNS server's security will not be jeopardized and it will not lose performance.

    Author Comment

    I added the publishing rules and the protocol rule on the ISA server, but Server 1 is still not working correctly.  It doesn't seem to be trying to use the ISA server at all for DNS forwarding.  It only uses the ISA server for Internet access.  For example, if I ping <external IP> from Server 1 it tries to send it through the default gateway on our internal network.  Opening Internet Explorer and browsing around works fine.

    Do you think it would be easier (and better) to move DNS to the ISA server?  What would be involved in moving the AD integrated DNS from Server 1 to the ISA server?
    LVL 23

    Expert Comment

    No, don't move the internal DNS server from the DC to ISA; just let the DC do internal DNS resolution. But for external DNS resolution (to the Internet, for example) use the ISA server. Just let the external DNS servers be placed on the external interface of the ISA server.

    Author Comment

    Our ISA server is already able to resolve external names by using our ISP's DNS servers.  

    The problem is I'm forced to have DNS info on both network cards on the ISA server and I had to change the network adapter binding order.

    ISA Server Net Card 2
    IP - public address
    DNS - ISP DNS Servers  <-- used to resolve external names

    ISA Server Net Card 1
    IP -
    DNS - <-- seems to not even be used by the ISA server


    The ISA server only uses the ISP DNS and can only resolve external names.  I have to use WINS for internal name resolution.  

    I've been told that the best practice is to set ISA to point to the internal DNS server for the network, and then use forwarders on that DNS server to resolve external IP addresses.  I can't do that though, since my internal DNS server doesn't seem to work properly (i.e. isn't using root servers or forwarders) since it doesn't have a direct Internet connection.
    LVL 5

    Assisted Solution

    Has Server 1 got a default route set that points to Server 2's LAN IP?

    C:\>route add -p mask

    If not it won't know where to route non-LAN packets.

    You can either set that or use a default gateway of  on Server1's NIC Properties.

    Or, to be more secure just add persistent routes to the routing table of Server1 that tell it how to get to the ISP DNS servers, if these are set as forwarders for Server 1's DNS service.

    C:\>route add -p <ISP DNS Server 1 IP> mask
    C:\>route add -p <ISP DNS Server 2 IP> mask

    Try doing a traceroute from Server1 to see what it does when trying to reach those ISP DNS servers.
    LVL 23

    Accepted Solution

    OK, then indeed, do what TJWorlds says and try to get a connection from Server1 to the outside world by using a tracert (best is to first try an IP address and after that a DNS name). Then you can check whether you have a routing problem or the ISA is not letting DNS packets through.
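The tracert advice above checks the path; the following is an added diagnostic (not code from this thread or from ISA Server) that does the same check at the DNS layer. Run from Server 1, it sends a single recursive A query over UDP/53 straight to a forwarder address and reports one of three outcomes: the send itself fails (no local route), nothing comes back within the timeout (the route is wrong or a packet filter on the ISA server is dropping UDP/53), or a real DNS reply arrives, in which case the forwarder is reachable and any remaining problem is in the DNS configuration. The forwarder address and the test name are placeholders; the two sample responses at the bottom are constructed so the parser can be exercised without any network.

```python
"""Probe a DNS forwarder over UDP/53 from behind a firewall and tell a
routing/packet-filter failure apart from a DNS-level failure.
Added example; the forwarder IP and test name are placeholders."""
import random
import socket
import struct

DNS_PORT = 53


def encode_name(name):
    """Encode 'www.example.com' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Return (txid, wire bytes) for a recursive query (flags: RD=1)."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack(">HH", qtype, 1)


def skip_name(data, offset):
    """Advance past a (possibly compressed) name; return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid):
    """Return {'rcode': int, 'answers': [IPv4 strings]} from a DNS response."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        offset = skip_name(data, offset) + 4
    answers = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:      # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def probe_forwarder(forwarder_ip, name="www.example.com", timeout=3.0):
    """Send one query to forwarder_ip:53 and classify what came back."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (forwarder_ip, DNS_PORT))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            # Silent drop: bad route beyond this host, or a filter eating UDP/53.
            return {"status": "NO_RESPONSE", "rcode": None, "answers": []}
        except OSError as exc:
            # e.g. "No route to host" straight from the local routing table.
            return {"status": f"SEND_FAILED: {exc}", "rcode": None, "answers": []}
    result = parse_response(data, txid)
    result["status"] = "ANSWERED" if result["rcode"] == 0 else "DNS_ERROR"
    return result


# Constructed sample responses (txid 0x1234) so the parser runs offline.
_QUESTION = build_query("www.example.com", txid=0x1234)[1][12:]
SAMPLE_A_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    print(parse_response(SAMPLE_A_RESPONSE, 0x1234))      # offline demo
    # print(probe_forwarder("<ISP DNS Server 1 IP>"))   # live check from Server 1
```

Running the live probe against each forwarder address before and after adding the persistent routes and the ISA packet filter shows which of the two fixes was still missing: a `NO_RESPONSE` that turns into `ANSWERED` after the route is added points at routing; one that only clears after the ISA rule points at the filter.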

    Author Comment

    Thank you for the help everyone.  I needed to set the packet filter rules on the ISA server and add a static route on Server 1.  Everything seems to be working well now!
