Which ports do I open up in ISA Server for external DNS name servers

Posted on 2006-06-08
Last Modified: 2010-05-18
I have SBS 2003 with ISA installed on it... I am doing my own name server work on the same machine... I have done it before with a regular server... I have my DNS and forwarding zones correct, but it does not work with dnsreport... I know it's an ISA Server issue.

Which ports do I need to open up in order for everything to work?

domain is


Mark Williams
Question by:kooleecoyote
    LVL 13

    Assisted Solution

    Port 53/UDP for DNS.

    Open it from External to Internal/Localhost and other way round as well.

    Author Comment

    still not working
    LVL 13

    Expert Comment

    Your SBS has two network cards in it.

    One would have Public IP and second will have private.

    Is your Public IP External NIC).

    Check in DNS properties, if it's listening on both interfaces and not just on internal.


    Author Comment

    OK... I did that also...
    On the dns reports it says this:
    Your NS records at your nameservers are:

    [None of your nameservers returned your NS records; they could be down
     or unreachable, or could all be lame nameservers

    this is info

    then a warning:

    WARNING: At least one of your nameservers did not return your NS records (it reported 0 answers). This could be because of a referral, if you have a lame nameserver (which would need to be fixed). returns 0 answers (may be a referral) returns 0 answers (may be a referral)

    then a few lines down.... a failure..

    ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:

    this has to be ISA SERVER.... I should have gotten all this working before I installed it
    LVL 26

    Assisted Solution

    by:Leon Fester
    Use the monitoring tool in ISA to see what it is blocking.

    Enable the monitor to display realtime results and then try to update your DNS server manually.

    You should then be able to see what ISA is blocking and what rule is being applied.

    Access the monitoring tool by.
    Selecting "Monitoring"
    Select the "Logging" Tab
    Set the query for:
    Log Record Type: Firewall and Web Proxy Filter
    Log Time: Live

    Click "Start Query"

    This way you will know if the correct ports are open, and if not, open them accordingly.
    LVL 11

    Expert Comment

    53 UDP is for regular DNS requests.

    However, some systems do resort to using 53 TCP, and 53 TCP is also utilized for zone transfers.
    LVL 7

    Expert Comment


    I am assuming it is an ISA Server 2004.

    Create a Rule on the ISA server, From External and Localhost to External and Localhost allow DNS(UDP 53).

    LVL 51

    Expert Comment

    use a sniffer (like ethereal) to check which ports and protocols your DNS uses (reading the docs or using the nice click&go GUI would be another method:)
    Following requirements could be there:
       - port 53 UDP, both directions
       - TCP port 53 in both directions
       - TCP destination port 53 with any local port
       - any combination of the above
    If you don't know, open UDP port 53 in both directions *and* TCP port 53 in both directions *and* TCP destination port 53 from any local port in both directions.
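
An added example, not part of any post in this thread: a small probe that sends the same non-recursive NS query over UDP 53 and TCP 53 and reads the reply header, so a firewall drop (no reply) can be told apart from the "0 answers (may be a referral)" case that dnsreport showed. The function names and the script name `dnsprobe.py` are hypothetical; run it from outside the firewall against the server's public IP and your own zone name.

```python
import socket
import struct
import sys

def build_ns_query(zone, txid=0x1234):
    """Encode a non-recursive (RD=0) NS query for `zone`."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 2, 1)  # QTYPE=NS, QCLASS=IN

def classify(reply):
    """Interpret the 12-byte DNS header of a reply to the NS query."""
    if len(reply) < 12:
        return "malformed"
    _, flags, _, ancount, nscount, _ = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0x000F:
        return "error rcode=%d" % (flags & 0x000F)
    if flags & 0x0200:  # TC bit: a resolver will retry over TCP 53
        return "truncated"
    if flags & 0x0400 and ancount > 0:  # AA set and NS records returned
        return "authoritative"
    if not flags & 0x0400 and ancount == 0 and nscount > 0:
        return "referral (lame for this zone)"
    return "0 answers"

def probe(server, zone, timeout=3.0):
    """Ask over UDP 53 and TCP 53; a timeout on either points at the firewall."""
    query, result = build_ns_query(zone), {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            result["udp"] = classify(s.recvfrom(4096)[0])
    except OSError as exc:
        result["udp"] = "no reply (%s)" % exc
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP adds a length prefix
            result["tcp"] = classify(s.makefile("rb").read(14)[2:])
    except OSError as exc:
        result["tcp"] = "no reply (%s)" % exc
    return result

if __name__ == "__main__":
    # Usage: python dnsprobe.py <nameserver-public-ip> <zone>
    for transport, verdict in probe(sys.argv[1], sys.argv[2]).items():
        print("%-3s 53: %s" % (transport, verdict))
```
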
    LVL 1

    Expert Comment

    Also look at your LAT, and make sure you have the default GW on the Public NIC only.
    LVL 25

    Accepted Solution

    You have to allow the protocol incoming and outgoing first...

    Then create an outgoing traffic rule.

    It's a two step process...

    Simply enabling 53 won't do it in ISA.


    Author Comment

    I actually had my registrar do my DNS.. but still had problems doing other things with ISA installed. Decided to uninstall it until I get everything working first.. then I'll try to put it on again after my vacation (heading down to the storm in Florida)... Thanks for your input and I will surely be asking more questions after I get it installed again.

