[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 732
  • Last Modified:

ISA 2006 blocking nslookup ls -d domain.com

I have a wierd problem.  I've allowed zone transfers from our primary DNS server to some specific IPs.  On of those IPs is a secondary DNS server that I control and is nat'd behind the same IP as my computer.  Zone transfers to this secondary DNS server are working fine and transfers are being requested from that server by the external IP of the primary dns server.  However when I do a nslookup to that same external IP and then "ls -d oneofourdomains.com" I get a strage response (see attached image).  If I do the same nslookup command to the servers interal IP (meaning I've taken the ISA firewall out of the equation) it works as it should (I see all zones).  I've tried disabling the dns filter but that didn't work.  Any thoughts?
nslookup.jpg
0
b_levitt
Asked:
b_levitt
  • 2
1 Solution
 
b_levittAuthor Commented:
Ok more to add.  It appears this is getting dropped because of :
FWX_E_TCP_NOT_SYN_PACKET_DROPPED

No rule is shown so I'm still thinking this is a filter problem.
0
 
b_levittAuthor Commented:
OK, I fixed it.  Other symtoms were 0x80074e24 FWX_E_CONNECTION_KILLED in the log.

In ISA Manager:
Configuration --> General -->
Enable Intrusion Detection and DNS Attach Detection -->
DNS Attacks Tab

I unchecked both "DNS host name overflow" and "DNS length overflow" (make sure  you wait a few seconds after applying this before trying again).  This makes some sense since this was a large domain, but I have no idea why this filter is being applied to OUTBOUND traffic.
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now