Solved

DNS ISSUES ON ISA2004

Posted on 2009-05-19
Last Modified: 2012-05-07
I got a problem with a client of mine where clients can't use Internet Explorer to view certain websites, including www.microsoft.com; use Firefox and it works. When I check the DNS on my ISA server I get the following result:

C:\Documents and Settings\Administrator.DSBAD>ping www.microsoft.com
Ping request could not find host www.microsoft.com. Please check the name and try again.

C:\Documents and Settings\Administrator.DSBAD>nslookup
Default Server:  rndf-ip-dns-4.saix.net
Address:  196.43.42.190

> www.microsoft.com
Server:  rndf-ip-dns-4.saix.net
Address:  196.43.42.190

Non-authoritative answer:
Name:    lb1.www.ms.akadns.net
Addresses:  65.55.21.250, 65.55.12.249
Aliases:  www.microsoft.com, toggle.www.ms.akadns.net
          g.www.ms.akadns.net

>


Any ideas?
Question by:technolutions
10 Comments
 
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 24422861
Are your clients SNAT clients, or are they using ISA2004 as a proxy server?
This would decide whether the clients are themselves trying to resolve names or letting ISA do the name resolution.
0
 

Author Comment

by:technolutions
ID: 24424294
They are using ISA as their proxy server.
0
 
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 24424637
Well, then try resolving these names from ISA. Is ISA pointing to local DNS for Name Resolution or ISP? Have you tried replacing the ISP DNS with 4.2.2.2 to see if that helps etc.?
0
 

Author Comment

by:technolutions
ID: 24424981
That cmd dump is from the ISA server. I tried putting in multiple other DNS servers without any luck. I really don't understand this: when I ping www.microsoft.com it doesn't come back with an IP, but when I do an NSLOOKUP it does?
0
 
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 24425544
Can you give me the ipconfig /all of your ISA Server? Remove the extra information. Keep the internal information.
0

 

Author Comment

by:technolutions
ID: 24428786
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ******
   Primary Dns Suffix  . . . . . . . : dsbad.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : dsbad.local

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DGE-528T Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 00-1E-58-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 196.15.***.***
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   IP Address. . . . . . . . . . . . : 196.15.***.***
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   IP Address. . . . . . . . . . . . : 196.15.***.***
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   IP Address. . . . . . . . . . . . : 196.15.***.***
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 196.15.***.***
   DNS Servers . . . . . . . . . . . : 196.43.42.190
                                       196.43.34.190

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-1C-C0-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.6
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.8


10.0.0.8 is our internal DNS server
0
 
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 24431396
Do you have a rule which allows the Local Host to go out and connect to the Internet?
Looking at the initial comment, it seems ISA can go out. At the NSLookup prompt, type Server 10.0.0.8 and then type Microsoft.com

Is your Internal Server able to resolve DNS names?

Also, have you allowed only HTTP and FTP from inside out, or all protocols? At least add DNS for the Domain Controller so that it can send DNS queries out.
Also, go into NCPA.CPL and then Advance Properties. Try and switch the NIC order. Add 4.2.2.2 as an Additional Server in the ISA. Add it in Internal DNS Forwarders as well.
0
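The per-server check suggested in the comment above, written out as an added example that is not part of the original thread: it reads the DNS servers of each adapter from `ipconfig /all` text and asks every server directly, the way `nslookup` does, which separates a server that does not answer from a name that does not exist. The sample text is trimmed from the output posted earlier in the thread; the function names are hypothetical.

```python
import re
import socket
import struct

# Constructed sample: trimmed from the `ipconfig /all` output posted in this thread.
SAMPLE = """\
Ethernet adapter External:
   DNS Servers . . . . . . . . . . . : 196.43.42.190
                                       196.43.34.190
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 10.0.0.6
   DNS Servers . . . . . . . . . . . : 10.0.0.8
"""
IPV4 = r"\d+\.\d+\.\d+\.\d+"

def dns_servers_by_adapter(text):
    """Map adapter name -> DNS servers listed in `ipconfig /all` text."""
    servers, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        header = re.match(r"\S.*adapter (.+):\s*$", line)
        if header:
            adapter, in_dns = header.group(1), False
            servers[adapter] = []
        elif adapter and "DNS Servers" in line:
            in_dns = True
            servers[adapter] += re.findall(IPV4, line)
        elif in_dns and re.fullmatch(r"\s+" + IPV4 + r"\s*", line):
            servers[adapter].append(line.strip())  # continuation line
        else:
            in_dns = False
    return servers

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query for one name."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD flag set
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # type A, class IN

def classify_reply(reply):
    """Summarise a DNS reply header: RCODE and answer count."""
    flags, _questions, answers = struct.unpack(">HHH", reply[2:8])
    rcode = flags & 0xF
    return "answered" if rcode == 0 and answers else f"rcode {rcode}, {answers} answers"

def query_server(server, name, timeout=3.0):
    """Ask one server directly over UDP/53, bypassing the OS resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify_reply(s.recvfrom(512)[0])
        except (OSError, struct.error):  # timeout, unreachable, or truncated reply
            return "no reply"

if __name__ == "__main__":
    for adapter, servers in dns_servers_by_adapter(SAMPLE).items():
        for server in servers:
            print(adapter, server, query_server(server, "www.microsoft.com"))
```
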
 

Author Comment

by:technolutions
ID: 24431658
When I do the NSLOOKUP it times out as well. I double checked my rules and DNS is definitely allowed. I added 4.2.2.2 and played with the order but still no change.
0
 
LVL 12

Accepted Solution

by:
Amit Bhatnagar earned 500 total points
ID: 24431709
Which means your internal DNS Server is NOT able to go out. Whatever Internet that you are getting is through the proxy. I think if we resolve this, we should be able to fix this issue. Is your internal DNS Server pointing to the ISA for the Default Gateway? Do you have any other firewall besides ISA in your network? What are you using in your DNS, Forwarders or Root Hints, to resolve the names?
0
 
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 24451038
Thanks for accepting the answer. Can you please share the solution as well in case it got resolved so that others can benefit from it..:)

Regards,
Amit Bhatnagar.
0
