

ISA 2006 - DNS publishing rule query

Posted on 2012-04-10
Medium Priority
Last Modified: 2012-04-14
Hi, I have successfully configured my Win 2003 DC, which gets its internet access via my Win 2003/ISA 2006 Standard 2-NIC member server.

I have successfully configured 'DNS Server' publishing as per the instructions from this URL:

- http://support.microsoft.com/kb/837833

I realise the below instructions would not work from an 'internet cafe', as I would not be allowed to change their IP addressing scheme and their machines would not be recognised on my network!

If I was a VPN user this scenario below would not fit, although I could allocate a static address; but as my network is on a domain with an ISA 2006/VPN/Windows group configuration, I would not be able to 'browse' to my laptop as it would not be on my 'master DC/DNS', although yes, 'DHCP' does allocate my VPN an address, either dynamically or a static address!

Question 1.
So can anyone advise what scenario I'm missing to fit with the below instructions?
1. Click the Firewall Policy tab, right-click the new server publishing rule that you created, and then click Properties.
2. Click the From tab, click Anywhere, click Remove, and then click Add.
3. In the Network entities dialog box, click New, and then click Computer.
4. In the Name box, type a descriptive name for the new computer rule element, type the computer's IP address in the Computer IP Address box, and then click OK.
5. Expand Computers, click the new computer element that you created, click Add, and then click Close.
6. Click OK.
7. Click Apply to save your changes and to update the firewall policy, and then click OK.
Question by:mikey250

Expert Comment

ID: 37831530
Can I check.

I am unsure from your question: are you planning on publishing your internal DNS server to the internet? Assuming this is the case, you know this is a bad idea, don't you?

If it is just for your VPN clients, they will use your DNS server as soon as they are logged in.

Again, I may have misunderstood your question...

Author Comment

ID: 37831849
Hi, apologies for the confusion! :)

Test 1: visited a remote friend's house and used their internet by connecting my laptop/VPN successfully, and accessing, saving and copying files!

Test 2: as a temporary measure, used my laptop/VPN connected to my 3 mobile phone and accessed, saved and copied files successfully!

Next task below:

Why does ISA 2006 offer the below if it is not recommended, as VPN is maybe the preferred method? Hmm...

- 'DNS Server' publishing - configured but fails
- 'HTTPS Server' publishing - not configured, as I need a website, I think

I'm sure I read yesterday that DNS zone transfers could take place by a hacker if DNS Server/HTTP Server publishing was used!

Hence my main thread shows steps 1-7 to allocate a 'static address', but this would not be relevant for an 'internet cafe' as they use their own IP address scheme! Hmm...

Accepted Solution

chris-burns earned 1332 total points
ID: 37831946

Just because ISA allows it does not mean it is a good idea. When I set my ISA up I did not even think about exposing my internal DNS servers.

"I'm sure I read yesterday that DNS zone transfers could take place by a hacker if DNS server/HTTP server was used!" Very true, which is why I would not do this.

I ended up with a split-brain DNS. Kept internal DNS internal and used ZoneEdit or an external server for outside DNS.

I would suggest this is the path you follow. Just to be on the safe side.

Author Comment

ID: 37831974
Hi Chris, yes I had a browse of this URL yesterday but did not read it all:

- http://www.isaserver.org/tutorials/you_need_to_create_a_split_dns.html

I will put it on my to-do list!

Question 1.
What companies would even do this then, although you say avoid it altogether?

Assisted Solution

pwindell earned 668 total points
ID: 37832788
I want to second chris-burns' comment.

Publishing DNS? You... just... don't!

Chris is laying out the correct process.

Question 1.
What companies would even do this then, although you say avoid it altogether?

In all the years I have dealt with this, which is getting close to a decade and a half, I am still waiting to find a company that really should do it; I haven't met one yet. A lot of companies do things that are not such a great idea, even large companies.

A company might have to have a DNS available to the public if they handle their own DNS hosting for their own public namespace, but, one, that's rare, and two, even then it would be a standalone DNS placed on the "outside" of their network; it would not be their internal DNS.

Author Comment

ID: 37834153
OK, I can accept what you say! No problems! :)

I just wish I knew why, after configuring it in the firewall policy, it isn't until the next day that 'publishing failure' shows, but with repeat entries where it has automatically 're-synced' itself and appears OK!

Every time I learn something I like to know that at least I can configure it rather than just chat about it! That's all!

The same with 'HTTPS Server' as well, but I gather I need a website for that?

Then I can close this thread once and for all and get out of my ignorant phase! :)

Author Comment

ID: 37836873
Hi Chris & pwindell, I've just been going through my ISA 2006 video course and my notes and found the following information regarding 'DNS zone transfers'.

In ISA 2006, under the Configuration/General option on the left-hand side, I selected under 'Additional Security Policy':

Enable Intrusion Detection and DNS Attack Detection, and 2 tabs show:

- Common Attacks tab: self-explanatory
- DNS Attacks tab: DNS zone transfer - not ticked by default, so 'zone transfers' could happen, but if ticked, 'DNS zone transfer' would not be allowed, according to the video's verbal explanation!

So I assume from the above that if I wanted public users or an external company that was not part of my network, then other than using a 'VPN' I could then do this!

Can anyone advise? :)

Assisted Solution

chris-burns earned 1332 total points
ID: 37837021
I think if you had a dedicated DNS server on your network that was not attached to your AD, and its sole purpose was to provide outside resolution, then this would apply.

But I get the impression this is not what you want to do. Based on your question above, you appear to want to expose your AD DNS. Even without a zone transfer you are still exposing some potentially sensitive information. AD DNS holds a lot of information about the make-up of your internal network.

If I was running my own public DNS server on a Microsoft OS I would certainly place the server behind an ISA box and use the protection mechanisms mentioned above. But I would certainly not allow my AD DNS to be seen by the outside world, regardless of the protections offered.

The other thing is, your AD DNS should be resolving to your internal IP addresses. If you were to try and resolve them from outside, the routing would not work. You would need to expose external IP addresses... then in that case your internal clients would be picking up an external address and would not route properly.

Whilst technically it is possible, I really don't know why you would.

If you don't want to have an external company provide DNS for you, then set up a second non-AD-connected box in your DMZ with DNS installed, then use the above protection mechanisms.


EDIT: I did type this quite quickly, so apologies for any grammar or spelling mistakes.
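
The two points chris-burns makes above (AD DNS leaks the make-up of the internal network even without a zone transfer, and its records resolve to addresses that do not route from outside) are easy to see on an actual zone. The script below is an added example for this thread, not code from ISA Server, Microsoft or any of the posters. It takes a constructed zone for example.com (internal hosts in 10.0.0.0/8, two public hosts in 203.0.113.0/24, in the "name TTL class type rdata" layout an AXFR or dnscmd /zoneexport would give), lists every record an outside client should never be able to see, and derives the trimmed "public" zone that a standalone external DNS would carry in a split-brain setup. The record selection rules (underscore-labelled AD service locators, RFC 1918 targets, MX hosts without a public address) are this example's own, not anything ISA enforces.

```python
"""
Audit what an AD-integrated zone would reveal if its DNS server were published
to the Internet, and derive the external (split-brain) view to serve instead.

Added example for this thread; not ISA Server, Microsoft or poster code.
SAMPLE_ZONE is constructed: example.com with RFC 1918 internal hosts and two
public hosts in the 203.0.113.0/24 documentation range.
"""
import ipaddress

# Constructed zone, approximating an AXFR of an AD-integrated zone.
SAMPLE_ZONE = """\
example.com.            3600 IN SOA   dc1.example.com. hostmaster.example.com. 42 900 600 86400 3600
example.com.            3600 IN NS    dc1.example.com.
example.com.            3600 IN A     10.0.0.10
dc1.example.com.        3600 IN A     10.0.0.10
fileserver.example.com. 3600 IN A     10.0.0.20
www.example.com.        3600 IN A     203.0.113.10
mail.example.com.       3600 IN A     203.0.113.25
example.com.            3600 IN MX    10 mail.example.com.
_ldap._tcp.example.com.             600 IN SRV   0 100 389 dc1.example.com.
_kerberos._tcp.example.com.         600 IN SRV   0 100 88 dc1.example.com.
_gc._tcp.example.com.               600 IN SRV   0 100 3268 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.   600 IN SRV   0 100 389 dc1.example.com.
"""

# RFC 1918 and link-local: addresses an outside client cannot route to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Labels that Active Directory's netlogon registration creates; on a
# published zone they tell an attacker where the DCs, GCs and KDCs are.
AD_SERVICE_LABELS = {"_ldap", "_kerberos", "_kpasswd", "_gc", "_msdcs",
                     "_sites", "_tcp", "_udp"}


def parse_zone(text):
    """Parse 'name TTL class type rdata' lines into record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def is_internal_address(text):
    """True for RFC 1918 / link-local addresses (not ipaddress.is_private,
    which also flags the 203.0.113.0/24 documentation range used here)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def audit_exposure(records):
    """Return (name, type, reason) for every record an outsider should not see."""
    internal_hosts = {r["name"] for r in records
                      if r["type"] == "A" and is_internal_address(r["rdata"])}
    findings = []
    for r in records:
        labels = r["name"].rstrip(".").split(".")
        if r["type"] == "SRV" or any(lab in AD_SERVICE_LABELS for lab in labels):
            findings.append((r["name"], r["type"],
                             "AD service locator record: names DCs and their ports"))
        elif r["type"] == "A" and is_internal_address(r["rdata"]):
            findings.append((r["name"], r["type"],
                             "resolves to internal address %s: unroutable from "
                             "outside, maps an internal host" % r["rdata"]))
        elif r["type"] in ("SOA", "NS"):
            target = r["rdata"].split()[0]
            if target in internal_hosts:
                findings.append((r["name"], r["type"],
                                 "names internal host %s as authoritative" % target))
    return findings


def external_view(records):
    """Records a standalone outside DNS (the split-brain public zone) may carry.
    SOA/NS are dropped: the external server issues its own."""
    def public_a(host):
        return any(x["type"] == "A" and x["name"] == host
                   and not is_internal_address(x["rdata"]) for x in records)

    keep = []
    for r in records:
        labels = r["name"].rstrip(".").split(".")
        if any(lab.startswith("_") for lab in labels) or r["type"] in ("SRV", "SOA", "NS"):
            continue  # service locators and internal authority data stay inside
        if r["type"] == "A" and is_internal_address(r["rdata"]):
            continue
        if r["type"] == "MX" and not public_a(r["rdata"].split()[1]):
            continue  # an MX pointing at an unreachable host is useless outside
        keep.append(r)
    return keep


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("Records an outside client must not be able to see:")
    for name, rtype, reason in audit_exposure(zone):
        print("  %-36s %-4s %s" % (name, rtype, reason))
    print("\nExternal zone to publish from a standalone DNS instead:")
    for r in external_view(zone):
        print("  %-36s %-4s %s" % (r["name"], r["type"], r["rdata"]))
```

Run as-is, it flags nine of the twelve records (the four SRV locators, the three A records in 10.0.0.0/8, and the SOA/NS that name dc1 as authoritative) and leaves a public zone of just www, mail and the MX; those three are what an external provider or a non-AD box in the DMZ should serve, with its own SOA/NS. Ticking "DNS zone transfer" in ISA's DNS Attacks tab only blocks AXFR; every flagged record is still answerable one query at a time, which is the point of keeping the AD zone off the published server altogether.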

Author Comment

ID: 37837130
Thanks for that!
