ISA 2006 - DNS publishing rule query

Hi, I have successfully configured my Win 2003 DC, which gets its internet access via my Win 2003/ISA 2006 Standard 2-NIC member server.

I have successfully configured 'DNS Server' publishing as per the instructions from 'url':


I realise the instructions below would not work from an 'internet cafe', as I would not be allowed to change their IP addressing scheme and their machines would not be recognised on my network!

If I was a VPN user, the scenario below would not fit, although I could allocate a static address; but as my network is on a domain with an ISA 2006/VPN/Windows group configuration, I would not be able to 'browse' to my laptop, as it would not be on my 'master DC/DNS', although yes, DHCP does allocate my VPN client an address, either dynamically or as a static address!

Question 1.
So can anyone advise what scenario I'm missing to fit with the instructions below?
1. Click the Firewall Policy tab, right-click the new server publishing rule that you created, and then click Properties.
2. Click the From tab, click Anywhere, click Remove, and then click Add.
3. In the Network entities dialog box, click New, and then click Computer.
4. In the Name box, type a descriptive name for the new computer rule element, type the computer's IP address in the Computer IP Address box, and then click OK.
5. Expand Computers, click the new computer element that you created, click Add, and then click Close.
6. Click OK.
7. Click Apply to save your changes and to update the firewall policy, and then click OK.

Can I check.

I am unsure from your question. Are you planning on publishing your internal DNS server to the internet? Assuming this is the case, you know this is a bad idea, don't you?

If it is just for your VPN clients, they will use your DNS server as soon as they are logged in.

Again, I may have misunderstood your question....
mikey250 (Author) Commented:
Hi, apologies for the confusion! :)

Test 1: visited a remote friend's house and used their internet, connecting my laptop via VPN successfully and accessing, saving and copying files!

Test 2: as a temporary measure, used my laptop/VPN connected via my 3 mobile phone and accessed, saved and copied files successfully!

Next task below:

Why does ISA 2006 offer the below if it is not recommended, as VPN is maybe the preferred method? Hmm.

- 'DNS Server' publishing - configured but fails
- 'HTTPS Server' publishing - not configured, as I think I need a website

I'm sure I read yesterday that DNS zone transfers could be performed by a hacker if DNS Server/HTTP Server publishing was used!

Hence my main thread shows steps 1-7 to allocate a 'static address', but this would not be relevant for an 'internet cafe', as they use their own IP address scheme! Hmm.

Just because ISA allows it does not mean it is a good idea. When I set my ISA up I did not even think about exposing my internal DNS servers.

"I'm sure I read yesterday that DNS zone transfers could be performed by a hacker if DNS Server/HTTP Server publishing was used!" Very true, which is why I would not do this.

I ended up with a split brain DNS. Kept internal DNS internal and used Zoneedit or an external server for outside DNS.

I would suggest this is the path you follow. Just to be on the safe side.
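Whether you rely on ISA's DNS attack filter or on the DNS server's own zone-transfer restrictions, the thing to verify is that an AXFR request arriving from the outside is refused. The following is an added example, not code from the thread or from ISA: it builds a DNS AXFR query by hand, parses the reply, and reports whether the server handed out the zone. The zone name `example.com`, the transaction ID and the two sample reply byte strings (one REFUSED, one leaky) are constructed for illustration so the parser can be exercised offline; `probe_axfr()` is the function you would run from an outside address against the published server.

```python
# Added example (not from the thread): a minimal AXFR probe to confirm a published
# DNS server refuses zone transfers.  Zone name, transaction ID and sample reply
# bytes are constructed for illustration.
import socket
import struct

QTYPE_AXFR = 252
QTYPE_SOA = 6
QTYPE_A = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """DNS message asking for a full zone transfer: QTYPE=AXFR, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QR=0, no flags set
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_reply(msg: bytes) -> dict:
    """Return the RCODE and the RR types in the answer section of one DNS message."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"rcode": flags & 0x0F, "answers": ancount, "types": types}


def assess(reply: dict) -> str:
    """Turn a parsed reply into a verdict.  A real AXFR begins with the zone's SOA."""
    if reply["rcode"] != 0:
        return "denied: " + RCODE_NAMES.get(reply["rcode"], str(reply["rcode"]))
    if reply["types"] and reply["types"][0] == QTYPE_SOA:
        return "ALLOWED: server returned %d records starting with SOA" % reply["answers"]
    return "no transfer: NOERROR but no SOA-led answer"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> str:
    """Send the AXFR over TCP (2-byte length prefix, RFC 5936) and judge the first
    reply message.  Run from OUTSIDE the firewall; needs the network, not used offline."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return assess(parse_reply(_recv_exact(sock, length)))


# Constructed sample replies for offline use (question section echoed back).
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
_PTR = b"\xc0\x0c"                                     # pointer to the question name
_SOA_RDATA = (encode_name("ns1")[:-1] + _PTR           # mname = ns1.example.com
              + encode_name("hostmaster")[:-1] + _PTR  # rname = hostmaster.example.com
              + struct.pack("!IIIII", 2024010101, 3600, 600, 86400, 300))
_SOA_RR = _PTR + struct.pack("!HHIH", QTYPE_SOA, 1, 3600, len(_SOA_RDATA)) + _SOA_RDATA
_A_RR = (encode_name("dc1")[:-1] + _PTR                # dc1.example.com -> 10.0.0.10
         + struct.pack("!HHIH", QTYPE_A, 1, 3600, 4) + bytes([10, 0, 0, 10]))

# A locked-down server: QR=1, RCODE=5 (REFUSED), no answers.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
# A leaky server: QR=1, AA=1, answers SOA, A, SOA (an AXFR is bracketed by the SOA).
LEAKY_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)
               + _QUESTION + _SOA_RR + _A_RR + _SOA_RR)

if __name__ == "__main__":
    print("locked down:", assess(parse_reply(REFUSED_REPLY)))
    print("leaky:      ", assess(parse_reply(LEAKY_REPLY)))
```

Point `probe_axfr("<public address of the published server>", "<your zone>")` at the rule from a host outside the ISA external network; anything other than a "denied" verdict means the whole zone is readable from the internet.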


mikey250 (Author) Commented:
Hi Chris, yes, I had a browse of this 'url' yesterday but did not read it all:


I will put it on my to-do list!

Question 1.
What companies would even do this then, although you say avoid it altogether?
I want to second chris-burns' comment.

Publishing DNS? You... just... don't!

Chris is laying out the correct process.

"Question 1.
What companies would even do this then, although you say avoid it altogether?"

In all the years I have dealt with this, which is getting close to a decade and a half, I am still waiting to find a company that really should do it. I haven't met one yet. A lot of companies do things that are not such a great idea, even large companies.

A company might have to have a DNS server available to the public if they handle their own DNS hosting for their own public namespace, but that's rare, and secondly, even then it would be a standalone DNS server placed on the "outside" of their network; it would not be their internal DNS.
mikey250 (Author) Commented:
OK, I can accept what you say! No problems! :)

I just wish I knew why, after configuring it in the firewall policy, it isn't until the next day that 'publishing failure' shows, but with repeat entries where it has automatically re-synced itself and appears OK!

Every time I learn something, I like to know that at least I can configure it rather than just chat about it! That's all!

The same with 'HTTPS Server' as well, but I gather I need a website for that?

Then I can close this thread once and for all and get out of my ignorant phase! :)
mikey250 (Author) Commented:
Hi Chris & pwindell, I've just been going through my ISA 2006 video course and my notes and found the following information regarding 'DNS zone transfers'.

In ISA 2006, under the Configuration/General option on the left-hand side, I selected, under 'Additional Security Policy':

'Enable Intrusion Detection and DNS Attack Detection', and 2 tabs show:

- Common Attacks tab: self-explanatory
- DNS Attacks tab: 'DNS zone transfer' - not ticked by default, so 'zone transfers' could happen, but if ticked, 'DNS zone transfer' would not be allowed, according to the video's verbal explanation!

So I assume from the above that if I wanted public users or an external company that was not part of my network, then other than using a 'VPN' I could then do this!

Can anyone advise? :)
I think if you had a dedicated DNS server on your network that was not attached to your AD, and its sole purpose was to provide outside resolution, then this would apply.

But I get the impression this is not what you want to do. Based on your question above, you appear to want to expose your AD DNS. Even without a zone transfer you are still exposing some potentially sensitive information. AD DNS holds a lot of information about the make-up of your internal network.

If I was running my own public DNS server on a Microsoft OS I would certainly place the server behind an ISA box and use the protection mechanisms mentioned above. But I would certainly not allow my AD DNS to be seen by the outside world, regardless of the protections offered.

The other thing is, your AD DNS should be resolving to your internal IP addresses. If you were to try and resolve them from outside, the routing would not work. You would need to expose external IP addresses... then in that case your internal clients would be picking up an external address and would not route properly.

Whilst technically it is possible, I really don't know why you would.

If you don't want to have an external company provide DNS for you, then set up a second, non-AD-connected box in your DMZ with DNS installed, then use the above protection mechanisms.


EDIT: I did type this quite quickly, so apologies for any grammar or spelling mistakes.
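The split-brain arrangement recommended in this thread means deciding, record by record, what may leave the AD-integrated zone and what must stay inside. The following is an added example, not code from the thread: it takes a zone's records, marks as internal anything that resolves to an RFC 1918 address, anything Active Directory registered (`_msdcs`, `_sites`, `_ldap._tcp` and so on), and anything that points at such a name, and renders the remainder as a zone file body you could hand to an outside provider. The zone `example.com`, the hostnames and all addresses in `SAMPLE_RECORDS` are constructed for illustration.

```python
# Added example (not from the thread): audit an AD-integrated zone before handing
# the public part to an outside DNS provider (the split-brain setup described above).
# Zone name, hostnames and addresses are constructed for illustration.
import ipaddress

# Address ranges that do not route from the internet: RFC 1918, loopback, link-local,
# and their IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Labels that only exist because Active Directory registered them.
AD_LABELS = {"_msdcs", "_sites", "_tcp", "_udp", "_ldap", "_kerberos", "_gc",
             "_kpasswd", "domaindnszones", "forestdnszones"}


def is_internal_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_ad_name(owner: str) -> bool:
    return any(label.lower() in AD_LABELS for label in owner.split("."))


def split_zone(records, origin: str) -> dict:
    """records: list of (owner, type, rdata) with owners relative to origin.
    Returns {"external": [...], "internal": [...], "reasons": {fqdn: why}}."""
    origin = origin.strip(".").lower()

    def fqdn(owner):
        return origin if owner == "@" else f"{owner.lower()}.{origin}"

    reasons = {}
    # Pass 1: records that are internal on their own merits.
    for owner, rtype, rdata in records:
        if rtype == "SRV" or is_ad_name(owner):
            reasons[fqdn(owner)] = "Active Directory service record"
        elif rtype in ("A", "AAAA") and is_internal_address(rdata):
            reasons[fqdn(owner)] = f"private address {rdata}"
    # Pass 2: anything whose target is an internal name would leak it too.
    for owner, rtype, rdata in records:
        if rtype in ("CNAME", "MX", "NS"):
            target = rdata.split()[-1].strip(".").lower()
            if target in reasons and fqdn(owner) not in reasons:
                reasons[fqdn(owner)] = f"points at internal name {target}"
    external = [r for r in records if fqdn(r[0]) not in reasons]
    internal = [r for r in records if fqdn(r[0]) in reasons]
    return {"external": external, "internal": internal, "reasons": reasons}


def render_zone(records, origin: str, ttl: int = 3600) -> str:
    """BIND-style zone file body for the records that go to the outside provider."""
    lines = [f"$ORIGIN {origin.strip('.')}.", f"$TTL {ttl}"]
    for owner, rtype, rdata in records:
        lines.append(f"{owner:<28} IN {rtype:<6} {rdata}")
    return "\n".join(lines) + "\n"


# Constructed sample: what an AD-integrated example.com zone typically contains.
SAMPLE_RECORDS = [
    ("@", "A", "203.0.113.10"),
    ("www", "A", "203.0.113.10"),
    ("mail", "A", "203.0.113.11"),
    ("@", "MX", "10 mail.example.com."),
    ("vpn", "A", "203.0.113.20"),
    ("dc1", "A", "10.0.0.10"),
    ("fileserver", "A", "192.168.1.20"),
    ("intranet", "CNAME", "fileserver.example.com."),
    ("_ldap._tcp.dc._msdcs", "SRV", "0 100 389 dc1.example.com."),
    ("_kerberos._tcp", "SRV", "0 100 88 dc1.example.com."),
    ("gc._msdcs", "A", "10.0.0.10"),
]

if __name__ == "__main__":
    result = split_zone(SAMPLE_RECORDS, "example.com")
    print(render_zone(result["external"], "example.com"))
    for name, why in sorted(result["reasons"].items()):
        print(f"keep internal: {name:<36} {why}")
```

The address check is written against explicit RFC 1918 ranges rather than Python's `is_private`, because the latter also treats documentation ranges such as 203.0.113.0/24 as private, which would hide public records in a test like this one.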
mikey250 (Author) Commented:
Thanks for that!