Recommended DNS setup for an ISA/Forefront TMG server

I have a Forefront 2010 server in place as a web proxy server. Every few weeks, I notice that our web monitoring server reports false alarms and outages. The 'outages' last for about a minute, then return to normal.
Usually this is resolved by restarting the ISA server, or moving around the DNS server preference order.
My question is this: What is the recommended/best practice DNS setup? The ISA/Forefront has a LAN and a WAN NIC. Currently, I have the LAN NIC set to use the internal DCs for DNS and also the ISP DNS servers as a lower priority. The WAN NIC uses our ISP DNS servers.

I have read in some docs that it is better to install DNS on the ISA server and let it handle DNS itself, instead of the internal DNS servers doing it?

Chris (Lead Infrastructure Architect) commented:
The recommended setup for TMG where you have two NICs, one internal and one external, is that the external NIC has a default gateway and no DNS, and the internal NIC has no gateway and internal DNS, and you make sure your internal DNS works fine.

You would then put static routes back to the internal networks. I wouldn't install a DNS server on your ISA server.

sherryfitzgroup (Author) commented:
Thanks for your input. I already have the LAN nic with no gateway.
If I change the WAN nic to have no DNS and just a gateway (in this case a Cisco ASA), where do the DNS requests go from it?
Does it just use the DNS servers of the ASA?
Chris (Lead Infrastructure Architect) commented:
No, it will use internal DNS to resolve the address and then route according to the routing table.

Keith Alabaster (Enterprise Architect) commented:

The ISA will look to the internal DNS server, same as the internal clients will.
The internal DNS servers use the lookups of your ISP set within the DC dns manager.
Keith Alabaster (Enterprise Architect) commented:
Just make sure you have an access rule allowing DNS from localhost to internal.
sherryfitzgroup (Author) commented:
Great, thanks. Hopefully it will stop the 'outages' reported by our monitoring server.
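
The layout recommended in this thread (external NIC: default gateway and no DNS; internal NIC: no gateway and internal DNS only) can be checked with a short script. This is an added example, not part of any post above; the function name `Test-TmgDnsLayout`, the rule that the NIC holding the default gateway is the external one, and all addresses are assumptions made for illustration.

```powershell
# Added example: audit NIC DNS/gateway layout on a two-NIC TMG host.
# PowerShell 2.0 compatible. All addresses below are constructed placeholders.
$InternalDns = @('10.0.0.10', '10.0.0.11')   # assumption: your internal DNS servers

function Test-TmgDnsLayout {
    param([object[]]$Adapters, [string[]]$InternalDns)
    foreach ($a in $Adapters) {
        $gw  = @($a.DefaultIPGateway     | Where-Object { $_ })
        $dns = @($a.DNSServerSearchOrder | Where-Object { $_ })
        if ($gw.Count -gt 0) {
            # NIC with the default gateway is treated as external: no DNS servers expected
            if ($dns.Count -gt 0) {
                "[$($a.Description)] external NIC has DNS servers set: $($dns -join ', ')"
            }
        } else {
            # NIC without a gateway is treated as internal: internal DNS only
            if ($dns.Count -eq 0) {
                "[$($a.Description)] internal NIC has no DNS servers set"
            }
            foreach ($d in $dns) {
                if ($InternalDns -notcontains $d) {
                    "[$($a.Description)] internal NIC lists non-internal DNS server $d"
                }
            }
        }
    }
    $withGw = @($Adapters | Where-Object { $_.DefaultIPGateway })
    if ($withGw.Count -ne 1) {
        "expected exactly one NIC with a default gateway, found $($withGw.Count)"
    }
}

# Constructed sample mirroring the configuration described in the question.
$sample = @(
    (New-Object PSObject -Property @{ Description = 'LAN'; DefaultIPGateway = $null
        DNSServerSearchOrder = @('10.0.0.10', '198.51.100.53') }),
    (New-Object PSObject -Property @{ Description = 'WAN'; DefaultIPGateway = @('192.0.2.1')
        DNSServerSearchOrder = @('198.51.100.53') })
)

# On the TMG host, replace $sample with the live adapter list:
#   Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
$findings = @(Test-TmgDnsLayout -Adapters $sample -InternalDns $InternalDns)
if ($findings.Count -eq 0) { 'Layout matches the recommendation.' } else { $findings }
```

Run against the constructed sample, it reports the ISP resolver on the LAN NIC and the DNS servers on the WAN NIC, the two settings the answers above say to remove.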