Re: DNS timeouts?
From: Herb Martin (news_at_LearnQuick.com)
Date: 02/07/05
- Next message: Herb Martin: "Re: DNS timeouts?"
- Previous message: Herb Martin: "Re: DNS timeouts?"
- In reply to: Mark Renoden [MSFT]: "Re: DNS timeouts?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 7 Feb 2005 15:50:17 -0600
"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:#iuwWoVDFHA.3324@TK2MSFTNGP15.phx.gbl...
> Hi Ted
>
> I normally just have my internal DNS server forward directly to the ISP. On
> the ISA Server, I point the internal NIC to the internal DNS server and
> don't bother setting a DNS server on the external NIC.
This is problematic if the ISA machine is a DOMAIN
machine (which it must be for AD integration).
In that case, not only should the internal NIC be set to
use the internal DNS -- it is now an INTERNAL client and
needs this -- but the EXTERNAL NIC must be set that
way also.
Frequently the external NIC is DHCP assigned which complicates
this, but if you type in a DNS Server setting on the ISA CLIENT
NIC it will override the one from the ISP.
Then you place the ISP in the ISA server setting for DNS or
you run a REAL DNS server (caching only, no zones needed)
on that machine.
> In this way, all
> requests go via the internal DNS server and then get forwarded to the ISP
> for external resolution.
That works (technically) but means that internal DNS servers
which are frequently DCs must pass the firewall which not
only complicates firewall definitions but is a security risk.
Sensitive internal machines should not generally visit the
internet.
> What was your motivation for caching on the ISA server?
Perhaps he read the Microsoft sales literature on the product.
<GRIN>
-- Herb Martin
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ted" <Ted@discussions.microsoft.com> wrote in message
> news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> > I have ISA 2004 working perfectly except that occasionally the client will
> > get a message back that the Gateway could not find an authoritative DNS
> > server for the domain....
> >
> > The client is querying an internal DNS and then it forwards to the caching
> > server on ISA. Everything is local to the client so the speed should be
> > there....I was thinking of increasing the DNS server forwarder timeout but
> > it is currently set to 5 seconds which should be enough??
> >
> > When I don't use ISA, the response is pretty fast so I'm not sure if this
> > is the right move.
> >
> > Any ideas?