Common DNS Issues in VPN Networking

 

DNS issues comprise a major portion of connectivity problems related to ISA Server 2000 firewalls and VPN servers. ISA Server firewall/VPN servers and clients use DNS host name resolution to resolve both internal and external network names. While any discussion of DNS has the potential to become overly complex, there are some common DNS issues related to ISA Server firewall/VPN server clients that can be solved relatively easily.

 

We will discuss the following subjects in this ISA Server 2000 VPN Deployment Kit document:

 

  • VPN client DNS problems
  • VPN gateway DNS problems
  • Configuring an internal DNS server to resolve Internet DNS host names
  • Configuring a caching-only DNS server on the ISA Server firewall/VPN server
  • Configuring DNS settings on VPN and internal network clients

 

VPN Client DNS Problems

 

VPN client DNS name resolution issues include:

 

  • VPN clients unable to resolve internal network names
  • VPN clients unable to resolve Internet host names

 

VPN Clients Unable to Resolve Internal Network Names

 

Internal network names are computer and other device names on your internal network. VPN clients connect to the ISA Server firewall/VPN server with the goal of accessing resources on the internal network. VPN clients will not be able to access these resources using a DNS host name if the client cannot properly resolve that name to an IP address.

 

The following is a list of the most common internal network DNS name resolution problems and solutions encountered for VPN clients.

 

         VPN clients not assigned DNS server address

 

VPN clients will not be able to resolve DNS host names on the internal network if they are not assigned a DNS server address by the ISA Server firewall/VPN server. In most cases, the VPN client already has a DNS server address assigned to it. However, that DNS server address does not resolve names on the corporate network because that DNS server is intended to resolve names on the network the VPN client computer is attached to before connecting to the ISA firewall/VPN server, or to resolve only Internet host names.

 

The solution to this problem is to configure the ISA Server firewall/VPN server to assign a DNS server address to the VPN clients. The ISA Server 2000 VPN Deployment Kit documents Configuring the DHCP Relay Agent to Support VPN Client TCP/IP Addressing Options and Configuring the Windows Server 2003 ISA Server 2000/VPN Server describe how to assign the addresses of DNS servers on the internal network that can resolve internal network DNS host names.

 

         VPN client assigned incorrect DNS server address

 

The VPN client that cannot resolve internal network names may have been assigned an incorrect DNS server address. Check the DNS server address assigned to the VPN client. If an incorrect address was assigned to the client, make the appropriate correction at either the DHCP server or the internal interface of the ISA Server firewall/VPN server.

 

         Split tunneling is enabled

 

Split tunneling is enabled when the VPN client is not required to use the VPN virtual PPP interface as its default gateway. This allows the VPN client to directly access both the Internet and the corporate network. When the VPN client is not configured to use the default gateway on the remote network, name resolution for internal network resources may fail.

 

The solution to this problem is to disable split tunneling and force firewall policy on the VPN clients using the procedures described in ISA Server 2000 VPN Deployment Kit document Forcing Firewall Policy on VPN Clients.

 

         VPN client cannot resolve unqualified names

 

An unqualified DNS query is one where the query is for a computer name without the domain name. For example, the VPN client may wish to use the Web browser to access a Web server on the internal network. The user types in the URL http://SERVER1 and is unable to connect.

 

The DNS resolver software on the VPN client must be able to append a DNS suffix to the computer name before sending the name for resolution. If the resolver is unable to append a domain name, it will forward the unqualified request to the DNS server for resolution. Unless the DNS server is configured with a WINS referral zone that can resolve these kinds of unqualified requests, the name resolution attempt will fail and so will the connection.
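To make the resolver behaviour described above concrete, here is an added example in Python (not code from this Deployment Kit document) that models a simplified Windows-style client resolver: it appends each suffix from a search list to the unqualified name and, only when it has nothing to append, sends the bare name to the DNS server, which can answer such a query only through a WINS referral zone. The zone records, suffix lists and WINS table are constructed for illustration, and the model leaves out name devolution and other resolver options.

```python
"""Simplified model of how a VPN client's DNS resolver handles an unqualified name.

Added example for this discussion, not code from the ISA Server 2000 VPN
Deployment Kit. The zone, suffix lists and WINS table are constructed stand-ins.
"""

# Constructed records held by the internal network DNS server (internal.net zone).
INTERNAL_ZONE = {
    "server1.internal.net.": "10.0.0.10",
    "www.internal.net.": "10.0.0.20",
}

# Constructed WINS database, consulted only if the DNS server has a WINS referral zone.
WINS_TABLE = {"SERVER1": "10.0.0.10"}


def dns_server_lookup(qname, wins_referral=False):
    """Answer one query as the internal DNS server would.

    A query that still has a single label (an unqualified name the client
    sent unchanged) cannot match any DNS zone; it is answerable only if the
    server has a WINS referral zone. Otherwise the result is name-not-found.
    """
    if "." not in qname.strip("."):
        return WINS_TABLE.get(qname.upper()) if wins_referral else None
    return INTERNAL_ZONE.get(qname.lower().rstrip(".") + ".")


def resolve(name, suffix_search_list, wins_referral=False):
    """Resolve `name` the way the client resolver does and log every query sent.

    Returns (address or None, list of query names sent). A single-label name
    is treated as unqualified: each suffix in the search list is appended in
    order; if the list is empty the resolver has nothing to append and sends
    the bare name. A name containing a dot is sent as-is (this model skips
    name devolution and other Windows resolver options).
    """
    queries_sent = []
    if "." in name.strip("."):
        candidates = [name]
    elif suffix_search_list:
        candidates = [f"{name}.{suffix}" for suffix in suffix_search_list]
    else:
        candidates = [name]  # nothing to append: bare unqualified query
    for candidate in candidates:
        queries_sent.append(candidate)
        address = dns_server_lookup(candidate, wins_referral)
        if address is not None:
            return address, queries_sent
    return None, queries_sent
```

With an empty search list the only query sent is the bare SERVER1, which fails unless the server has a WINS referral zone; once internal.net is in the list the first query is SERVER1.internal.net and it succeeds. Assigning the VPN client a primary DNS suffix or a suffix search list is what puts that entry in place.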

 

*       Note:
Please refer to Configuring DNS client settings for more information on the Windows Server 2003 DNS resolver.

 

The VPN clients should be configured with a primary domain name that they can append to unqualified requests. There are several methods you can use to assign a domain name to the VPN client:

 

 

*       Note:
Please refer to How to Configure a Domain Suffix Search List on the Domain Name System Clients for more information on how to configure a DNS suffix search list on VPN client adapters.

 

         VPN client resolves internal network names to external addresses

 

Many organizations use the same domain name for internal and external network resources. For example, you may host a public DNS server named www.internal.net. The server is accessible from the Internet by connecting to its public IP address. Internal network clients can also connect to the same server by using the same name, www.internal.net. When a VPN client tries to connect to www.internal.net, it is unable to connect to the server by that name on the internal network, or it connects to the public server by the same name.

 

The problem is that the VPN client is trying to resolve internal network names using a public DNS server. This can happen when the VPN server assigns the VPN client a DNS server address that is not an internal network DNS server, or assigns no DNS server address at all.

 

The solution to this problem is to confirm that the VPN clients are assigned a DNS server address that can resolve internal network names.

 

VPN Clients Unable to Resolve Internet Host Names

 

         VPN clients not assigned DNS server address

 

VPN clients depend on the ISA Server firewall to grant them access to the Internet when split tunneling is disabled, as described in the ISA Server 2000 VPN Deployment Kit article Forcing Firewall Policy on VPN Clients. If VPN clients are granted access to the Internet via the ISA Server firewall but still cannot resolve Internet host names, then the problem is that the ISA Server firewall itself is unable to resolve Internet host names.

 

The solution is to configure the ISA Server firewall with a DNS server address that can resolve Internet DNS host names.

 

         VPN clients assigned incorrect DNS server address

 

VPN clients may be assigned an incorrect DNS server address. This could be due to typing in an incorrect DNS server address on the internal interface of the ISA Server firewall/VPN server, or from typing the incorrect address in the DHCP scope option. The solution is to confirm that a correct DNS server address is assigned to the VPN clients.

 

         VPN clients assigned to DNS server that cannot resolve Internet Host names

 

VPN clients may be assigned a valid DNS server address, but the DNS server is not correctly configured to resolve Internet host names. You may think the solution to this problem is to configure the VPN clients to use another DNS server or to correctly configure the internal DNS server to resolve Internet DNS host names, but this is not the case.

 

VPN clients with split tunneling disabled must use the ISA Server firewall to access the Internet, and the ISA Server firewall must resolve Internet names on behalf of the VPN clients. The solution to this problem is to configure the ISA Server firewall/VPN server to use a DNS server that can resolve Internet host names.

 

*       Note:
The procedure for configuring an internal network DNS server to resolve Internet DNS host names is described later in this ISA Server 2000 VPN Deployment Kit document.

 

         ISA Server firewall/VPN Server configured with DNS server address that cannot resolve Internet host names

 

This is the core problem in all instances where the VPN clients are configured as Web Proxy or Firewall clients. Both Web Proxy and Firewall clients allow the ISA Server firewall/VPN server to resolve Internet DNS host names on their behalf. Please refer to the ISA Server 2000 VPN Deployment Kit article Forcing Firewall Policy on VPN Clients for detailed instructions on how to configure the VPN clients as Firewall and Web Proxy clients.

 

VPN Gateway DNS Problems

 

DNS host name resolution problems in a VPN gateway to gateway configuration center around similar problems that are encountered with VPN clients:

 

  • Local and Remote network hosts cannot resolve internal network names
  • Local and Remote network hosts cannot resolve Internet host names

 

Local and Remote Network Hosts Cannot Resolve Internal Network Names

 

The following is a list of the most common internal network name DNS resolution problems and solutions encountered in VPN gateway to gateway link environments:

 

         Network hosts are not configured with a DNS server address

 

Internal network hosts must be configured with a DNS server address that can resolve internal network names on both sides of the gateway to gateway VPN link. If hosts on the opposite side of the VPN gateway to gateway link belong to a different domain, then you will need to configure the internal network clients to use a DNS server that can resolve names for all internal network domains. You can use stub zones or zone delegation to accomplish this task, depending on the specifics of your internal network environment.

 

*       Note:
Please refer to Delegate the DNS Zone for the Windows Server 2003 Domain for more information on how to perform zone delegations. Please refer to Support WebCast: Microsoft Windows Server 2003 DNS: Stub Zones and Conditional Forwarding for more information on Windows Server 2003 stub zone configuration.

 

         Network hosts configured with incorrect DNS server address

 

Internal network hosts may be configured with an incorrect DNS server address. Check that the address was typed in correctly and that the DNS server is able to resolve names for all internal network domains.

 

         Network hosts are not configured with a DNS server that can resolve internal network names

 

Internal network hosts may have inadvertently been configured to use a DNS server that can only resolve Internet host names. This is most commonly seen when the internal network is based on the SecureNAT client configuration and the SecureNAT clients are configured to use the ISP's DNS server for name resolution. The ISP's DNS server has no knowledge of the internal network domain and cannot resolve names on your internal network.

 

The solution is to configure internal network clients with a DNS server address that can resolve both internal and external network names.

 

Local and Remote Network Hosts Cannot Resolve Internet Host Names

 

The following is a list of the most common Internet host name DNS resolution problems and solutions encountered in VPN gateway to gateway link environments:

 

         Network hosts not assigned a DNS server address

 

Not all internal network clients need to be assigned a DNS server address. If the internal network hosts are not members of a Windows 2000 or Windows Server 2003 domain, computers configured as Web Proxy and/or Firewall clients can have the ISA Server firewall/VPN server resolve Internet DNS host names on their behalf, and therefore they do not need a "hard coded" DNS server address.

 

SecureNAT clients must be configured with the address of a DNS server that can resolve Internet DNS host names. The reason is that the ISA Server firewall/VPN gateway will not resolve names on behalf of SecureNAT clients.

 

         Network hosts not assigned a DNS server address that can resolve Internet host names

 

Internal network clients may be configured with a DNS server that is not configured to resolve Internet DNS host names, or the DNS server is incorrectly configured. The solution is to change the DNS server address on the clients to a DNS server that can resolve Internet host names or correct the configuration on the DNS server that should have been able to resolve the names.

 

         ISA Server/VPN gateway registers its virtual IP address in the dynamic DNS

 

If the ISA Server firewall/VPN server is also configured as a domain controller or dynamic DNS server, then the virtual PPP adapter interface address will be registered in the DNS for the name of the ISA Server firewall/VPN server. This can prevent Internet access by Web Proxy and Firewall clients because these ISA Server client types depend on name resolution to contact the ISA Server firewall/VPN server for outbound access to the Internet.

 

*       Note:
Please refer to Routing and Remote Access IP Addresses Register in DNS and Name Resolution and Connectivity Issues on Windows 2000 Domain Controller with Routing and Remote Access and DNS Installed for more details on this problem.

 

Configuring an Internal DNS Server to Resolve Internet Host Names

 

An existing DNS server can be configured to resolve Internet DNS host names for internal network clients. DNS security best practices dictate that internal network DNS servers should avoid direct contact with Internet DNS servers. This is especially the case when internal network DNS servers host resource records for the internal network domains.

 

You can configure internal DNS servers to resolve Internet host names and avoid contact with external DNS servers by configuring them to use the ISA Server firewall/VPN server as a DNS forwarder. We will discuss configuring the internal network DNS server to use the ISA Server firewall/VPN server as a DNS forwarder in this ISA Server 2000 VPN Deployment Kit document.

 

*       Note:
In this example the internal network DNS server is located on an internal network domain controller. It is particularly important for a DNS server co-located on an internal domain controller to avoid direct contact with an Internet DNS server.

 

1.       Click Start and point to Administrative Tools. Click on the DNS entry in the Administrative Tools menu. In the DNS Management console, click on your server name, then right click on the server name. Click on the Properties command (figure 1).

 

Figure 1 (fig139)

 

2.       In the server Properties dialog box, click on the Interfaces tab (figure 2). It's important that you have explicit knowledge of the IP address on which the DNS server answers DNS queries.

 

The best way to accomplish this goal is to select the Only the following IP addresses option. Review the list of IP addresses and remove all addresses except for the primary IP address bound to the interface on this server. In this example all IP addresses have been removed except for the 10.0.0.2 entry. Use the Remove button to remove any IP addresses that you do not want on the list.

 

Figure 2 (fig140)

 

3.       Click on the Forwarders tab (figure 3). You can configure a DNS forwarder address on the Forwarders tab. Enter the IP address of the DNS forwarder you want to use in the Select domain's forwarder IP address list text box, then click the Add button to add it to the list of DNS forwarders.

 

The DNS forwarder can be your ISP's DNS server or your ISA Server firewall/VPN server if it has been configured as a caching-only DNS forwarder. In this example we will configure this DNS server located on the domain controller to use the ISA Server firewall/VPN server as a DNS forwarder. Later in this ISA Server 2000 VPN Deployment Kit document we will configure the ISA Server firewall/VPN server to be a caching-only DNS server.

 

Put a checkmark in the Do not use recursion for this domain checkbox. When you select this option, you place the entire responsibility for Internet DNS host name resolution on the forwarder. If the forwarder cannot resolve the name, then the name resolution failure is communicated to the client system that issued the DNS query.

 

If you allow recursion, then this DNS server will try to resolve the name itself after it receives the name resolution failure message from its forwarder. It is unlikely that this internal DNS server will be able to resolve the name if the forwarder cannot, and allowing this DNS server to perform recursion after the forwarder fails to do so can slow down the return of DNS name resolution failure messages to DNS clients on the internal network.

 

Figure 3 (fig141)

 

4.       Click on the Advanced tab (figure 4). Notice there is a Server options entry named Disable recursion (also disables forwarders). This entry has quite a different meaning than the Do not use recursion for this domain option we saw in the figure above.

 

Do not select the Disable recursion (also disables forwarders) option. If you select this option, this DNS server will not be able to resolve Internet DNS host names and will only return answers for domains for which it is authoritative. The Disable recursion (also disables forwarders) option is a good option to select when you are publishing a public DNS server as part of a split DNS infrastructure, but it is not a viable option when you want to use this DNS server to resolve Internet DNS host names.

 

*       Note:
A split DNS infrastructure allows you to return different IP addresses to public and private network hosts for the same resources that are under your administrative control. The split DNS infrastructure is beyond the scope of this ISA Server 2000 VPN Deployment Kit article. For more information on split DNS design, please refer to this TechNet DNS Infrastructure Design article.

 

Figure 4 (fig142)

 

5.       Click on the Root Hints tab (figure 5). On the Root Hints tab you see the entries for the Internet Root DNS servers. The DNS server uses this list of DNS server addresses to perform recursion. We recommend that you do not allow the internal network DNS server to perform recursion, so this list will not be used by this server to resolve Internet DNS host names.

 

Figure 5 (fig143)

 

6.       Click on the Monitoring tab (figure 6). Put a checkmark in the A simple query against this DNS server checkbox and click the Test Now button. You should see a Pass entry in the Simple Query column. Remove the checkmark in the A simple query against this DNS server checkbox and then put a checkmark in the A recursive query to other DNS servers checkbox. Click the Test Now button. You should see a Pass entry in the Recursive Query column.

 

The simple query tests whether the DNS server can resolve names for domains that it's authoritative for. The Recursive query tests whether this server can resolve names, such as Internet DNS host names, for which this DNS server is not authoritative.

 

*       Note:
You should get Pass entries on the DNS tests if you have configured the DNS server to use your ISP's DNS server as its forwarder and you have created a DNS query Protocol Rule to allow the DNS server to send outbound DNS queries to the Internet. If you are using the ISA Server firewall/VPN server as your DNS forwarder, and you have not yet configured the ISA Server firewall/VPN server as a caching-only DNS server, then your tests will fail. The tests will succeed after the caching-only DNS server is installed and configured on the ISA Server firewall/VPN server.

 

Figure 6 (fig144)

 

 

Configuring the ISA Server Firewall/VPN Server as a Caching-only Internet DNS Host Name Resolver

 

You may prefer to use the ISA Server firewall/VPN computer as your Internet DNS host name resolver. There are several advantages to using the ISA Server firewall/VPN server as your Internet DNS host name resolver:

 

         You do not expose your internal network DNS servers to Internet traffic

 

You expose your private DNS servers to potential attack from Internet intruders when internal network DNS servers are used to resolve both internal and external network names. The most dangerous example is when the internal network DNS server is located on a domain controller. An optimal security configuration prevents external hosts from contacting any internal network domain controller and any DNS server authoritative for internal network DNS domains.

 

         The ISA Server firewall/VPN server based DNS server contains no internal network host records

 

The DNS server located on the ISA Server firewall/VPN server is installed and configured as a caching-only DNS server. The caching-only DNS server is not authoritative for any zone on the internal or external network. This type of DNS server can use a forwarder, a forwarder and recursion, or recursion only, to resolve Internet DNS host names. The caching-only DNS server caches the results of the DNS query and returns the cached result to the next host making a request for the same Internet DNS host name.

 

*       Note:
DNS recursion involves multiple queries to Internet-based DNS servers, beginning with the Internet Root DNS Server addresses. These addresses are contained in the Root Hints file on the caching-only DNS server. Please refer to Windows Server 2003 Help for more information about caching-only DNS servers and DNS recursion.

 

         The ISA Server firewall/VPN server based DNS server can resolve internal network names with the help of a stub zone

 

The ISA Server firewall/VPN server computer must be able to resolve both internal and external host names. The ISA Server component must be able to resolve Internet DNS host names on behalf of Firewall and Web Proxy clients. The ISA Server component must also be able to resolve internal network names in order to locate Active Directory domain controllers and other resources.

 

A modified caching-only DNS server can be configured with a DNS stub zone containing enough information about internal network domains to allow the ISA Server firewall to resolve internal and Internet host names for Web Proxy and Firewall clients.

 

The DNS stub zone contains only three resource records: a Name Server (NS) record, a Start of Authority (SOA) record, and a Host (A) record, sometimes referred to as a "glue" record. The glue record allows the DNS server to resolve the name associated with the NS record.

 

*       Note:
Stub zones have a number of uses. In the scenario discussed in this ISA Server 2000 VPN Deployment Kit document the stub zone is used to resolve names on the internal network. Please refer to Windows Server 2003 Help for more information on stub zones.

 

         The ISA Server firewall/VPN server can use a forwarder, use a forwarder and perform recursion on its own, or perform recursion without the use of a forwarder

 

A forwarder is a DNS server that resolves names for another DNS server. The DNS server located on the ISA Server firewall/VPN server can be configured to use a DNS server, such as your ISP's DNS server, to resolve Internet DNS host names for it. When the forwarder resolves the name, it sends the result to the DNS server on the ISA Server firewall/VPN server, and the caching-only DNS server caches the result and sends the answer to the host on the internal network.

 

The caching-only DNS server can be configured to use a forwarder and perform recursion. When a caching-only DNS server that uses a forwarder is also allowed to perform recursion, it will attempt to resolve the name itself if the forwarder is not successful in resolving an Internet DNS host name. You usually do not want to allow the caching-only DNS server to perform recursion because it slows down the return of "host not found" errors to the internal network clients. However, you may consider this option if you do not trust the reliability of your forwarders.

 

You have the option to configure the caching-only DNS server located on the ISA Server firewall/VPN server to use recursion without the aid of a DNS forwarder. In this case, the caching-only DNS server uses the Root Hints file to query Internet Root Servers to resolve Internet DNS host names on its own. Allowing your DNS server to perform recursion can expose it to a large number of Internet-based DNS servers and may increase the risk of DNS related attacks.
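The three resolution modes just described (forwarder only, forwarder plus recursion, recursion only) and the earlier point about the Do not use recursion for this domain setting come down to the order in which a caching-only server consults its cache, its forwarders and the root hints. The following added Python example (not code from this Deployment Kit document) models that order and records every upstream server contacted, so the cost of a failed lookup and the wider exposure of recursion are both visible. The server names, the referral chain and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed stand-ins.

```python
"""Resolution order of a caching-only DNS server: cache, forwarders, then
(optionally) recursion from the root hints.

Added example for this discussion, not code from the ISA Server 2000 VPN
Deployment Kit. Server names, the referral chain and the addresses are
constructed stand-ins for an ISP forwarder and Internet DNS servers.
"""

# Constructed upstream servers. Each maps a query name to either
# ("answer", address) or ("referral", next_server); a missing name means the
# server cannot help with that query.
SERVERS = {
    # The ISP forwarder knows example.com but not example.net.
    "isp-dns": {"www.example.com.": ("answer", "203.0.113.10")},
    # The recursive path: root -> .net TLD server -> zone's authoritative server.
    "root-a": {"www.example.net.": ("referral", "tld-net")},
    "tld-net": {"www.example.net.": ("referral", "ns.example.net")},
    "ns.example.net": {"www.example.net.": ("answer", "198.51.100.7")},
}
ROOT_HINTS = ["root-a"]  # stands in for the Root Hints file


class CachingOnlyServer:
    """Holds no zones of its own; only a cache plus a policy for upstream lookups."""

    def __init__(self, forwarders=(), allow_recursion=False):
        self.forwarders = list(forwarders)
        self.allow_recursion = allow_recursion  # False = "Do not use recursion"
        self.cache = {}
        self.contacted = []  # every upstream server this server talked to

    def _query(self, server, name):
        self.contacted.append(server)
        return SERVERS.get(server, {}).get(name)

    def _via_forwarders(self, name):
        # Forwarders are tried in list order; the first positive answer wins.
        for forwarder in self.forwarders:
            reply = self._query(forwarder, name)
            if reply is not None and reply[0] == "answer":
                return reply[1]
        return None

    def _via_recursion(self, name, max_hops=8):
        # Walk referrals starting at each root hint until an answer arrives.
        for root in ROOT_HINTS:
            server = root
            for _ in range(max_hops):
                reply = self._query(server, name)
                if reply is None:
                    break  # this chain is a dead end; try the next root
                kind, value = reply
                if kind == "answer":
                    return value
                server = value  # follow the referral to the next server

        return None

    def resolve(self, name):
        """Return the address for `name`, or None for a resolution failure."""
        if name in self.cache:
            return self.cache[name]
        address = self._via_forwarders(name)
        if address is None and self.allow_recursion:
            address = self._via_recursion(name)
        if address is not None:
            self.cache[name] = address  # later clients get the cached answer
        return address
```

With recursion disabled, a name the forwarder cannot resolve fails after a single upstream exchange and the failure goes straight back to the client. With recursion enabled the same query goes on to contact the root, TLD and authoritative servers, which is the extra exposure to Internet DNS servers the text describes; a server with no forwarders at all walks that chain for every uncached name.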

 

This ISA Server 2000 VPN Deployment Kit document covers the following procedures that allow you to run a caching-only DNS server on the ISA Server firewall/VPN server:

 

         Installing the DNS server service on the ISA Server firewall/VPN server

         Creating the reverse lookup stub zone

         Creating the forward lookup stub zone

         Creating the DNS TCP port 53 packet filter on the ISA Server firewall/VPN server

 

Installing the DNS Server Service on the ISA Server Firewall/VPN Server

 

Perform the following steps on the ISA Server firewall/VPN server to configure the caching-only DNS server:

 

  1. Click Start and point to Control Panel. Click the Add or Remove Programs entry in the list. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window (figure 7).

 

Figure 7 (fig100)

 

 

  2. In the Windows Components dialog box, select the Network Services entry in the Components list (but do not put a checkmark in the checkbox!). Then click the Details button (figure 8).

 

Figure 8 (fig101)

 

  3. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox. Click OK (figure 9).

 

Figure 9 (fig102)

 

  4. Click Next in the Windows Components dialog box (figure 10).

 

Figure 10 (fig103)

 

  5. Click Finish on the Completing the Windows Components Wizard dialog box (figure 11) after the DNS server service is installed.

 

Figure 11 (fig104)

 

You do not need to restart the ISA Server firewall/VPN server. The DNS service can now be configured with one or more stub zones that allow it to forward DNS queries for internal network domains to the appropriate DNS servers on the internal network.

 

There are no internal network resource records contained in these stub zones that could potentially put your internal network at significant risk. It is safe to include these stub zones on the caching-only DNS server.

 

The first stub zone you create is the reverse lookup stub zone. In our current example, the internal network uses network ID 10.0.0.0/8. We'll create a reverse lookup zone for this network ID.

 

Creating the Reverse Lookup Stub Zone

 

1.       Click Start, point to Administrative Tools and click on the DNS entry in the Administrative Tools menu (figure 12).

 

Figure 12 (fig105)

 

2.       In the DNS Management console, click on the Reverse Lookup Zones node and then right click on it. Click the New Zone command (figure 13).

 

Figure 13 (fig106)

 

3.       Click Next on the Welcome to the New Zone Wizard page (figure 14).

 

Figure 14 (fig107)

 

4.       Select the Stub zone option on the Zone Type page (figure 15). Note the description of a stub zone:

 

"Creates a copy of a zone containing only Name Server (NS), Start of Authority (SOA), and possibly glue Host (A) records. A server containing a stub zone is not authoritative for that zone"

 

You can think of the stub zone as a referral zone, where it refers queries for the zone to another DNS server for resolution. In the present case of our caching-only DNS server, the caching-only DNS server caches the results after receiving the answers to the referred DNS queries and returns these cached answers for subsequent queries.

 

Figure 15 (fig108)

 

5.       Select the Network ID option on the Reverse Lookup Zone Name page (figure 16). Type in your network ID in the text box under this option. Note that you are not creating a new reverse lookup zone on the caching-only DNS server; you are providing information that is used to obtain information from a DNS server that is authoritative for this reverse lookup zone. Click Next.

 

Figure 16 (fig109)

 

6.       The Create a new file with this file name option is selected by default and the name of the zone file is automatically entered for you on the Zone File page (figure 17). Do not make any changes on this page and click Next.

 

Figure 17 (fig110)

 

7.       Enter the IP address of the DNS server that contains a copy of the reverse lookup zone on the Master DNS Servers page (figure 18). The server must be authoritative for the zone and be able to answer queries for this zone. Type in the IP address of the authoritative DNS server in the IP address text box. Click the Add button to add the address to the list.

 

You can add multiple addresses to the list. If the first server in the list is not available, the referral will be sent to the next server on the list, and so on. Click Next.

 

Figure 18 (fig111)

 

8.       Review your settings on the Completing the New Zone Wizard page and click Finish to create the new stub reverse lookup zone (figure 19).

 

Figure 19 (fig112)

 

9.       If you see an error message indicating that the DNS server could not be contacted, right click the stub reverse lookup zone in the right pane of the console and click the Transfer from Master command. Click the Refresh button on the button bar after transferring the zone from the master. It may take a few moments to contact the master server and obtain the required resource record information.

 

*       Note:
You do not need to wait for all records contained in the reverse lookup zone to be transferred to the stub reverse lookup zone. Only the Start of Authority (SOA) and Name Server (NS) records need to be transferred. If you continue to see an error message and do not see these records in the right pane of the console, use the Reload from Master command and then close and reopen the DNS Management console.

 

Figure 20 (fig113)

 

The next step is to create the forward lookup stub zone.

 

Creating the Forward Lookup Stub Zone

 

1.       In the DNS Management console, click on the Forward Lookup Zones node in the left pane of the console and then right click on it. Click on the New Zone command (figure 21).

 

Figure 21 (fig114)

 

2.       Click Next on the Welcome to the New Zone Wizard page (figure 22).

 

Figure 22 (fig115)

 

3.       Select the Stub zone option on the Zone type page (figure 23). Remember that this stub zone contains only three records:

 

Name Server (NS)

Start of Authority (SOA)

Host (A) "glue" record

 

Click Next.

 

Figure 23 (fig116)

 

4.       Type in the name of the internal network domain on the Zone Name page (figure 24). This is the same name as the zone you've created on your internal network DNS servers. Click Next.

 

Figure 24 (fig117)

 

5.       The Create a new file with this file name option is selected by default on the Zone File page (figure 25). The name of the file is automatically entered for you. Make no changes on this page and click Next.

 

Figure 25 (fig118)

 

6.       Type in the address of the internal network DNS server that is authoritative for this DNS zone in the IP address text box on the Master DNS Servers page (figure 26). Click Add to add the address to the list of authoritative DNS servers. If this DNS server cannot contact the server on top of the list, it will forward the queries to the next server on the list and so on. Click Next.

 

Figure 26 (fig119)

 

7.       Review your settings on the Completing the New Zone Wizard page and then click Finish (figure 27).

 

Figure 27 (fig120)

 

8.       If the SOA, NS and A records do not appear in the right pane of the console, right click on an empty area in the right pane and click the Transfer from Master command (figure 28). Wait a few moments and then click the Refresh button in the console's button bar.

 

Figure 28 (fig121)

 

The caching-only DNS server now has a forward and reverse lookup zone. This allows the DNS server to resolve names on the internal network without requiring this server to host the internal network domain's DNS resource records.

 

Configuring DNS Forwarders, Recursion and the Root Hints File

 

The optimal configuration for your caching-only DNS server is to limit the amount of exposure it has to Internet DNS servers. You can limit its exposure and improve performance at the same time by using your ISP's DNS server as a forwarder. Assuming that you have a good quality ISP, the advantages of using your ISP's DNS server as a forwarder include:

 

  • The DNS cache on the ISP's DNS server is much larger than the cache on your own server

  • The ISP's DNS server is expertly secured from Internet-based attacks targeted against DNS servers

  • Most ISPs keep their DNS servers "on network". On-network DNS servers sit on the ISP's own network, which allows quick round trip times for DNS query messages

 

We believe configuring the caching-only DNS server on the ISA Server firewall/VPN server to use your ISP's DNS server as a forwarder is the best option in terms of both security and performance. However, if you do not trust your ISP or have had negative experiences with their DNS servers, you can configure the caching-only DNS server on the ISA Server firewall/VPN server to perform recursion and contact Internet DNS servers directly to resolve Internet DNS host names.

 

We discuss both options in the following procedures:

 

1.       In the DNS Management console, right click on your server name and click the Properties command (figure 29).

 

Figure 29 (fig122)

 

2.       In the DNS server Properties dialog box, click on the Interfaces tab (figure 30). Select the Only the following IP addresses option. Our goal is to have this caching-only DNS server located on the ISA Server firewall/VPN server listen for DNS queries on its internal interface only. We do not want this caching-only DNS server to accept DNS queries on its external interface.

 

Click on an address that is not bound to the internal interface of the ISA Server firewall/VPN server, then click Remove. Repeat this for all addresses that are not bound to the internal interface. If you have multiple addresses bound to the internal interface of the ISA Server firewall/VPN server, remove all but one of them and use that address to listen for DNS queries.

 

Click Apply after removing the extra addresses.

 

Figure 30 (fig123)

 

3.       Only a single IP address, bound to the internal interface of the ISA Server firewall/VPN server, should now appear in the list of listening IP addresses (figure 31).

 

Figure 31 (fig124)

 

4.       Click on the Forwarders tab (figure 32). Type the IP address of your ISP's DNS server in the Selected domain's forwarder IP address list text box and then click Add. The address will then appear in the list of forwarder IP addresses. Your ISP should have at least two public DNS servers. Add both of those addresses to your list of forwarders.

 

Put a checkmark in the Do not use recursion for this domain checkbox. This prevents the caching-only DNS server from using information in its Root Hints file to perform recursion on its own and resolve Internet DNS host names by contacting Internet DNS servers itself. The point of using a forwarder in our scenario is to prevent the caching-only DNS server from contacting "untrusted" DNS servers, so this checkbox must be selected.

 

Click Apply after entering your forwarders and enabling the checkbox.

 

Note:
There are other ways you can leverage your caching-only forwarder configuration. If you have other DNS servers in your organization, such as a DNS resolver on a DMZ segment, you can configure the caching-only DNS server on the ISA Server firewall/VPN server to use the resolver on the DMZ as its forwarder. For more information on split DNS, split-split DNS, DNS resolvers and DNS advertisers, please see You Need to Create a Split DNS! by Dr. Thomas W. Shinder.

 

Figure 32 (fig125)

 

5.       Click on the Advanced tab (figure 33). Note the Disable recursion (also disables forwarders) option. Do not enable this option. If you enable it, the caching-only DNS server won't be able to resolve Internet DNS host names, because the option restricts the DNS server to answering queries only for domains for which it is authoritative. Since this is a caching-only DNS server, it's not authoritative for any domains.

 

Figure 33 (fig126)

 

6.       Click on the Root Hints tab (figure 34). The Name servers frame lists the Internet Root DNS servers. The DNS server can use this list of Internet Root DNS servers to perform recursion on its own without the aid of a forwarder.

 

When the DNS server performs recursion to resolve an Internet DNS host name (such as www.microsoft.com), the following sequence of events takes place:

 

  • The caching-only DNS server sends a query for www.microsoft.com to one of the Internet Root DNS servers listed in the Root Hints file

  • The Internet Root DNS server sends back a referral record to the caching-only DNS server. This referral record has the address or addresses of the DNS servers responsible for the COM top level domain.

  • The caching-only DNS server sends a query for www.microsoft.com to the DNS servers responsible for the COM domain. The COM domain DNS servers return a referral record with the addresses of the DNS servers responsible for the microsoft.com domain.

  • The caching-only DNS server sends a query for www.microsoft.com to the DNS servers responsible for the microsoft.com domain.

  • The microsoft.com DNS servers are authoritative for the microsoft.com domain. They return an IP address for the host www.microsoft.com to the caching-only DNS server.

  • The caching-only DNS server places the answer in its DNS cache and forwards the answer to the host that sent the original query.

 

You can see from this example that the Internet Root DNS server, the COM DNS server, and the microsoft.com DNS servers were contacted.

 

You may consider using recursion as a backup method, but the preferred backup method for the caching-only DNS server on the ISA Server firewall/VPN server is to configure multiple DNS forwarders.

 

Figure 34 (fig127)

 

7.       The caching-only DNS server is ready to use. You do not need to restart the DNS Server service or the ISA Server firewall/VPN server computers. Let the DNS server run for a while so that it has the chance to resolve some Internet host names for internal network clients. Then return to the DNS console. Right click on the server name and point to View. Click on the Advanced command (figure 35). This will expose the Cached Lookups node in the left pane of the console.

 

Figure 35 (fig128)

 

8.       Expand the Cached Lookups node and then expand the .(root) node. Expand one of the top level domain nodes. You'll see a list of second level domain names. Click on one of the second level domain names and you'll see specific DNS resource record information in the right pane of the console (figure 36).

 

Figure 36 (fig129)
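As an added illustration that is not part of the original document, the following Python model shows where the caching-only DNS server sends a query under the configuration built in this section: a name inside the stub zone goes to the internal master, every other name goes to the forwarders in list order, and the root-hints walk described in step 6 is used only when the Do not use recursion for this domain box is left unchecked. All names and addresses are constructed placeholders (RFC 5737 ranges); www.example.com stands in for the www.microsoft.com of the text.

```python
ROOT = "."

# Constructed stand-ins (RFC 5737 addresses) for the Internet DNS tree and for
# the internal network; none of these are real servers.
TREE = {".": "192.0.2.1", "com.": "192.0.2.2", "example.com.": "192.0.2.3"}
ANSWERS = {"www.example.com.": "192.0.2.80", "fs1.corp.example.": "10.0.0.10"}
CFG = {
    "stub_zones": {"corp.example.": "10.0.0.2"},      # stub zone -> master DNS server
    "forwarders": ["198.51.100.53", "198.51.100.54"],  # ISP DNS servers, tried in order
    "no_recursion": True,  # "Do not use recursion for this domain" checked
}

def parents(qname):
    """Enclosing zones of qname, longest first, ending with the root:
    'www.example.com.' -> 'www.example.com.', 'example.com.', 'com.', '.'"""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + [ROOT]

def zone_for(qname, zones):
    """Longest zone in `zones` that encloses qname, or None."""
    return next((z for z in parents(qname) if z in zones), None)

def iterative_resolve(qname, tree=TREE, answers=ANSWERS):
    """Root-hints recursion as described in step 6: ask a root server, follow
    its referral to the TLD server, then to the domain's authoritative server.
    Returns (answer, list of servers contacted in order)."""
    chain = [z for z in reversed(parents(qname)) if z in tree]  # '.', 'com.', 'example.com.'
    return answers.get(qname), [tree[z] for z in chain]

def resolve(qname, cfg=CFG, reachable=frozenset(), tree=TREE, answers=ANSWERS):
    """Where the caching-only server sends one query. `reachable` is the set
    of forwarder addresses currently answering (constructed for the example)."""
    stub = zone_for(qname, cfg["stub_zones"])
    if stub:  # internal name: go to the master named in the stub zone
        return answers.get(qname), [cfg["stub_zones"][stub]]
    tried = []
    for fwd in cfg["forwarders"]:  # forwarders in list order
        tried.append(fwd)
        if fwd in reachable:
            return answers.get(qname), tried
    if cfg["no_recursion"]:  # no forwarder answered: fail rather than contact Internet servers
        return None, tried
    answer, contacted = iterative_resolve(qname, tree, answers)  # fall back to root hints
    return answer, tried + contacted

if __name__ == "__main__":
    print(resolve("www.example.com.", reachable={"198.51.100.53"}))
    print(resolve("www.example.com.", dict(CFG, no_recursion=False)))
```

With the checkbox set and both forwarders down the query fails rather than reaching the root, TLD and domain servers; with it clear, the same query contacts all three, as the sequence in step 6 describes.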

 

 

The next step is to create a packet filter to support DNS queries that need to use TCP instead of UDP.

 

Configuring a DNS Zone Transfer Packet Filter

 

The IIS SMTP service uses TCP instead of UDP as the default transport protocol for DNS queries. Even outside of the IIS SMTP service, it is normal for DNS queries to use TCP when the data in the DNS message does not fit into a single UDP packet.
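An added example, not from the original document, of the client-side behaviour that makes this packet filter necessary: a UDP reply that did not fit comes back with the TC (truncated) flag set, and the resolver repeats the same query over TCP port 53, where every DNS message carries a two-byte length prefix. The header bytes below are constructed, not captured traffic.

```python
import struct

# Constructed 12-byte DNS headers (no real traffic): txid 0x1234, one question.
# 0x8380 = QR|TC|RD|RA: the server is saying "answer truncated, retry over TCP".
TRUNCATED_REPLY = bytes.fromhex("123483800001000000000000")
COMPLETE_REPLY = bytes.fromhex("123481800001000000000000")  # 0x8180: QR|RD|RA, no TC

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: header (RD set) plus one question in class IN.
    qtype 15 is MX, the record type the nslookup test in step 9 asks for."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(reply):
    """True if the TC bit (0x0200 in the flags word at offset 2) is set."""
    if len(reply) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    flags = struct.unpack("!H", reply[2:4])[0]
    return bool(flags & 0x0200)

def frame_for_tcp(message):
    """DNS over TCP prefixes every message with a two-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def read_tcp_message(stream):
    """Strip one length-prefixed message from a TCP byte stream: (message, remainder)."""
    if len(stream) < 2:
        raise ValueError("need at least the 2-byte length prefix")
    n = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + n:
        raise ValueError("incomplete DNS message on TCP stream")
    return stream[2:2 + n], stream[2 + n:]

def next_step(udp_reply, query):
    """What the resolver does with a UDP reply: accept it, or resend the same
    query framed for TCP port 53 (the traffic the packet filter below permits)."""
    if is_truncated(udp_reply):
        return "retry over tcp", frame_for_tcp(query)
    return "accept udp answer", None
```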

 

Perform the following steps to create a packet filter to support the use of TCP port 53 for DNS queries:

 

1.       In the ISA Management console, expand your server name and then expand the Access Policy node. Right click on the IP Packet Filters node, point to New and click on Filter.

 

Figure 37 (fig130)

 

2.       Type in a name for the packet filter in the Welcome to the New IP Packet Filter Wizard dialog box (figure 38). In this example we'll call it DNS (TCP). Click Next.

 

Figure 38 (fig131)

 

3.       Select Allow packet transmission on the Filter Mode page (figure 39). Click Next.

 

Figure 39 (fig132)

 

4.       Select the Custom option on the Filter Type page (figure 40). Click Next.

 

Figure 40 (fig133)

 

5.       On the Filter Settings page (figure 41), configure the following settings:

 

IP protocol: TCP

Direction: Outbound

Local Port: All ports

Remote port: Fixed port, 53

 

Click Next.

 

Figure 41 (fig134)

 

6.       Select the Default IP addresses for each external interface of the ISA Server computer option on the Local Computer page (figure 42) and click Next.

 

Figure 42 (fig135)

 

7.       Select the All remote computers option on the Remote Computers page (figure 43) and click Next.

 

Figure 43 (fig136)

 

8.       Review your settings on the Completing the New IP Packet Filter Wizard page (figure 44). Click Finish.

 

Figure 44 (fig137)

 

9.       Test your ability to resolve DNS names. Open a command prompt on the ISA Server firewall/VPN server. Type nslookup at the command prompt and press ENTER. Type set type=mx and press ENTER. Type microsoft.com. (make sure to include the trailing period) and press ENTER. You should see a list of MX records for the microsoft.com domain.

 

Figure 45 (fig138)

 

Close the command prompt. The ISA Server firewall/VPN server can now resolve Internet host names using the caching-only DNS server.

 

 

Configuring the DNS Settings for VPN and Internal Network Clients

 

 

 

 

 
