
DNS, NAT, FORWARDING and ISA


ancientcontra

Technical User
Jun 30, 2005
OK, I have 3 internal DCs that have no access to the internet and have their forwarders pointing to our ISA server. Normal ADI DNS on all 3.

The ISA server is not in a DMZ, and gets its web traffic from an ISA upstream server, which is in another company.
We have a 100 Mb link to this company and are only separated by a liberal firewall. The ISA server holds a caching-only DNS zone, and has forwarders that point to 2 DNS servers at the same company, which pass all our external queries.

We want to do our own lookups for external names, taking this company out of the equation.

The ISA server will need to be NAT'ed out through our Cisco ASA firewall to one of our external addresses, so we don't have to rely on an upstream server.

My questions are:
(1) Should I get all external lookups done by the ISA server, as it will be NAT'ed out? Then have the forwarders on that server point to our ISP's? Do I then change the DNS server on the ISA server to point to itself, or point to the ISP?
(2) If the DCs need to do external lookups, do I just allow DNS traffic to these boxes and use dynamic NAT using the firewall's address?

(3) When are root hints used? If the servers are not NAT'ed, do they ever get used? When the forwarders don't work?

I haven't done this for a while; any help at all would be greatly appreciated.



Nick Cutting
MCSA CCNA A+
 
I allow DNS outbound through my ISA server. My 2 DNS servers hit the ISP's DNS servers for all external queries.

I would also recommend the following: putting OpenDNS ahead of my ISP's DNS servers (as forwarders) did improve my network's DNS resolution for external sites.


Jeffrey Botsford
MCSE/CCNA/Cyber Forensics L1
 
Thanks for the reply.

So you have your ISA server acting as a firewall, and it has an external and internal address? Or is there another firewall outside the ISA that translates the ISA's address and allows outbound HTTP, HTTPS, FTP, DNS etc.? Then you pass back lookups to your 2 DNS servers, which access this through the ISA? Is this something you set up on the ISA? ISA 2000?

Also, that OpenDNS sounds pretty cool, so both of their DNS servers are the top two forwarders? Then you use your ISP's.

Sorry, I am just unsure as to how your DNS servers are "getting out".

thanks, Nick



Nick Cutting
MCSA CCNA A+
 
I have a SonicWall at the edge. ISA is internal with NAT addresses on both sides. I pass DNS forwards through both the ISA and SonicWall.

My directory is behind the ISA firewall. All internal DNS never gets out. Only outside addresses are forwarded.

Jeffrey Botsford
MCSE/CCNA/Cyber Forensics L1
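The following is an added example, not code from either poster, that demonstrates the forwarder and root-hint behaviour behind question (3) and Jeffrey's setup (OpenDNS ahead of the ISP as forwarders, only outside names leaving the network). A Windows DNS server with forwarders configured tries them in order; a reply, including a negative one such as NXDOMAIN, ends the lookup, and the "use root hints if no forwarders are available" option only kicks in when every forwarder stays silent. Because root hints mean talking to the root servers directly, that fallback can only work from a server that is NAT'ed out to the Internet; on a DC with no outbound path it simply times out. The forwarder list below is constructed for the demo (the two 192.0.2.x "ISP" resolvers are RFC 5737 placeholders, not real servers), `ask_fn` is a hook added so the walk can be exercised offline, and the single root-hint address stands in for the full root hints file.

```python
"""
Added example (not from the thread): a probe that behaves the way a
forwarding DNS server does. Each forwarder is tried in order; the first
reply ends the search, and root hints are consulted only if every
forwarder stays silent. Root-hint fallback needs a direct path to the
Internet (e.g. the server NAT'ed out through the edge firewall), so from a
server that is not NAT'ed the root query simply times out.
"""
import random
import socket
import struct
from typing import Callable, Dict, List, Optional

# Constructed forwarder list for the demo: OpenDNS ahead of two ISP
# resolvers. The ISP addresses are documentation-range placeholders
# (RFC 5737), not real servers.
FORWARDERS: List[str] = ["208.67.222.222", "208.67.220.220", "192.0.2.53", "192.0.2.54"]
ROOT_HINT = "198.41.0.4"  # a.root-servers.net; a real server loads all 13 from cache.dns

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, rd: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Encode a minimal DNS/UDP query (one question, class IN).

    RD is set when asking a forwarder (we want it to recurse for us) and
    cleared when asking a root server, which only hands out referrals."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes, expected_txid: int) -> Dict[str, object]:
    """Pull out the header fields a forwarder acts on."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        # A reply with the wrong ID is discarded; matching IDs is the
        # minimal spoofing defence every resolver applies.
        raise ValueError("transaction ID mismatch")
    return {
        "qr": bool(flags & 0x8000),          # is this a response at all
        "ra": bool(flags & 0x0080),          # did the server offer recursion
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
        "authority": ns,                     # referral NS records from a root
    }


def ask(server: str, name: str, rd: bool, timeout: float = 2.0) -> Optional[Dict[str, object]]:
    """One UDP query to `server`; None means no reply before the timeout."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, rd=rd, txid=txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data, txid)


def resolve_like_forwarder(name: str,
                           forwarders: List[str] = FORWARDERS,
                           root_hint: str = ROOT_HINT,
                           ask_fn: Callable[..., Optional[Dict[str, object]]] = ask) -> Dict[str, object]:
    """Walk the forwarder list; fall back to root hints only on total silence.

    A negative reply such as NXDOMAIN is a final answer and does not cause
    the next forwarder or the root hints to be tried. (This demo treats
    every reply as final; check your server's documentation for how it
    handles SERVFAIL from a forwarder.) The root query sent here is only
    the first step of iterative resolution: a real server follows the
    referral in the authority section down to the authoritative server."""
    for fwd in forwarders:
        reply = ask_fn(fwd, name, rd=True)
        if reply is not None:
            return {"via": "forwarder", "source": fwd, **reply}
    reply = ask_fn(root_hint, name, rd=False)
    if reply is None:
        return {"via": "root-hints", "source": root_hint, "rcode": "TIMEOUT"}
    return {"via": "root-hints", "source": root_hint, **reply}


if __name__ == "__main__":
    # Run from the server whose DNS path you are checking. On a box with no
    # NAT to the Internet and unreachable forwarders this ends with rcode TIMEOUT.
    print(resolve_like_forwarder("www.example.com"))
```

Run it once from the ISA server and once from a DC: if the DC's forwarders answer it will report `via: forwarder`, and if they are cut off it will report a root-hint `TIMEOUT`, which is the practical answer to whether root hints ever get used on a server that is not NAT'ed out. Note that the probe only matches the 16-bit transaction ID; a production resolver also randomises the source port, so this is a path check, not a hardened resolver.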
 