Correct DNS settings on the ISA Server firewall are vital. There is a lot of detail to take in here, but the gist is simple: an incorrect DNS configuration on one of the ISA firewall's interfaces leads either to name resolution failures or to very poor performance caused by name resolution delays. This article's main goal is to show you how to prevent those problems. Toward that end, we'll look at four real-world scenarios and how to configure the DNS settings correctly in each of them.
Scenario 1: No internal DNS servers; static or dynamic address on the external interface of the ISA firewall
Our first scenario addresses networks that do not have internal DNS servers. These are either very small networks or special purpose networks, such as the temporary "ad hoc" networks created for LAN parties, meetings or similar events. The common thread in the "no Internal DNS servers" scenario is that there is no need to resolve DNS host names on the corporate network. The only DNS names that need to be resolved are those on the Internet.
In this scenario, you only need to include the IP address or addresses of public DNS servers, typically those provided by your ISP. If the external interface of the ISA firewall has a dynamic address, your ISP has already assigned you a DNS server list along with the other IP addressing information, and there is no reason to change anything. If the external interface of the ISA firewall has a static IP address, configure the internal interface of the ISA firewall as the preferred adapter and enter your public DNS server addresses on the internal interface.
Configuring the internal interface as the preferred network interface
Perform the following steps to configure the internal interface as the preferred network interface:
- Right click on the My Network Places icon on the desktop and click Properties.
- In the Network Connections window, right click on each of your interfaces and click the Rename command. Rename each of the interfaces to give them meaningful names. In this example, we've renamed the three interfaces on the ISA firewall to WAN, LAN and DMZ as shown in Figure A.
- Click the Advanced menu in the Network Connections window and click Advanced Settings.
- In the Advanced Settings dialog box, click the internal interface of the ISA firewall and click the up pointing arrow until the internal interface is on the top of the interface list, as shown in Figure B. Then click OK.
- Double click on the internal interface.
- In the interface's Status dialog box, click the Properties button.
- In the interface's Properties dialog box, double click the Internet Protocol (TCP/IP) entry in the This Connection Uses The Following Items list.
- In the Internet Protocol (TCP/IP) Properties dialog box, enter the public DNS server addresses in the Preferred DNS Server and Alternate DNS Server text boxes.
- Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
- Click OK in the interface's Properties dialog box.
- Click Close in the interface's Status dialog box.
Figure A: Rename each interface to give it a meaningful name.
Figure B: Move the internal interface to the top of the list.
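The same Scenario 1 configuration as a script, using netsh.exe (the command-line tool that exists on the Windows Server 2003 host an ISA 2004 firewall runs on). This is an added example and not code from the original article. It assumes the three interfaces are still called "Local Area Connection", "Local Area Connection 2" and "Local Area Connection 3", and it uses 203.0.113.53 and 203.0.113.54 as constructed placeholder addresses for the ISP's public DNS servers; the binding-order step (Advanced Settings) has no netsh equivalent and is still done in the GUI as described above.

```powershell
# Added example, not from the original article: Scenario 1 (static address on the
# external interface, no internal DNS servers) configured with netsh.exe.
# Assumptions: the interfaces still carry their default names (mapped below), and the
# ISP's public DNS servers are 203.0.113.53 / 203.0.113.54 (constructed placeholders;
# substitute the addresses your ISP gave you).
$renames = @{
    'Local Area Connection'   = 'WAN'
    'Local Area Connection 2' = 'LAN'
    'Local Area Connection 3' = 'DMZ'
}
$publicDns = @('203.0.113.53', '203.0.113.54')

# Step 2: give the interfaces meaningful names.
foreach ($old in $renames.Keys) {
    netsh interface set interface "name=$old" "newname=$($renames[$old])"
}

# Steps 5-9: a static DNS server list on the internal (LAN) interface only.
# "set dns ... source=static" replaces the list and makes the address the Preferred
# DNS Server; each "add dns" appends an Alternate DNS Server.
netsh interface ip set dns name=LAN source=static "addr=$($publicDns[0])"
for ($i = 1; $i -lt $publicDns.Count; $i++) {
    netsh interface ip add dns name=LAN "addr=$($publicDns[$i])" "index=$($i + 1)"
}

# No other interface carries a DNS server list: addr=none clears the static entries
# (and overrides any list a DHCP server might have handed out).
foreach ($other in 'WAN', 'DMZ') {
    netsh interface ip set dns "name=$other" source=static addr=none
}

# Steps 3-4 (move LAN to the top of the binding order) are done in Advanced Settings.
# Verify: only LAN should show configured DNS servers.
netsh interface ip show dns
```

Run the script in an elevated session on the ISA firewall itself; the final `show dns` line is the check worth repeating after any later interface change, because the rule in every scenario below is that exactly one interface carries a DNS server list.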
You only need to configure public DNS server addresses on the internal interface manually when the external interface has a static address, that is, when your ISP (or whoever else is responsible for the connection) does not assign the external interface's addressing dynamically. No interface other than the external interface should ever have a dynamic IP address, and the external interface is the only interface that should ever be configured to use DHCP to receive addressing information.
Scenario 2: Corporate environment with dedicated internal DNS servers and static IP addresses on external interface of the ISA firewall
Scenario 2 is a much more common scenario than the first one. In this situation, the company has one or more internal DNS servers and static addresses on the external interface of the ISA firewall. In this case, you configure the ISA firewall to use a DNS server that can resolve both internal and external host names. The interface on the ISA firewall that is configured with the DNS server address is the one closest to the DNS server on the internal network.
The key here is that the ISA firewall must have access to a DNS server that can resolve both internal names and external names. The DNS server must be able to resolve internal names so that the ISA firewall can find itself, domain controllers, published Web servers, RADIUS servers and other infrastructure servers on the network. The DNS server must be able to resolve Internet host names so that the ISA firewall can perform name resolution on behalf of Web proxy and Firewall clients. In addition, SecureNAT clients must be configured to use a DNS server that can resolve Internet host names to reach the Internet, since the ISA firewall does not resolve names on behalf of SecureNAT clients.
Implementing the scenario
There are several ways you can implement such a scenario:
- You can use one DNS server that resolves both internal and external names by configuring that DNS server to perform recursion for names for which that DNS server is not authoritative.
- You can use one DNS server that resolves both internal and external names by configuring that DNS server to resolve the internal names for which it is authoritative, and then configuring it to use a forwarder for the names for which it is not authoritative.
- If you choose to use a forwarder, the forwarder can be located on the ISA firewall itself, or it can be a dedicated DNS server configured to act as a caching only DNS server.
- You can configure a DNS server on the ISA firewall or you can configure a dedicated DNS server that performs recursion for Internet host names, and also configure the DNS server to use conditional forwarding to send queries for internal resources to the internal network DNS server. In this scenario, the internal network DNS server never needs to handle queries for resources in domains other than those for which it is authoritative.
There are many more possible scenarios, but these four capture the overall sense of what we're trying to accomplish.
Configuring the DNS servers and interfaces
For medium sized environments, one of the most secure DNS server configurations is to have a dedicated DNS server that resolves Internet host names using recursion, and is also configured to perform conditional forwarding for queries to Internal network resources. If you don't have the resources to dedicate a DNS server to this duty, you can put the DNS server on the ISA firewall itself.
For example, suppose you have a dedicated DNS server on the internal network with the address 10.0.0.1. You should configure the Internal Network interface to use this DNS server, and you should not configure DNS server addresses on any other network interface.
This fact bears repeating: you should never configure a DNS server list on more than one interface, unless you have a more sophisticated scenario and understand the implications of the configuration.
Configuring multiple interfaces for DNS
If you have multiple internal Networks and you have DNS servers on each of these ISA firewall Networks that are authoritative for your internal DNS zones and can resolve Internet host names, then it would be valid to enter DNS server addresses on multiple interfaces. This is the only circumstance when you should enter DNS server addresses on more than one interface on the ISA firewall. In all other circumstances, you should enter your DNS server addresses on one interface only, and that interface is the primary interface on the ISA firewall (see the discussion above on configuring DNS server settings on the primary interface).
Another thing you should never do is configure internal-only and external-only DNS servers on the same interface. In fact, you should never configure the ISA firewall with an external DNS server at all unless your network fits Scenario 1, where you have no need for internal network host name resolution. In every other circumstance, never manually configure an external DNS server address on any interface of the ISA firewall.
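A check for the rules in this section (one interface with a DNS server list, DHCP only on the external interface, no external DNS server anywhere), written as an added example rather than code from the original article. It reads the interface configuration through the WMI classes that exist on Windows Server 2003 and reports every deviation. It assumes the external interface is the connection named WAN and that 10.0.0.1 (the dedicated internal DNS server from the example above) is the only DNS server any interface should list; both are parameters you change for your own network, and the multi-Network exception described below would show up as a finding you then deliberately accept.

```powershell
# Added example, not from the original article: audit the ISA firewall's interface DNS
# settings against the single-interface rule. Assumptions: the external interface's
# connection name is WAN, and 10.0.0.1 is the only legitimate DNS server address
# (both overridable via parameters).
function Test-IsaDnsConfiguration {
    param(
        [string]   $ExternalInterface = 'WAN',
        [string[]] $ExpectedDns       = @('10.0.0.1')
    )
    $findings = @()
    $withDns  = @()

    # The friendly name (NetConnectionID) lives on Win32_NetworkAdapter; the IP and DNS
    # settings live on Win32_NetworkAdapterConfiguration; the two share the Index value.
    $adapters = Get-WmiObject Win32_NetworkAdapter
    $configs  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }

    foreach ($cfg in $configs) {
        $adapter = $adapters | Where-Object { $_.Index -eq $cfg.Index }
        if ($adapter -and $adapter.NetConnectionID) { $name = $adapter.NetConnectionID }
        else { $name = $cfg.Description }
        $dns = @($cfg.DNSServerSearchOrder)   # empty array when no list is configured

        # Rule: only the external interface may obtain its address via DHCP.
        if ($cfg.DHCPEnabled -and ($name -ne $ExternalInterface)) {
            $findings += "$name obtains its address via DHCP; only $ExternalInterface should."
        }
        if ($dns.Count -gt 0) {
            $withDns += $name
            # Rule: no external (or otherwise unexpected) DNS server on any interface.
            foreach ($server in $dns) {
                if ($ExpectedDns -notcontains $server) {
                    $findings += "$name lists DNS server $server, which is not an internal resolver ($([string]::Join(', ', $ExpectedDns)))."
                }
            }
        }
    }

    # Rule: a DNS server list on exactly one interface.
    if ($withDns.Count -gt 1) {
        $findings += "DNS servers are configured on more than one interface: $([string]::Join(', ', $withDns))."
    }
    if ($withDns.Count -eq 0) {
        $findings += 'No interface has a DNS server list; the ISA firewall cannot resolve names.'
    }
    return $findings
}

# @() forces an array even when the function returns nothing or a single finding.
$result = @(Test-IsaDnsConfiguration)
if ($result.Count -eq 0) { 'DNS configuration follows the single-interface rule.' } else { $result }
```

The DHCP check is included because a dynamic address on an internal interface usually means a DHCP-assigned DNS list arrives with it, which is the quiet way a second DNS server list ends up on the firewall.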
Scenario 3: Branch-office environment with dedicated internal DNS servers and dynamic address on the external interface of the ISA firewall
This scenario combines elements of both scenario 1 and scenario 2. In this case, the branch office network is connected to the main office network either via a dedicated leased line or by a site to site VPN connection. The branch office has Internet connectivity using a high-speed but cost effective broadband connection.
In many circumstances, broadband providers do not allocate dedicated addresses for Internet connections and you are forced to use dynamic addressing on the external interface of the ISA firewall. When this happens, you are forced to use an external DNS server on the external interface of the ISA firewall (almost).
There are a variety of different branch office scenarios. In some cases, the branch office hosts are unmanaged clients and are not members of an Active Directory domain. In other situations, the branch office clients are domain members, and the ISA firewall is also a domain member (which confers a higher level of security to the ISA firewall).
For both managed and unmanaged hosts, it is likely that clients at branch offices will need to be able to resolve names of hosts on the main office network. This requires access to a DNS server that can perform internal name resolution. These hosts also need access to the Internet, which requires external name resolution.
In this scenario, the branch offices have dedicated DNS servers, or DNS servers co-located on domain controllers, or even DNS servers located on the ISA firewall itself. The ISA firewall is configured to use the Internal DNS server on its internal interface, and the internal interface is moved to the top of the interface list, which makes the internal interface the preferred interface for name resolution.
DNS settings on the external interface
You have several options for dealing with the DNS settings on the external interface:
- You can leave the DHCP-assigned DNS server address as it is on the external interface.
- You can configure the external interface to use DHCP for IP addressing information but not for DNS server information, and then manually configure the external interface with your internal DNS server address. In this case, you move the external interface to the top of the network interface list so that it becomes the preferred interface for name resolution, and you leave the internal interface's DNS settings empty.
- You can put a router or NAT device in front of the ISA firewall and let the public address be assigned to this front-end device. Then you configure the external interface of the ISA firewall with a static address on the same network ID as the LAN interface of the upstream router or NAT device. In this case, you do not need to enter a DNS server address on the external interface. The internal interface is the only interface with a DNS server list, and the internal interface is moved to the top of the network interface list.
I prefer the last option, because it simplifies the issue of DNS server assignment on the ISA firewall's interfaces and has the added benefit of eliminating the problem the ISA firewall has with some types of dynamic addressing schemes that are used by some cable, DSL or fiber optic providers. Let the broadband router/NAT device handle the dynamic addressing issues, and assign a dedicated address to the external interface of the ISA firewall.
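The second and third options above as netsh.exe commands, added here as an example and not taken from the original article. It assumes the interfaces are named WAN and LAN, that the branch office's internal DNS server is 10.0.0.1, and, for the third option, that the upstream broadband router's LAN side is the constructed placeholder network 192.168.1.0/24 with the router at 192.168.1.1 and the ISA firewall's external interface at 192.168.1.2. The first option needs no commands at all, since it keeps whatever DHCP hands out.

```powershell
# Added example, not from the original article: Scenario 3 external-interface options.
# Assumptions: interfaces named WAN and LAN; internal DNS server 10.0.0.1; for option 3,
# a NAT router at 192.168.1.1 on 192.168.1.0/24 (constructed placeholder addresses).
$InternalDns = '10.0.0.1'

# Option 2: WAN keeps DHCP for its IP address but gets a static DNS list pointing at
# the internal DNS server; LAN carries no DNS list. Because WAN is now the interface
# that resolves names, it must be moved to the top of the binding order in
# Advanced Settings (a GUI step, not scriptable with netsh).
function Set-DnsOnDhcpExternal {
    netsh interface ip set address name=WAN source=dhcp
    netsh interface ip set dns name=WAN source=static "addr=$InternalDns"
    netsh interface ip set dns name=LAN source=static addr=none
}

# Option 3 (the author's preference): the NAT router absorbs the dynamic public address.
# WAN gets a static address on the router's LAN segment and no DNS list at all; LAN is
# the only interface with a DNS list and stays at the top of the binding order.
function Set-StaticExternalBehindNat {
    netsh interface ip set address name=WAN source=static addr=192.168.1.2 mask=255.255.255.0 gateway=192.168.1.1 gwmetric=1
    netsh interface ip set dns name=WAN source=static addr=none
    netsh interface ip set dns name=LAN source=static "addr=$InternalDns"
}

# Apply the preferred layout and confirm that exactly one interface lists DNS servers.
Set-StaticExternalBehindNat
netsh interface ip show dns
```

The two functions are mutually exclusive layouts; whichever you apply, the ISA firewall ends up with a single interface carrying a DNS server list, which is the invariant the rest of this article keeps coming back to.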
Scenario 4: Caching-only DNS server on the ISA firewall
The configuration described in this scenario works both for organizations that have internal DNS servers and those who do not have internal DNS servers. It provides a great deal of flexibility and adds to your overall level of DNS security since this configuration can be used to prevent your internal DNS servers from performing recursion, which eliminates the need for them to ever directly communicate with an Internet DNS server.
Installing a caching-only DNS server on the ISA firewall enables machines on your network to perform Internet host name resolution. Even if you already have a DNS server on the internal network, you can configure the ISA firewall as a caching-only DNS server and configure computers on the internal network to use the ISA Server 2004 machine as their DNS server. If internal network computers need to resolve names on the internal network, or if the ISA firewall needs to resolve names on the internal network (or both), then you can configure the caching-only DNS server on the ISA firewall with a conditional forwarding rule that sends queries for internal domains to your internal network DNS server.
Advantages and disadvantages of the caching-only DNS server
Some advantages and disadvantages of making the ISA firewall a caching-only DNS server include:
- Preventing internal DNS servers from making direct contact with external DNS servers. Internal DNS servers are configured to use the ISA firewall's caching-only DNS server as a forwarder. This eliminates the need for the internal DNS servers to provide recursion.
- Providing a single DNS server for large numbers of hosts enables the ISA firewall's DNS server to cache a large number of DNS query results, which can lead to decreased bandwidth usage for DNS queries.
- No internal domain information is hosted on the DNS server, and the DNS server does not accept queries from external hosts. This prevents attackers and other "curious" individuals from performing zone transfers against the caching-only DNS server on the ISA firewall.
- You cannot use the DNS server on the ISA firewall to provide an external zone for a split DNS infrastructure, since this would expose the DNS server on the ISA firewall to external users. This DNS server must not be exposed to external users because the caching-only DNS server must be able to perform recursion, and you never want external users to use your DNS server to perform recursion (allowing external users to perform recursion using your DNS server can open it up to attack, and also can potentially reduce available bandwidth).
- If you have a busy network, and a large number of DNS queries make it to the ISA firewall, then the UDP connections to the ISA firewall could potentially tax the ISA firewall's resources available to SecureNAT client connections. You should use the ISA Performance Monitor to ascertain the number of DNS connections made to the ISA firewall and the number of pending DNS resolutions and SecureNAT mappings to ascertain if DNS issues may be negatively impacting your ISA firewall's performance.
Locating a caching-only DNS server on the ISA firewall
The procedures required to locate a caching-only DNS server on the ISA firewall include:
- Installing the DNS Server service on the ISA firewall
- Configuring the DNS Server settings on the ISA firewall, including conditional forwarding for internal domains
- Creating Access Rules on the ISA firewall to allow internal hosts to connect to the ISA firewall using the DNS protocol
- Configuring the clients to use the ISA firewall as their DNS server
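The DNS-server side of this procedure (steps 2 and 4, plus the matching change on an internal DNS server so that it stops recursing on its own) as dnscmd.exe and netsh.exe commands. This is an added example and not code from the original article or the product. It assumes the DNS Server service is already installed on the ISA firewall (step 1), that the firewall's internal interface is 10.0.0.254 and the internal DNS server is 10.0.0.1 (the second from the article, the first a constructed placeholder), that the internal zone is the constructed name corp.example.com, and that the Access Rule allowing DNS from the Internal network to the Local Host network (step 3) is created in the ISA Server console.

```powershell
# Added example, not from the original article: caching-only DNS on the ISA firewall.
# Assumptions: DNS Server service already installed; ISA internal interface 10.0.0.254
# (constructed); internal DNS server 10.0.0.1, authoritative for corp.example.com
# (constructed zone name); the ISA Access Rule for DNS is created in the console.
$IsaInternalIp   = '10.0.0.254'
$InternalDns     = '10.0.0.1'
$InternalDomains = @('corp.example.com')

# --- On the ISA firewall ---
# Listen on the internal interface only, so the server is never reachable from the
# external interface even if a rule were misconfigured.
dnscmd /ResetListenAddresses $IsaInternalIp
# Recursion stays enabled (NoRecursion 0): that is how this server resolves Internet names.
dnscmd /Config /NoRecursion 0
# Conditional forwarding: queries for internal domains go to the internal DNS server.
# /Slave means "do not fall back to recursion for this domain" if the forwarder fails,
# so internal names are never looked up on the Internet.
foreach ($zone in $InternalDomains) {
    dnscmd /ZoneAdd $zone /Forwarder $InternalDns /Slave
}
# The firewall itself resolves through its own caching-only server, on LAN only.
netsh interface ip set dns name=LAN source=static "addr=$IsaInternalIp"
dnscmd /Info   # review the resulting server settings

# --- On the internal DNS server (run locally there, or remotely by name) ---
# Forward everything it is not authoritative for to the ISA firewall; /Slave stops it
# from recursing to Internet DNS servers itself when the forwarder does not answer.
# Do not set /NoRecursion 1 here: in Windows DNS that also disables forwarders.
dnscmd $InternalDns /ResetForwarders $IsaInternalIp /Slave

# --- On an internal client (step 4) ---
netsh interface ip set dns "name=Local Area Connection" source=static "addr=$IsaInternalIp"
```

After applying this, a query from an internal client for a name in corp.example.com should be answered via the forwarder (the internal server), a query for an Internet name should be resolved by the ISA firewall's own recursion, and a query sent to the firewall's external address should get no answer at all because nothing is listening there.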