One of the most persistent problems I've encountered when ISA firewall administrators ask me to troubleshoot their setups is misconfiguration of the IP addressing information on the ISA firewall's interfaces. The two most common configuration errors ISA firewall admins make when configuring the firewall's interfaces are:
- Assigning multiple default gateways on the firewall
- Misconfiguring the DNS settings on the firewall
The problem of multiple default gateways is easy to recognize and fix. An administrator with multiple default gateways will see errors in the ISA firewall logs and the Windows Event Viewer and will experience intermittent connectivity problems. The fix is as simple as the diagnosis: remove all default gateways except one, normally the gateway on the external interface that is closest to the ISP router. DNS configuration problems, unfortunately, are harder to diagnose and harder still to fix.
Why proper DNS settings on the ISA firewall matter
Why should you care about configuring proper DNS settings on the ISA firewall? Getting the DNS configuration right on the ISA firewall matters for several reasons:
- To allow the ISA firewall to find itself. In certain scenarios, if the ISA firewall cannot resolve its own name, configuration errors that are difficult to troubleshoot will occur. The ISA firewall should always be able to resolve its own name.
- To allow the ISA firewall to perform DNS host name resolution on behalf of Firewall clients.
- To allow the ISA firewall to perform DNS host name resolution on behalf of Web proxy clients.
- To allow the ISA firewall to perform forward or reverse lookups when FQDNs or IP addresses are used to connect to sites. Forward and reverse lookups are critical to access control: without them, a user could bypass a rule that blocks a site by FQDN simply by connecting to its IP address, or bypass a rule that blocks a site by IP address by using its FQDN.
- To allow the domain member ISA firewalls to find domain controllers to authenticate Web proxy and Firewall clients.
- To allow the ISA firewall to resolve the names of internal servers published using Web Publishing Rules.
- To allow the ISA firewall to find computers on the corporate network using the Browse button in a number of ISA firewall policy configuration interfaces.
- To allow the ISA firewall to find RADIUS servers based on the RADIUS server's FQDN on the corporate network.
In most circumstances you'll want the ISA firewall to correctly resolve names on both the corporate network and the Internet. In very small business scenarios and other special purpose scenarios, you might only want the ISA firewall to be able to resolve Internet host names.
How Windows DNS name resolution works
According to the Windows Server 2003 Technical Reference, the DNS Client service queries the DNS servers in the following order:
- First, the DNS Client service sends the name query to the first DNS server on the preferred adapter's list of DNS servers. It waits one second for a response.
- If there is no response from the first DNS server within one second, it sends the name query to the first DNS server on all adapters that are still under consideration. This time it waits two seconds for a response.
- If there is no response from any DNS server within two seconds, the DNS Client service will send the query to all DNS servers on all adapters that are still under consideration. Again, it waits two seconds for a response.
- If there is still no response from any DNS server, the DNS Client service will send the name query to all DNS servers on all adapters that are still under consideration and wait four seconds for a response.
- Finally, if there is still no response from any DNS server, the client service will send the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
The DNS Client service stops querying for the name as soon as it receives a positive response. It adds the response to the DNS cache and then returns the response to the calling application. If there is no response from any server after step five (after the eight-second wait), the query times out. If no DNS server on a given adapter has responded at all, the DNS Client service answers every query destined for the servers on that adapter with a time-out for the next 30 seconds; it does not send queries to those servers during that period.
At any time during this process, if the DNS Client service receives a negative response from any server, it removes every server on that adapter from consideration for the rest of the search. The DNS Client service also keeps track of which servers answer name queries most quickly, and servers are moved up or down the list based on how quickly or slowly they reply.
All of this is predicated on the assumption that the query process ends with a positive response being returned to the client. That's not always the case. There are four kinds of answer a query can return:
- A positive answer (an RR set that matches the DNS domain name and record type specified in the query message).
- A positive authoritative answer (a positive answer delivered with the authority bit set in the DNS message, indicating that the answer came from a server with direct authority for the queried name).
- A referral answer (additional RRs that were not requested by name or type in the query; this type of answer is returned to the client when the server does not perform recursion).
- A negative answer (the queried name, or the requested record type for that name, does not exist).
If the server returns a negative response, one of two things happened when it tried to resolve the query fully and authoritatively. Either an authoritative server reported that the queried name does not exist in the DNS namespace, or an authoritative server reported that the name exists but has no records of the requested type.
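The distinction between these answer types is visible in the DNS message itself: the RCODE, the AA flag, and which sections carry records. As an added example (written for this edit, not code from the original article or from ISA Server), the Python script below builds a query, parses the reply and classifies it into the four answer types above. The query_server function can be pointed at the address on which the ISA firewall's DNS server listens; the sample replies at the bottom are constructed in code, and the 192.0.2.10 address and ns1.example name in them are made up.

```python
"""Build a DNS query, parse the reply and classify it as positive, positive
authoritative, referral or negative. Sample replies below are constructed."""
import random
import socket
import struct

A, NS, SOA = 1, 2, 6          # record types used here

def _encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=A, txid=None):
    """One-question standard query with recursion desired (RD=1)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)

def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # pointer to an earlier name
            end = end or offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def _read_rrs(msg, offset, count):
    rrs = []
    for _ in range(count):
        name, offset = _read_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == NS:
            rdata = _read_name(msg, offset)[0]
        offset += rdlen
        rrs.append((name, rtype, ttl, rdata))
    return rrs, offset

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                  # skip the echoed question
        offset = _read_name(msg, offset)[1] + 4
    answers, offset = _read_rrs(msg, offset, an)
    authority, offset = _read_rrs(msg, offset, ns)
    additional, _ = _read_rrs(msg, offset, ar)
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "answers": answers, "authority": authority, "additional": additional}

def classify(resp):
    """Map a parsed reply onto the answer types a resolver can receive."""
    if resp["rcode"] == 3:
        return "negative (NXDOMAIN)"                     # name does not exist
    if resp["rcode"] != 0:
        return "error (rcode %d)" % resp["rcode"]
    if resp["answers"]:
        return "positive authoritative" if resp["aa"] else "positive"
    if any(rr[1] == NS for rr in resp["authority"]):
        return "referral"                                # NS records, no answer, AA clear
    return "negative (NODATA)"                           # name exists, no records of this type

def query_server(name, server_ip, timeout=2.0):
    """Send the query over UDP to server_ip:53 (e.g. the ISA firewall's DNS listener)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data = s.recv(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return resp

def build_response(query, rcode=0, aa=False, answers=(), authority=()):
    """Constructed reply for offline testing: echoes the question, sets QR/RD/RA."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], flags,
                         1, len(answers), len(authority), 0)
    rrs = b""
    for name, rtype, ttl, rdata in list(answers) + list(authority):
        rrs += _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + rrs

def sample_classifications():
    """Five constructed replies, one per answer type; names and addresses are made up."""
    q = build_query("www.isaserver.org", txid=0x1234)
    addr = socket.inet_aton("192.0.2.10")
    soa = (_encode_name("ns1.example.") + _encode_name("hostmaster.example.")
           + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
    cases = {
        "cached A from the ISA firewall": build_response(q, answers=[("www.isaserver.org", A, 300, addr)]),
        "A from an authoritative server": build_response(q, aa=True, answers=[("www.isaserver.org", A, 3600, addr)]),
        "referral to the zone's servers": build_response(q, authority=[("isaserver.org", NS, 172800, _encode_name("ns1.example."))]),
        "no such name": build_response(q, rcode=3, authority=[("isaserver.org", SOA, 300, soa)]),
        "name exists, no A record": build_response(q, aa=True, authority=[("isaserver.org", SOA, 300, soa)]),
    }
    return {label: classify(parse_response(msg)) for label, msg in cases.items()}

if __name__ == "__main__":
    for label, kind in sample_classifications().items():
        print(f"{label:32} -> {kind}")
```

When you run query_server against the ISA firewall's DNS listener from a client, an Internet name should come back as a plain positive answer (the caching-only server is not authoritative for anything), an internal name should come back positive as well via the conditional forwarder, and a name that does not exist should come back as NXDOMAIN rather than a time-out.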
Concepts behind configuring the ISA firewall and network clients to use the ISA firewall as their DNS server
The ISA firewall must be configured to use itself as its DNS server. The DNS server entry belongs on the ISA firewall's internal interface, pointing at that interface's own IP address, not on the external interface. In addition, make sure that the internal interface is at the top of the interface binding order (Advanced Settings in the Network Connections window), so that it is the preferred adapter in the query order described above.
All other hosts on the corporate network must also be configured to use the ISA firewall as their DNS server, and only the ISA firewall. Don't get ambitious and add the DNS server on the internal network as a second DNS server entry on the network clients! Remember how the DNS Client service behaves: once the first server is slow to answer it fans the query out to every server on the adapter, it accepts the first negative response it receives and drops the other servers on that adapter from the search, and it reorders servers by response time. The internal network's DNS server cannot resolve Internet host names, so as soon as a SecureNAT client's query reaches it the client receives a negative answer for the Internet name and never sees the answer the ISA firewall would have returned. The only DNS server on the network that can resolve Internet host names in this scenario is the DNS server on the ISA firewall itself.
The best way to approach DNS server assignment for network clients is to hand out the IP address on which the ISA firewall listens for DNS queries (its internal interface address) through DHCP. You configure this in the options of the DHCP scope used by network clients. Your other option is to manually configure each client with that ISA firewall address as its only DNS server.
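To see why the second DNS server entry is harmful, here is an added Python model of the five-round query procedure from the previous section (example code written for this edit, not code from the original article or from ISA Server). It assumes an internal DNS server at 10.0.0.2 that answers its own msfirewall.org zone in 50 ms and answers everything else negatively because it has no path to the Internet, and an ISA firewall DNS server at 10.0.0.1 with a conditional forwarder for msfirewall.org whose first, cold recursive lookup of an Internet name takes 3.5 seconds and whose cached answers take 20 ms. All timings, the 10.0.0.3 host address and the 192.0.2.10 Internet address are made up.

```python
"""Model of the Windows Server 2003 DNS Client query order described above,
run against two client configurations. Servers, latencies and addresses
are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Reply = Tuple[str, Optional[str], float]       # ("positive"|"negative", data, seconds)

@dataclass
class DnsServer:
    ip: str
    lookup: Callable[[str], Optional[Reply]]   # None: the server never answers

@dataclass
class Adapter:
    name: str
    servers: List[DnsServer]                   # preference order; fast responders move up

# The five rounds from the text: which servers get the query, and how long to wait.
ROUNDS = [("first server, preferred adapter", 1.0), ("first server, all adapters", 2.0),
          ("all servers", 2.0), ("all servers", 4.0), ("all servers", 8.0)]

def resolve(name: str, adapters: List[Adapter]):
    """Run the five rounds for one name; return (kind, data, elapsed_seconds, trace)."""
    live = list(adapters)        # adapters still under consideration
    pending = {}                 # server ip -> (reply, arrival time); each server asked once
    elapsed, trace = 0.0, []
    for number, (scope, wait) in enumerate(ROUNDS, 1):
        if not live:
            break                # a negative answer removed the last adapter
        if scope == "first server, preferred adapter":
            targets = [(live[0], live[0].servers[0])]
        elif scope == "first server, all adapters":
            targets = [(a, a.servers[0]) for a in live]
        else:
            targets = [(a, s) for a in live for s in a.servers]
        for adapter, server in targets:
            if server.ip not in pending:         # retransmits do not speed the server up
                reply = server.lookup(name)
                pending[server.ip] = (reply, None if reply is None else elapsed + reply[2])
        deadline = elapsed + wait
        arrivals = [(pending[s.ip][1], a, s, pending[s.ip][0]) for a, s in targets
                    if pending[s.ip][0] is not None and pending[s.ip][1] <= deadline]
        if not arrivals:
            elapsed = deadline
            trace.append(f"round {number} ({scope}): no reply within {wait:.0f}s")
            continue
        arrival, adapter, server, (kind, data, _) = min(arrivals, key=lambda x: x[0])
        elapsed = arrival
        trace.append(f"round {number} ({scope}): {server.ip} answered {kind} at {arrival:.2f}s")
        if kind == "positive":
            adapter.servers.remove(server)       # fastest responder moves to the top
            adapter.servers.insert(0, server)
            return kind, data, round(elapsed, 2), trace
        live.remove(adapter)                     # negative answer: drop this adapter
    return ("negative" if not live else "timeout"), None, round(elapsed, 2), trace

INTERNAL_ZONE = ".msfirewall.org"

def make_internal_server() -> DnsServer:
    """Internal DNS server (assumed 10.0.0.2), authoritative for msfirewall.org. Assumed to
    answer its own zone in 50 ms and everything else negatively (no path to the Internet)."""
    def lookup(name):
        if name.endswith(INTERNAL_ZONE):
            return ("positive", "10.0.0.3", 0.05)    # made-up address for the host
        return ("negative", None, 0.05)
    return DnsServer("10.0.0.2", lookup)

def make_isa_server(internal: DnsServer) -> DnsServer:
    """Caching-only DNS server on the ISA firewall (10.0.0.1) with a conditional forwarder for
    msfirewall.org. Assumed: forwarding adds 250 ms, a cold recursive Internet lookup takes
    3.5 s, a cached answer 20 ms."""
    cache = {}
    def lookup(name):
        if name.endswith(INTERNAL_ZONE):
            kind, data, latency = internal.lookup(name)
            return (kind, data, latency + 0.25)
        if name in cache:
            return ("positive", cache[name], 0.02)
        cache[name] = "192.0.2.10"                   # made-up Internet address
        return ("positive", cache[name], 3.5)        # cold lookup: full recursion
    return DnsServer("10.0.0.1", lookup)

def demo():
    """Resolve an internal name, then an Internet name twice, from both client setups."""
    results = {}
    for label, second_server in (("ISA only", False), ("ISA + internal", True)):
        internal = make_internal_server()
        isa = make_isa_server(internal)              # fresh, cold cache per client
        client = [Adapter("LAN", [isa, internal] if second_server else [isa])]
        results[label] = []
        for name in ("exchange2003be.msfirewall.org", "www.isaserver.org", "www.isaserver.org"):
            kind, data, elapsed, _ = resolve(name, client)
            results[label].append((name, kind, data, elapsed))
    return results

if __name__ == "__main__":
    for label, rows in demo().items():
        for name, kind, data, elapsed in rows:
            print(f"{label:15} {name:32} {kind:9} {data or '-':12} {elapsed:5.2f}s")
```

Compare the two clients: with the ISA firewall alone, the Internet name resolves in round three, slowly but correctly, and the second lookup is answered from the ISA firewall's cache in 20 ms. With the internal DNS server as a second entry, round three also queries the internal server, whose immediate negative answer ends the search, and the client never sees the positive answer the ISA firewall produces half a second later. The model leaves out the DNS Client's negative caching, which in practice keeps such a failure in place for a while and makes it look intermittent.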
Installing the DNS service
We will focus on installing and configuring the DNS Server service on a Windows Server 2003-based ISA firewall. Perform the following steps to install the DNS Server service on the ISA firewall:
- Click Start, point to Control Panel and click Add or Remove Programs.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button.
- In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
- In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox, as shown in Figure A, and click OK.
|Use the Add/Remove Programs applet to install DNS services|
- Click Next in the Windows Components dialog box.
- Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder from the installation CD in the Copy files from text box, and then click OK.
- Click Finish on the Completing the Windows Components Wizard page.
- Close the Add or Remove Programs window.
The DNS Server on the ISA firewall machine performs DNS queries for Internet host names. The DNS Server on the ISA firewall should be configured as a caching-only DNS server, or a caching-only DNS server with conditional forwarding rules.
A caching-only DNS Server does not contain information about your public or private DNS names. The caching-only DNS Server can resolve Internet host names and cache the results, but it does not answer DNS queries for names on your private internal network DNS zone or your public DNS zone.
A caching-only DNS server with a conditional forwarding rule uses recursion to resolve all names except those in the domains listed in the conditional forwarding rule, which it sends to the forwarder instead. You would use this configuration if you have an Active Directory or other DNS domain-based network and you want the ISA firewall to resolve both external names (via recursion) and internal names (via conditional forwarding).
Perform the following steps to configure the DNS service on the Windows Server 2003 computer:
- Open the DNS console (Start, Administrative Tools, DNS), right-click the server name and click Properties. On the Forwarders tab in the DNS Server's Properties dialog box, click the New button.
- In the New Forwarder dialog box, as shown in Figure B, enter the domain name for your internal network DNS domain, and then click OK.
|Enter the domain name for your internal network DNS domain in the New Forwarder dialog box|
- In the DNS server's Properties dialog box, select the domain name you entered in the New Forwarder dialog box. Enter the IP address of a DNS server on your internal network that can resolve names in this domain in the Selected domain's forwarder IP address list and click Add. Put a checkmark in the Do not use recursion for this domain checkbox, as shown in Figure C. You do not want the ISA firewall to attempt recursion if the forwarder fails, since the ISA firewall has no other way to resolve names in that domain and a recursive lookup against the Internet would simply fail. Click Apply.
|Configure the forwarders not to use recursion for this domain|
- Click the Advanced tab. Confirm that the Secure cache against pollution checkbox is enabled. This is the default setting on Windows Server 2003 DNS servers, but you should confirm that this setting is enabled. Click Apply.
- Click OK in the DNS server's Properties dialog box.
Creating Access Rules on the ISA firewall to allow internal hosts to connect to the ISA firewall using the DNS Protocol
An Access Rule must be created to allow computers on ISA firewall Protected Networks to access the DNS server on the ISA firewall. In this example, the DNS server on the ISA firewall is configured to listen only on the IP address bound to the ISA firewall's Internal Network interface. When we create the Access Rule, we do not need to specify this address as the destination, because the rule will allow only source addresses on the Internal Network to reach the DNS server on the Local Host.
Perform the following steps to create the DNS Access Rule allowing hosts to perform DNS queries against the DNS server on the ISA firewall:
- In the ISA firewall console, expand the server name in the left pane and then click the Firewall Policy node.
- Click the Tasks tab in the Task Pane and then click the Create New Access Rule link.
- On the Welcome to the New Access Rule page, enter a name for the rule in the Access Rule name text box. In this example we'll name the rule DNS Internal to Local Host. Click Next.
- Select the Allow option on the Rule Action page and click Next.
- On the Protocols page, select the Selected Protocols option on the This rule applies to list and click Add.
- In the Add Protocols dialog box, click the Common Protocols folder, shown in Figure D, and then double click the DNS protocol. Click Close.
|Double-click the DNS protocol in the Add Protocols dialog box|
- Click Next on the Protocols page, as shown in Figure E.
|DNS should now appear on the Protocols page of the wizard|
- Click Add on the Access Rule Sources page.
- In the Add Network Entities dialog box, double click the Internal entry and click Close. Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button.
- In the Add Network Entities dialog box, double click the Local Host entry and click Close. Click Next on the Access Rule Destinations page.
- On the User Sets page, accept the default setting, All Users, and click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
Testing the configuration
After the ISA firewall and the clients are configured to use the ISA firewall's DNS server to resolve both internal and external names, you can test the configuration. Figure F shows a Network Monitor trace of a corporate network's SecureNAT client connecting to the www.isaserver.org Web site. The SecureNAT client's IP address is 10.0.0.5 and the ISA firewall's DNS server address is 10.0.0.1. You can see that the client has sent several DNS queries to access content on the www.isaserver.org home page.
|Use Network Monitor to test the DNS configuration|
Figure G shows the DNS communications involved with the SecureNAT client connecting to a resource on the corporate network domain:
|Monitoring DNS communications of a SecureNAT client|
Here's how it works:
- The first line (on top) shows the SecureNAT client sending a query for exchange2003be.msfirewall.org to the DNS server on the ISA firewall.
- The second line shows the DNS server on the ISA firewall sending a query for exchange2003be.msfirewall.org to the DNS server on the internal network.
- The third line shows the internal network DNS server sending its response to the ISA firewall's DNS server.
- The last line shows the ISA firewall returning the results to the SecureNAT client.
The result of the DNS query is cached on the ISA firewall, so the DNS server on the ISA firewall won't have to issue another query to the internal DNS server until the TTL on the record has expired.
Start with the basics
Proper DNS settings on the ISA firewall are critical to the name resolution functions the ISA firewall relies on to perform its security and access control functions. DNS by itself is usually a fairly easy service to configure, but when you add ISA Server 2004 to the picture, things become more complicated. Once you understand the basics of how DNS and ISA work together, you can solve problems when they arise.