Correct DNS settings on the ISA Server firewall are vital to avoid
conflicts with ISA Server. There is a lot of information to take in here, but
the gist is that incorrect DNS configuration on the ISA firewall’s interfaces
can lead to name resolution failures, or very poor performance due to DNS name
resolution delays. This article’s main goal is to provide you with the
information you need to prevent these problems. Toward that end, we’ll look at
four real-world scenarios and how to properly configure the DNS settings in
each situation.
Scenario 1: No internal DNS servers; static or dynamic address on the external
interface of the ISA firewall
Our first scenario addresses networks that do not have
internal DNS servers. These are either very small networks or special purpose
networks, such as the temporary “ad hoc” networks created for LAN
parties, meetings or similar events. The common thread in the “no Internal
DNS servers” scenario is that there is no need to resolve DNS host names
on the corporate network. The only DNS names that need to be resolved are those
on the Internet.
In this scenario, you only need to include the IP address or
addresses of public DNS servers, typically those provided by your ISP. If you
have a dynamic address on the external interface of the ISA firewall, then your
ISP has assigned you a DNS server list along with other IP addressing
information and there’s no reason to make any changes. If you have a static IP
address on the external interface of the ISA firewall, then you can configure
the internal interface of the ISA firewall to be the preferred adapter and
enter your public DNS server addresses on the internal interface.
Configuring the internal interface as the preferred network interface
Perform the following steps to configure the internal
interface as the preferred network interface:
- Right click on the My
Network Places icon on the desktop and click Properties.
- In the Network
Connections window, right click on each of your interfaces and click the Rename command. Rename each of the
interfaces to give them meaningful names. In this example, we’ve renamed the
three interfaces on the ISA firewall to WAN,
LAN and DMZ as shown in Figure A.
- Click the Advanced menu in the Network Connections
window and click Advanced Settings.
- In the Advanced Settings dialog box, click the internal
interface of the ISA firewall and click the up pointing arrow until the
internal interface is on the top of the interface list, as shown in Figure B.
Then click OK.
- Double click on the internal interface.
- In the interface’s Status dialog box, click the Properties button.
- In the interface’s Properties dialog box, double click the Internet
Protocol (TCP/IP) entry in the This Connection Uses The Following Items list.
- In the Internet
Protocol (TCP/IP) Properties dialog box, enter the public DNS server
addresses in the Preferred DNS Server
and Alternate DNS server text boxes.
- Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
- Click OK in the interface’s Properties dialog box.
- Click Close in the interface’s Status dialog box.
Figure A: Rename each interface to give them meaningful names
Figure B: Move the internal interface to the top of the list
You only need to manually configure public DNS server
addresses on the internal interface when your ISP or another responsible entity
doesn’t provide dynamic addresses for your external interface. No interface
other than the external interface should ever have a dynamic IP address and the
only interface that should ever be configured to use DHCP to receive addressing
information is the external interface.
Scenario 2: Corporate environment with dedicated internal DNS servers and static
IP addresses on external interface of the ISA firewall
Scenario 2 is a much more common scenario than the first
one. In this situation, the company has one or more internal DNS servers and
static addresses on the external interface of the ISA firewall. In this case,
you configure the ISA firewall to use a DNS server that can resolve both
internal and external host names. The
interface on the ISA firewall that is configured with the DNS server address is
the one closest to the DNS server on the internal network.
The key here is that the ISA firewall must have access to a
DNS server that can resolve both internal names and external names. The DNS server must be able to resolve internal
names so that the ISA firewall can find itself, domain controllers, published
Web servers, RADIUS servers and other infrastructure servers on the network.
The DNS server must be able to resolve Internet host names so that the ISA
firewall can perform name resolution on behalf of Web proxy and Firewall
clients. In addition, SecureNAT clients must be configured to use a DNS server
that can resolve Internet host names to reach the Internet, since the ISA
firewall does not resolve names on behalf of SecureNAT clients.
Implementing the scenario
There are several ways you can implement such a scenario:
- You can use one DNS server that resolves both internal and external names by
configuring that DNS server to perform recursion for names for which that
DNS server is not authoritative.
- You can use one DNS server that resolves both internal and external names by
configuring that DNS server to resolve internal names for which it is
authoritative, and then configure that DNS server to use a forwarder to
resolve names for which the DNS server is not authoritative.
- If you choose to use a forwarder, the forwarder can be located on the ISA
firewall itself, or it can be a dedicated DNS server configured to act as
a caching-only DNS server.
- You can configure a DNS server on the ISA firewall or you can configure a
dedicated DNS server that performs recursion for Internet host names, and
also configure the DNS server to use conditional forwarding to send
queries for internal resources to the internal network DNS server. In this
scenario, the internal network DNS server never needs to handle queries
for resources in domains other than those for which it is authoritative.
There are many more possible scenarios, but these four
capture the overall sense of what we’re trying to accomplish.
Configuring the DNS servers and interfaces
For medium sized environments, one of the most secure DNS
server configurations is to have a dedicated DNS server that resolves Internet
host names using recursion, and is also configured to perform conditional
forwarding for queries to Internal network resources. If you don’t have the
resources to dedicate a DNS server to this duty, you can put the DNS server on
the ISA firewall itself.
For example, suppose you have a dedicated DNS server on the internal
network, and its address is 10.0.0.1. You should configure the
Internal Network interface to use this DNS server. You should not configure any
other DNS server addresses on any other interface. This fact bears repeating:
you should never configure a DNS server list on more than one interface,
unless you have a more sophisticated scenario and understand the implications
of the configuration.
Configuring multiple interfaces for DNS
If you have multiple internal Networks and you have DNS
servers on each of these ISA firewall Networks that are authoritative for your
internal DNS zones and can resolve
Internet host names, then it would be valid to enter DNS server addresses on
multiple interfaces. This is the only circumstance when you should enter DNS
server addresses on more than one interface on the ISA firewall. In all other
circumstances, you should enter your DNS server addresses on one interface
only, and that interface is the primary interface on the ISA firewall (see the
discussion above on configuring DNS server settings on the primary interface).
Another thing you should never do is configure internal-only and
external-only DNS servers on the same interface. In fact, you should never
configure the ISA firewall with an external DNS server unless your network fits
the one discussed in Scenario 1, where you have no need at all for internal
network host name resolution. In every other circumstance, you should never
manually configure an external DNS server address on any interface on the ISA
firewall.
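As an added example (not part of the article), the following PowerShell script audits an ISA firewall’s interfaces against the rules above: only one interface should carry a DNS server list, that interface should be first in the binding order, only the external interface should use DHCP, and no public DNS server should be configured unless you are in Scenario 1. It assumes PowerShell with WMI access is available on the firewall, that the external interface is named WAN as in Figure A, that the binding order is the Bind value under the Tcpip\Linkage registry key, and that “internal” addresses are the RFC 1918 ranges.

```powershell
# Added audit script, not from the article. Assumes PowerShell with WMI access on the
# ISA firewall and that the external interface was renamed WAN as in Figure A.
param(
    [string]$ExternalName = 'WAN',   # assumed name of the external interface
    [switch]$NoInternalDns           # set only for Scenario 1 (no internal DNS servers)
)

function Test-PrivateAddress([string]$ip) {
    # RFC 1918 ranges; any other DNS server address is treated as a public one.
    return ($ip -match '^10\.') -or ($ip -match '^192\.168\.') -or
           ($ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.')
}

# The binding order shown under Advanced Settings is stored as \Device\{GUID} entries;
# the first entry is the preferred interface (assumed registry layout).
$bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$preferredGuid = ([string]($bind | Select-Object -First 1)) -replace '^\\Device\\', ''

$findings = @()
$withDns  = @()
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($cfg in $configs) {
    $nic  = Get-WmiObject Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"
    $name = $nic.NetConnectionID
    $dns  = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
    if ($cfg.DHCPEnabled -and $name -ne $ExternalName) {
        $findings += "$name uses DHCP; only the external interface should."
    }
    if ($dns.Count -eq 0) { continue }
    $withDns += $name
    foreach ($ip in $dns) {
        if (-not $NoInternalDns -and -not (Test-PrivateAddress $ip)) {
            $findings += "$name lists public DNS server $ip; point it at the internal DNS server."
        }
    }
    if ($name -ne $ExternalName -and $cfg.SettingID -ne $preferredGuid) {
        $findings += "$name carries the DNS server list but is not first in the binding order."
    }
}
if ($withDns.Count -gt 1) {
    $findings += "DNS servers are configured on several interfaces: $($withDns -join ', ')."
}
if ($findings.Count -eq 0) { 'DNS interface configuration matches the recommended layout.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it with -NoInternalDns on a Scenario 1 firewall so the public DNS servers on the internal interface are not reported.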
Scenario 3: Branch-office environment with dedicated internal DNS servers
and dynamic address on the external interface of the ISA firewall
This scenario combines elements of both scenario 1 and
scenario 2. In this case, the branch office network is connected to the main
office network either via a dedicated leased line or by a site to site VPN
connection. The branch office has Internet connectivity using a high-speed but
cost effective broadband connection.
In many circumstances, broadband providers do not allocate
dedicated addresses for Internet connections and you are forced to use dynamic
addressing on the external interface of the ISA firewall. When this happens,
you are forced to use an external DNS server on the external interface of the
ISA firewall (almost).
There are a variety of different branch office scenarios. In
some cases, the branch office hosts are unmanaged clients and are not members
of an Active Directory domain. In other situations, the branch office clients
are domain members, and the ISA firewall is also a domain member (which confers
a higher level of security to the ISA firewall).
For both managed and unmanaged hosts, it is likely that
clients at branch offices will need to be able to resolve names of hosts on the
main office network. This requires access to a DNS server that can perform
internal name resolution. These hosts also need access to the Internet, which
requires external name resolution.
In this scenario, the branch offices have dedicated DNS servers,
or DNS servers co-located on domain controllers, or even DNS servers located on
the ISA firewall itself. The ISA firewall is configured to use the Internal DNS
server on its internal interface, and the internal interface is moved to the
top of the interface list, which makes the internal interface the preferred interface for name resolution.
DNS settings on the external interface
You have several options for dealing with the DNS settings
on external interface:
- You can leave the DHCP assigned DNS server
address as it is on the external interface.
- You can configure the DHCP settings on the
external interface to use DHCP for IP addressing information, but not for DNS
server information, and then manually configure the external interface with
your internal DNS server address. In this case, you would move the external interface to the top of the
network interface list so that the external interface is the preferred interface for name resolution,
and you would leave the internal interface’s DNS settings empty.
- You can put a router or NAT device in front of
the ISA firewall and allow the public address to be assigned to this front-end
device. Then you can configure the external interface of the ISA firewall with
a static address on the same network ID as the LAN interface of the upstream
router or NAT device. In this case, you do not need to enter a DNS server
address on the external interface. The only interface with a DNS server list is
the internal interface, and the internal interface is moved to the top of the
network interface list.
I prefer the last option, because it simplifies the issue of
DNS server assignment on the ISA firewall’s interfaces and has the added benefit of eliminating the problem the ISA
firewall has with some types of dynamic addressing schemes that are used by
some cable, DSL or fiber optic providers. Let the broadband router/NAT device
handle the dynamic addressing issues, and assign a dedicated address to the
external interface of the ISA firewall.
Scenario 4: Caching-only DNS server on the ISA firewall
The configuration described in this scenario works both for
organizations that have internal DNS servers and those who do not have internal
DNS servers. It provides a great deal of flexibility and adds to your overall
level of DNS security since this configuration can be used to prevent your
internal DNS servers from performing recursion, which eliminates the need for
them to ever directly communicate with an Internet DNS server.
Installing a caching-only DNS server on the ISA firewall enables
machines on your network to perform Internet host name resolution. Even if you
already have a DNS server located on the internal network, you can configure
the ISA firewall as a caching-only DNS server and configure computers on the
internal network to use the ISA Server 2004 machine as their DNS server. If
internal network computers need to resolve names on the internal network, or if
the ISA firewall needs to resolve names on the internal network (or both), then
you can configure the caching-only DNS server on the ISA firewall with a
conditional forwarding rule that sends queries for internal domains to your
internal network DNS server.
Advantages and disadvantages of the caching-only DNS server
Some advantages and disadvantages of making the ISA firewall
a caching-only DNS server include:
- Preventing internal DNS servers from making
direct contact with external DNS servers. Internal DNS servers are configured
to use the ISA firewall’s caching-only DNS server as a forwarder. This
eliminates the need for the internal DNS servers to provide recursion.
- Providing a single DNS server for large numbers
of hosts enables the ISA firewall’s DNS server to cache a large number of DNS
query results, which can lead to decreased bandwidth usage for DNS queries.
- No internal domain information is hosted on the
DNS server, and the DNS server does not accept queries from external hosts.
This prevents attackers and other “curious” individuals from
performing zone transfers from the caching-only DNS server on the ISA firewall.
- You cannot use the DNS server on the ISA
firewall to provide an external zone for a split DNS infrastructure, since this
would expose the DNS server on the ISA firewall to external users. This DNS
server must not be exposed to external users because the caching-only DNS
server must be able to perform recursion, and you never want external users to
use your DNS server to perform recursion (allowing external users to perform
recursion using your DNS server can open it up to attack, and also can potentially
reduce available bandwidth).
- If you have a busy network, and a large number
of DNS queries make it to the ISA firewall, then the UDP connections to the ISA
firewall could potentially tax the ISA firewall’s resources available to
SecureNAT client connections. You should use the ISA Performance Monitor to
ascertain the number of DNS connections made to the ISA firewall and the number
of pending DNS resolutions and SecureNAT mappings to ascertain if DNS issues
may be negatively impacting your ISA firewall’s performance.
Locating a caching-only DNS server on the ISA firewall
The procedures required to locate a caching-only DNS server
on the ISA firewall include:
- Install the DNS Server service on the ISA firewall.
- Configure the DNS Server settings on the ISA firewall, including conditional
forwarding for internal domains.
- Create Access Rules on the ISA firewall to allow internal hosts to connect to the
ISA firewall using the DNS protocol.
- Configure the clients to use the ISA firewall as their DNS server.
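The following is an added example, not the article’s own procedure: the dnscmd commands that carry out the DNS Server settings step of Scenario 4 on Windows Server 2003 DNS (the service is assumed to be installed already), plus the matching settings on the internal DNS server so that it never performs recursion itself. Assumed values: 10.0.0.254 is the ISA firewall’s internal interface, 10.0.0.1 is the internal DNS server, and corp.example.com is the internal zone; the dnscmd lines run unchanged at a cmd prompt if PowerShell is not available.

```powershell
# Added example, not from the article: dnscmd commands that implement the Scenario 4
# layout on Windows Server 2003 DNS. Assumed values: 10.0.0.254 is the ISA firewall's
# internal interface, 10.0.0.1 is the internal DNS server, corp.example.com is the
# internal zone, and the commands run with administrative rights.
$IsaInternalIp = '10.0.0.254'
$InternalDnsIp = '10.0.0.1'
$InternalZone  = 'corp.example.com'

# --- On the ISA firewall (caching-only DNS server; DNS Server service already installed) ---
# Listen only on the internal interface, so the resolver is never reachable from the
# external network and external hosts cannot use it for recursion.
dnscmd . /ResetListenAddresses $IsaInternalIp
# Recursion stays on here: this server resolves Internet names for internal hosts.
dnscmd . /Config /NoRecursion 0
# Conditional forwarding: queries for the internal zone go to the internal DNS server.
# /Slave stops this server from trying recursion for that zone if the forwarder fails.
dnscmd . /ZoneAdd $InternalZone /Forwarder $InternalDnsIp /Slave
dnscmd . /ClearCache

# --- On the internal DNS server (authoritative for corp.example.com) ---
# Forward everything it is not authoritative for to the caching-only server on the
# ISA firewall; /Slave makes it forwarder-only, so it never recurses to the Internet.
# Do not use "/Config /NoRecursion 1" here: on Windows DNS that also disables forwarders.
dnscmd $InternalDnsIp /ResetForwarders $IsaInternalIp /Slave
# Refuse zone transfers for the internal zone (a single-server zone is assumed).
dnscmd $InternalDnsIp /ZoneResetSecondaries $InternalZone /NoXfr

# --- On one client (normally delivered through DHCP option 6 instead) ---
netsh interface ip set dns "Local Area Connection" static $IsaInternalIp

# The Access Rule allowing the DNS protocol from the Internal network to the
# Local Host network is created in the ISA Server management console, not here.
```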