ISA Server 2004 blocking outgoing DNS

Discussion in 'Windows Small Business Server' started by Karl Middleton, Aug 7, 2005.

  1. Hi NG,

    Still more ISA server 2004 woes.

    After working fine for 3 days, the ISA Server 2004 now seems to be blocking
    DNS requests to the ISP's DNS server for resolving external addresses.

    I can't see which rules are affecting this.

    Stopping and restarting DNS and Netlogon briefly lets it work for a few
    minutes but then it stops again.

    Where do I look in ISA 2004 to fix this?

    Karl from Oz
    Karl Middleton, Aug 7, 2005
    1. Advertisements

  2. Why do you think that? What errors?

    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Aug 7, 2005
    1. Advertisements

  3. "Why do I think that".... because it doesn't work, that's why.

    A ping of an external address doesn't resolve the name so the ping fails. In
    the event log, the SMTP service is failing with errors stating that it can't
    resolve names. Using IE gives an error page from ISA server where it states
    that it believes it is a DNS error. So it is walking like a duck, quacking
    like a duck so it must be........ a duck? In other words all the diagnostic
    messages are saying or pointing to external name resolution problems

    Opening up the firewall rules list and showing system policies shows the DNS
    rule as set with all networks having access (internal, localhost, and
    external). Turning on the monitoring shows the attempt to resolve to the ISP
    DNS IP address but no result. The Netgear ADSL modem/router/firewall is
    configured to port forward everything to the SBS box and there are NO
    outgoing filters set and no intrusion detection or portscan filters set: in
    other words it is passive. Rebooting the server and/or the modem makes
    little difference. Occasionally it seems that the odd resolution gets
    through because we might get half a web page but then it fails with the ISA
    error stating that DNS appears not to be working.

    What do I look for in ISA 2004 to confirm or otherwise that DNS is getting
    out? I am unfamiliar with its logs and messages so do not yet know what is
    "normal" behaviour.


    Karl from Oz
    Karl Middleton, Aug 8, 2005
  4. I think you're barking up the wrong tree, sounds to me like ISA is allowing
    the DNS queries but either the ISPs DNS servers are flakey or there is a
    problem relating to EDNS0 queries.

    first I'd try the work around from
    DNS query responses do not travel through a firewall in Windows Server 2003;en-us;828263&Product=winsvr2003

    then maybe try running the CEICW and putting the router's IP address in as
    the DNS answer.

    or maybe remove the forwarders from the DNS console completely and rely on
    'root hints'.

    EDNS0 is the most likely candidate.

    SuperGumby [SBS MVP], Aug 8, 2005
  5. SuperGumby, you are right!

    The problem is solved. It turns out that the ISP had a problem where two
    sites in their system had the same static IP address: ours. We chose to get
    them to change our static IP address to something different rather than wait
    for them to track down where and how the second device/host was using our IP
    address. Lord knows how the routing worked to allow us to VPN in but not DNS
    out of the server! They are now updating our DNS entries for hostname and MX
    records so we will be without mail for about 24 hours while that propogates
    to the big wide world.

    Turns out the logs ISA was giving out were showing as healthy but given the
    devil's job we had trying to get it working we were unsure if things were
    OK. ISA and SBS was doing the right thing and forwarding the DNS query but
    the ISP was not getting it. Most likely the phantom on the second copy of
    our IP address was getting the reply and probably thought it was under a
    spoof attack!

    Thanks for taking the time to reply.

    Karl from Oz

    Karl Middleton, Aug 8, 2005
  6. dunno how that makes me right but I'm glad to hear you have resolved the
    SuperGumby [SBS MVP], Aug 8, 2005
  7. You were right 'cos is was an ISP DNS issue!

    You are in Melbourne, Australia, right?

    I owe you a beer!

    Karl from Oz
    Karl Middleton, Aug 8, 2005
  8. Sydney AU, so if you're ever in Lane Cove it's your shout. :)
    I can often be found during the evening in The Longueville Hotel, just ask
    for Mick Malloy. The barmaid's will take your money and reserve the glass if
    I'm not there.

    HINT: Never joke about an offer of alchohol to an MVP. There are some
    things, only important ones, we take seriously :)
    SuperGumby [SBS MVP], Aug 8, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.