ISA Firewall Question of the Day Sunday Edition: DNS and Firewall Clients
Hey Tom, I love the new site. Much more functional and faster than the last one. I just finished reading your DNS Best Practices article on your blog and thought maybe you could answer a question for me. I posted this on the forums but have been less than impressed with the responses.
I have a few Internet users configured to use only the Firewall Client with ISA 2004. When a user goes to any website, such as www.google.com, there is a delay of roughly a few seconds, and then the request goes through and the page is loaded. This does not happen with Web Proxy clients, which load the page immediately.
I performed a network capture of the request and it shows several DNS queries for www.google.com directed to our Internal DNS servers first, which currently fail as they cannot resolve external DNS queries, then the Firewall Client does its thing and the request goes through and the page loads.
After doing some research I see lots of people using forwarders on their Internal DNS servers to fix performance problems. I tried this in the lab and it definitely fixes the problem.
I simply want to know, is it normal behaviour for Firewall Clients to query the Internal DNS servers first, then use the control channel of the firewall client to perform the request?
Anything I read says no, but I cannot seem to find a way to fix this, other than using DNS forwarding from our internal DNS servers. Your help is greatly appreciated.
Thanks for the kind words about the site!
First, let's look at how things are supposed to work. When the Firewall client intercepts a connection request from a Winsock application, name resolution is handled by the ISA Firewall, not by the client system. After the ISA Firewall resolves the name of the destination site, it proxies the request to the destination host.
Second, Web proxy clients also have name resolution done by the ISA Firewall rather than by the client system. So both Web proxy and Firewall clients let the ISA Firewall resolve host names on their behalf.
Because the ISA Firewall needs to resolve external host names as well as internal host names (it must resolve internal names if it is a domain member, which it should be for the highest level of security), you should configure the ISA Firewall to use an internal DNS server that can resolve both internal and external host names.
The primary reasons for using a forwarder are:
- Security: You should avoid allowing your internal DNS servers to contact untrusted DNS servers on the Internet. You can do this by creating a caching-only DNS server on the corporate network and using it as the forwarder, so that it is the only DNS host that needs to talk to the Internet.
- Performance: The forwarder will typically have a much larger cache than your own DNS servers, so it can often answer a query without performing recursion. This can significantly improve performance, provided the forwarder is well managed and not so overloaded that its response times suffer.
(NOTE: If you have an unsophisticated firewall, such as a PIX, in front of the ISA Firewall, you may need to configure it to permit EDNS0, which allows DNS responses over UDP larger than the traditional 512 bytes, or replace the unintelligent firewall.)
The level of security and performance a DNS forwarder can provide depends on what device you use as your forwarder. Poorly managed ISPs will not have provisioned their DNS servers appropriately, and you might find that using their machines as forwarders actually slows down your name resolution attempts. On the other hand, a well-managed ISP will have high-performance DNS servers that can return responses much faster than one of your internal DNS servers (or an internal caching-only forwarder) can perform recursion.
The same issues apply to security. Many large ISPs run versions of BIND that are not secure and have not taken any steps to fix the problem. In that case, you will want to use your own internal caching-only DNS server as the forwarder, although you then lose the benefit of the large cache on the ISP's DNS server, since your own caching-only DNS server will have to perform recursion itself.
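The forwarder layout described above, as an added example that is not part of the original post: a caching-only Windows DNS server on the corporate network acts as the forwarder, and the internal (Active Directory) DNS servers are set to forward-only so they never recurse on the Internet themselves. It uses dnscmd, which ships with the Windows Server DNS role and the Support Tools of that era; the names DC1 and DC2 and the address 10.0.0.53 are assumptions chosen for the illustration.

```powershell
# Added example (not from the original post). Assumed environment:
#   10.0.0.53  caching-only Windows DNS server, no zones, used as the forwarder
#   DC1, DC2   internal AD-integrated DNS servers that currently fail external lookups
$Forwarder   = '10.0.0.53'
$InternalDns = 'DC1', 'DC2'

# 1. Caching-only forwarder: recursion on (the default), no forwarders of its own,
#    so it resolves from the root hints and builds the shared cache.
dnscmd $Forwarder /Config /NoRecursion 0
dnscmd $Forwarder /ResetForwarders

# 2. Internal DNS servers: forward everything they are not authoritative for to the
#    caching-only box. /Slave means "forward only": if the forwarder does not answer,
#    the server fails the query instead of recursing to untrusted Internet servers.
foreach ($srv in $InternalDns) {
    dnscmd $srv /ResetForwarders $Forwarder /Timeout 5 /Slave
}

# 3. Workaround for an EDNS0-unaware packet filter (the PIX case) that drops DNS/UDP
#    replies larger than 512 bytes: stop the forwarder advertising EDNS0. Fixing or
#    replacing the filter is preferable, so this line stays commented out.
# dnscmd $Forwarder /Config /EnableEDnsProbes 0

# 4. Check: each internal server should list the forwarder and now answer an external
#    name. Repeating the nslookup should return a decreasing TTL, showing the answer
#    came from the forwarder's cache rather than a fresh recursion.
foreach ($srv in $InternalDns) {
    dnscmd $srv /Info /Forwarders
    nslookup -type=A www.google.com $srv
}
```

With this in place, the only host that needs outbound DNS (UDP and TCP port 53) through the ISA Firewall is the caching-only forwarder, so the access rule can be limited to that one source address, which is what the security point above is about.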
So, to answer your questions:
- A DNS forwarder can improve performance
- A DNS forwarder has no effect on how the Firewall client performs name resolution
- Firewall clients will allow the ISA Firewall to perform name resolution on their behalf
- Firewall clients will perform name resolution themselves for domain names listed on the Domain Name tab for the ISA Firewall Network; this enables Direct Access to internal resources for Firewall clients
- Web proxy clients will always allow the ISA Firewall to perform name resolution on their behalf, except for those sites configured for Direct Access