Running a DNS Server on the ISA Server
By Thomas W Shinder M.D.
A question that comes up quite a bit on these boards is how to run a DNS server on the ISA Server itself. I’m always a bit curious as to why someone would want to run this kind of configuration. A firewall is a security device, and adding services to the firewall machine only serves to weaken the firewall. However, many people seem to be willing to compromise on this issue. Because of that, I decided to document a procedure you can use to install and configure a DNS server on the ISA Server machine.
What are some reasons to run a DNS server on the ISA Server itself? Some I can think of include:
Note that I’m not including the situation where the ISA Server is acting as a secondary DNS Server for an internal network domain. I leave this out because it’s not a defensible configuration. While you might be able to make an argument for putting up a DNS server on an ISA Server for the reasons in the list, I can’t see any rationale for putting a secondary DNS server on the ISA Server.
If you’re stuck with Small Business Server, or if you’re configuring the ISA Server in its own domain (and creating a one-way trust with the internal network domain), then the ISA Server must be a domain controller, and you need to make it both a domain controller and a DNS server. For help on installing an ISA Server on a domain controller, check out my article on this subject at http://www.isaserver.org/pages/article.asp?id=204 for all the details.
In this article we’ll take a look at how to install a DNS server that’s authoritative for your publicly accessible domains on the ISA Server, and how to install a caching-only DNS server on the ISA Server.
Running a Caching-only DNS Server on the ISA Server
If you want to run a DNS server on the ISA Server, the caching-only DNS configuration is probably the most legitimate reason to do so. A caching-only DNS server does not contain any zone data. Internal network clients use the caching-only DNS server to resolve requests on their behalf. Workstations and servers can use the caching-only DNS server as their preferred DNS server, and internal network DNS servers can use the caching-only DNS server as a Forwarder.
In this scenario the machine is configured as a domain member in the internal network domain. The ISA Server software is already installed. There is an "all open" Protocol Rule and the default Site and Content Rule is the only active Site and Content Rule. Packet filtering is enabled.
Perform the following steps to install and configure the caching-only DNS server on the ISA Server computer:
- Click Start and point to Settings. Click on Control Panel.
- In the Control Panel open the Add/Remove Programs applet.
- In the Add/Remove Programs window, click on the Add/Remove Windows Components button.
- In the Windows Components Wizard window, double click on the Network Services entry.
- In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox. Do not select any other networking service. Click OK.
- Click Next in the Windows Components dialog box.
- Click Finish on the Completing the Windows Components Wizard page.
- Click Start, point to Programs and then point to Administrative Tools. Click on the DNS command to open the DNS console.
- In the DNS console, notice that there are no forward or reverse lookup zones. Right click on your server name, point to View and click on the Advanced command. Now you’ll be able to see the Cached Lookups that this server has carried out.
- Right click on the Server name and click the Properties command.
- On the Server’s Properties dialog box, click on the Interfaces tab. Select the Only the following IP addresses option. Select the IP address on the external interface of the ISA Server and click the Remove command. This removes the external IP address from listening for DNS queries. You only want this DNS server to listen for DNS queries on the internal interface. Click Apply.
- If you have a good and reliable ISP that does a good job with their DNS servers, you might want to configure your caching-only DNS server to use your ISP’s DNS server as a Forwarder. If so, click on the Forwarders tab.
- On the Forwarders tab, put a checkmark in the Enable forwarders checkbox. Type in the IP addresses of your ISP’s DNS servers and click the Add button. Make sure to put a checkmark in the Do not use recursion checkbox. If you let your caching-only DNS server perform recursion after a server failure from the forwarder, you’re only slowing things down. Click Apply and then click OK.
- Change the preferred DNS setting on the internal network clients to use the internal IP address of the ISA Server for their DNS server. If you’re using an internal network DNS server, then configure the clients to use the internal network DNS server and configure the internal network DNS servers to use the internal IP address of the ISA Server as their forwarder.
You can now test your caching-only DNS server. Go to an internal network client and run the nslookup command from the command prompt. For example, run nslookup www.zdnet.com. You should get a response that looks like what you see below. The reason why the answer is Non-authoritative is that the answer was returned from the cache of your caching-only DNS server. Visit a few Web sites while you’re at the internal network client.
Go back to the DNS server and look in the DNS console. Refresh the view and expand the nodes under the Cached Lookups node in the left pane of the DNS console. You should see many successful cached lookups in your caching-only DNS server. That’s all there is to it! Creating a caching-only DNS server is easy. However, keep in mind that if you restart the server or the DNS Server service, the entire contents of the DNS cache will be lost.
Publishing a Public DNS Server
The other reason why you would want to put a DNS server on the ISA Server itself is if you want to publish a public access DNS server. There are two ways you can make the DNS Server on the ISA Server available to external network clients:
There isn’t too much difference between the Server Publishing and the Packet Filtering approach, other than that the DNS Application Filter isn’t applied when you use packet filters and you can’t use client address sets to control access with packet filters. The latter issue isn’t important for a public access DNS server, but the DNS application filter is nice to have, so I prefer the Server Publishing approach.
Perform the following steps to publish a public DNS server on the ISA Server computer:
- Install and configure the DNS server in the same way we did it in steps 1 through 11 above. The installation and DNS listener configuration is exactly the same.
- You do not want this server performing recursion for external users. Allowing your public access DNS server to perform recursion is a significant security risk. Make sure that the DNS server is not configured to use a Forwarder. Remove the checkmark from the Enable forwarders checkbox.
- Click on the Advanced tab. Put a checkmark in the Disable recursion checkbox. Also put a checkmark in the Secure cache against pollution checkbox. Click Apply and then click OK. The Disable recursion option prevents the DNS server from resolving DNS queries for domains for which it is not authoritative. The Secure cache against pollution option protects the server from cache poisoning attacks.
- Now that the DNS server is configured, we can publish it with a Server Publishing Rule. Open the ISA Management console and expand your server name. Expand the Publishing node. Right click the Server Publishing Rules node and point to New and click Rule.
- On the Welcome to the New Server Publishing Rule Wizard page, type in the name of the rule; we’ll call this first one DNS Query Server. Click Next.
- On the Address Mapping page, put in the internal IP address in the IP address of the internal server text box, and the IP address of the external interface of the ISA Server in the External IP address on ISA Server text box. Click Next.
- On the Protocol Settings page, select the DNS Query Server protocol and click Next.
- On the Client Type page, select the Any request option and click Next.
- Repeat the steps for creating the Server Publishing Rule, but this time name it DNS Zone Transfer and use the DNS Zone Transfer protocol. You should end up with two Server Publishing Rules, as seen in the figure below.
Publishing a DNS server using packet filters is done a little differently. In this case, you want the DNS server to listen on the external interface instead of the internal interface. After you configure the DNS server to listen on the external interface, you create packet filters to allow incoming DNS queries.
ISA Server Alert
Keep in mind that when you publish the public DNS server on the ISA Server itself, the internal network clients will not be using this server to resolve Internet host names. The only names this DNS server will be able to resolve are names for your publicly accessible sites. Internal network clients should not need to use this server to resolve names.
Perform the following steps to publish the public DNS server on the ISA Server machine by using packet filters:
- Use steps 1 through 10 as described in setting up the caching-only server. This will take you to the server Properties dialog box.
- On the Interfaces tab, select the Only the following IP addresses option. Select the internal IP address of the ISA Server and click Remove. You want the DNS server to listen only on the external IP address. Click Apply.
- Click the Forwarders tab. Make sure the server does not use Forwarders.
- Click the Advanced tab. Make sure the Disable recursion and Secure cache against pollution checkboxes are selected.
- Click OK in the DNS Properties dialog box.
- Open the ISA Management console. Expand your server name and then expand the Access Policy node. Right click the IP Packet Filters node, point to New and click Filter.
- On the Welcome to the New IP Packet Filter Wizard page, type in the name of the filter. In this example, we’ll call it DNS Query. Click Next.
- On the Filter Mode page, select the Allow packet transmission option and click Next.
- On the Filter Type page, select the Custom option and click Next.
- On the Filter Settings page, select the UDP protocol. Configure the Direction for Receive send. The Local port is a Fixed port and should be set for 53. The Remote port should be set for All ports. Click Next.
- On the Local Computer page, select the Default IP addresses for each external interface on the ISA Server computer option if you have a single IP address bound to the external interface. Click Next.
- On the Remote Computers page, select the All remote computers option and click Next.
- Click Finish on the Completing the New IP Packet Filter Wizard page.
- Now create a second packet filter, but this time make it for TCP 53 instead of UDP 53. That will allow for DNS zone transfers and help out with MX record queries.
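Both procedures above leave you with something you should verify from a client: the caching-only server should return non-authoritative answers for Internet names (the nslookup test earlier), and the published public server should refuse to recurse for external queries. The following is an added example, not code from the original article: it builds a minimal recursive A query, decodes the reply flags (AA, RA, RCODE) from a raw DNS response, and can send the query to a server IP you supply. The two sample reply headers are constructed here for illustration.

```python
import socket
import struct

# Constructed sample reply headers (12 bytes each), not captured from a real server.
# Public server with recursion disabled: flags 0x8105 -> QR=1, RD=1, RA=0, RCODE=5 (REFUSED).
SAMPLE_REFUSED = bytes.fromhex("123481050001000000000000")
# Caching-only server answering from cache: flags 0x8180 -> QR=1, RD=1, RA=1, AA=0, one answer.
SAMPLE_CACHED = bytes.fromhex("123481800001000100000000")


def build_query(name, qid=0x1234, recursion_desired=True):
    """Build a minimal A-record query; RD=1 mirrors what nslookup sends."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(reply):
    """Decode the flag bits a defender cares about from a raw DNS reply."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),  # authoritative answer (nslookup: absent => Non-authoritative)
        "rd": bool(flags & 0x0100),  # recursion desired, copied from the query
        "ra": bool(flags & 0x0080),  # recursion available: the server offers to recurse
        "rcode": flags & 0x000F,     # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def recursion_offered(reply):
    """True if the server served a recursive query: RA set, or non-authoritative answers returned."""
    h = parse_header(reply)
    return h["ra"] or (h["rcode"] == 0 and h["answers"] > 0 and not h["aa"])


def probe(server_ip, name="www.example.com", timeout=3.0):
    """Send the query over UDP/53 to your own server and return its decoded reply header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        reply, _ = sock.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("reply ID does not match the query ID")
    return parse_header(reply)
```

Run `probe()` against the internal IP from an internal client (expect RA set, AA clear) and against the external IP from outside (expect REFUSED or no RA) to confirm each server matches the steps above.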
While I generally recommend against installing extraneous services on the ISA Server computer, there are times when you might want to consider installing a DNS server on the ISA Server itself. In this article we focused on how to install a DNS server on the ISA Server for the purposes of creating a caching-only DNS server and publishing a public access DNS server. We didn't go over how to configure a DNS server associated with a domain controller on the ISA Server because I've covered that in another article.
The caching-only DNS server can be used by internal network workstations and servers as their preferred DNS server, or you can configure your internal network DNS servers to use the caching-only DNS server as their forwarder. The caching-only DNS server caches the results of queries made by hosts on the internal network. If you have a reliable and high performance DNS server run by your ISP, you might want to use that server as a Forwarder for your caching-only server.
You can publish a public access DNS server on the ISA Server itself. There are two ways to publish services on the ISA Server: using packet filters or using Server Publishing Rules. Server Publishing Rules allow you to leverage the DNS Application Filter, so that's the preferred way of making the DNS server available to the public.
If you have any questions or comments on this article, let me know! Write to me at [email protected] and I'll see what I can do to help clear things up for you. Thanks! --Tom.