Supporting Internet Host Name Resolution for ISA Server SecureNAT Clients
By Thomas W Shinder, M.D.
One of the more problematic situations small businesses running ISA Server firewalls run into is name resolution support for SecureNAT clients. Unlike the situation with Firewall and Web Proxy clients, where the ISA Server firewall resolves Internet host names on their behalf, the SecureNAT client must be able to resolve Internet host names themselves. If the SecureNAT client can’t resolve the name, the connection fails.
Even though ISA Server firewalls have been on the market for over two years, the same problem keeps coming up. For a long time I wondered why it was so hard to get the point across that the SecureNAT client must be configured with the address of a DNS server that can resolve Internet host names.
The answer was staring me right in the face. The problem was that I was too "close" to ISA Server firewalls and how they work. This "over familiarity" with the ISA firewall prevented me from fully appreciating the problem.
Comparing ISA Server Firewalls with the Routing and Remote Access Service Network Address Translation Server (RRAS NAT)
To better understand the problem, let’s compare the RRAS NAT service with ISA Server firewalls.
When you configure the RRAS NAT service, you add an internal and external interface. After you add the internal and external interfaces, you have the option to enable the DHCP allocator. The DHCP allocator acts like a mini-DHCP server and assigns IP addresses to the internal network clients.
The DHCP allocator makes is easy for small businesses to connect computers on their single-subnet network to the Internet. The DHCP client computers on the network are assigned an IP address, subnet mask and default gateway by the DHCP allocator. The default gateway is set to the internal IP address of the RRAS NAT server.
Setting the default gateway address to the internal interface of the RRAS NAT server allows computers on the internal network to automatically send all Internet-bound requests to the internal interface of the RRAS NAT server.
However, there is one more thing the RRAS NAT service does. You can configure the RRAS NAT to act as a DNS proxy. When you configure the RRAS NAT to perform DNS proxy, the DHCP allocator assigns computers on the internal network a DNS server address that is an internal IP address on the RRAS NAT server.
Internal network computers forward DNS queries to the RRAS NAT server. The RRAS NAT server resolves the name and forwards the result to the computer on the internal network. The computer on the internal network can connect to the Internet server after it receives the name resolution.
ISA Server firewalls don’t have a DHCP allocator and they can’t perform DNS proxy name resolution for SecureNAT clients. SecureNAT clients depend on you providing them an IP address of a DNS server that can resolve Internet host names.
DNS Options for SecureNAT Clients
There are several DNS options available to SecureNAT clients allowing them to resolve Internet host names:
- Configure a DNS server on the internal network to resolve Internet host names and configure the SecureNAT clients to use this DNS server
Most Windows networks have at least one Windows 2000 or Windows Server 2003 domain controller on the internal network. If you are running an Active Directory domain, that domain controller must be configured to use a DNS server that hosts Active Directory related records. If you have a single domain controller, then that domain controller most likely hosts your DNS server.
Even if you are using another DNS server on the internal network to support your Active Directory domain, that DNS server can be configured to resolve Internet host names. All Microsoft DNS servers can be configured to resolve Internet host names either by performing recursion themselves, or by using a Forwarder. A forwarder is generally a more secure solution because your internal DNS server will only need to contact your ISP’s DNS server.
- Create a DNS Protocol Rule and then configure SecureNAT clients to use your ISP’s DNS server
Some networks do not have a DNS server that can resolve Internet host names. You may have a network with a DNS server installed to support your Active Directory domain but you do not want jeopardize security by allowing it to communicate with external DNS servers. Or your network may be running as a workgroup and you have no DNS servers on your network and you do not need one.
You can configure your SecureNAT clients to use your ISP as their DNS server. You can either manually configure the DNS server address on the SecureNAT clients, or you can use DHCP to assign the internal network SecureNAT clients a DNS server address that is the address of your ISP’s DNS server. You next create a Protocol Rule allowing your SecureNAT clients outbound access to the DNS query and DNS zone transfer protocols (TCP and UDP ports 53).
- Configure a caching-only DNS server on the ISA Server firewall
Your third option is to install a caching-only DNS server on the ISA Server firewall itself. This most closely mirrors how the RRAS NAT works. SecureNAT clients can be configured to use the internal IP address on the ISA Server firewall as their DNS server. The caching-only DNS server resolves names for SecureNAT clients, caches the results, and sends the answers to the SecureNAT clients. This is completely secure because you don’t host any records for your internal network domain on the caching-only DNS server.
Advantages of the Caching-only DNS Server Solution
I consider the third option the best DNS host name resolution solution for almost all businesses. The advantages of the caching-only DNS server on the ISA Server firewall itself include:
- Enhanced Security
The caching-only DNS server is secure because is doesn’t contain any internal or external zones. The only DNS records on the caching-only DNS server are those the DNS server has cached. No information about your internal network is contained on this server. External users will not be able to use DNS exploits to transfer information about your DNS zones.
The caching-only DNS server can resolve names by performing recursion itself, or by using one or more DNS forwarders. You can further enhance security by configuring it to use only use your ISP’s DNS servers as forwarders. This allows your caching-only DNS server to resolve Internet host names without contacting untrusted Internet DNS servers.
- Simple configuration and management
Unlike DNS servers hosting your internal and external zones, the caching-only DNS server contains no zone information. You don’t have to worry about maintaining internal or external zone information, you don’t’ have to worry about dynamic DNS updates, and you don’t have to worry about backing up zone data or configuring secondary DNS servers. You install the caching-only DNS server on the ISA Server firewall and it runs itself. There is no DNS zone information stored on the server so it never gets corrupted.
- Supports networks with and without an internal DNS infrastructure
The caching-only DNS server on the ISA Server firewall is the perfect solution for the small network that doesn’t have a DNS server and doesn’t need one. Internal names can be resolved via NetBIOS broadcasts. External names are resolved by the caching-only DNS server
More complex networks that already have a DNS server infrastructure in place also benefit from using the ISA Server firewall’s caching-only DNS server.
For example, you may already have DNS servers in place on the internal network that are configured to resolve Internet host names. These machines may be using a forwarder or they might perform recursion themselves. Just configure these machines to use the caching-only DNS server on the ISA Server firewall as their forwarder. This improves the security on your internal DNS servers because then they do not need to contact any external DNS servers.
Networks that already have a DNS infrastructure in place may wish to configure all computers on the network to use the DNS caching-only server as their DNS server. The caching-only DNS server can then use conditional forwarding or stub zones to support internal network name resolution. Conditional forwarding is available only with Windows Server 2003. Although Windows Server 2003 simplifies creating stub zones, you can manually create stub zones on any DNS server.
Because I think the caching-only DNS server solution is so cool, I’m going to show you how to do it! You need to do the following to make it work:
Let’s do it.
Installing the DNS Server Service on the ISA Server Firewall/VPN Server
Perform the following steps on the ISA Server firewall/VPN server to configure the caching-only DNS server:
- Click Start and point to Control Panel. Click the Add or Remove Programs entry in the list. In the Add or Remove Programs window, click on the Add/Remove Windows Components button on the left side of the window.
- In the Windows Components dialog box, select the Network Services entry in the Components list (but do not put a checkmark in the checkbox!). Then click the Details button.
- In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox. Click OK.
- Click Next in the Windows Components dialog box.
- Click Finish on the Completing the Windows Components Wizard dialog box after the DNS server service is installed.
You do not need to restart the ISA Server firewall. The next step is to configure the caching-only DNS server to use a forwarder. I’ll also discuss the subject of recursion.
Configuring DNS Forwarders, Recursion and the Root Hints File
The most secure configuration for your caching-only DNS server is to use your ISP’s DNS server. There are several advantages to using your ISP’s DNS server as a forwarder:
In almost all circumstances using your ISP’s DNS server as a forwarder is the best configuration for your caching-only DNS server. However, if you do not trust your ISP’s DNS server, or if you have had negative experiences with their DNS servers, you can configure the caching-only DNS server on the ISA Server firewall/VPN server to perform recursion and contact Internet DNS servers directly to resolve Internet DNS host names.
I’ll discuss both options:
- In the DNS Management console, right click on your server name and click the Properties command.
- In the DNS server Properties dialog box, click on the Interfaces tab. Select the Only the following IP addresses option. We want the caching-only DNS server to listen for DNS queries on its internal interface only.
Click on an address that is not bound to the internal interface of the ISA Server firewall, then click Remove. Repeat this for all addresses not bound to the internal interface. If you have multiple addresses bound to the internal interface, remove all but one of them and use that address.
- Only a single IP address, bound to the internal interface of the ISA Server firewall server should be seen on the list of listening IP addresses.
- Click on the Forwarders tab. Type the IP address of your ISP’s DNS server in the Selected domain’s forwarder IP address list text box and then click Add. The address will then appear in the list of forwarder IP addresses. Your ISP should have at least two public DNS servers. Enter both of those addresses to your list of forwarders.
Put a checkmark in the Do not use recursion for this domain checkbox. This prevents the caching-only DNS server from using information in its Root Hints file to perform recursion on its own. The point of using a forwarder in our scenario is to prevent the caching-only DNS server from contacting "untrusted" DNS servers.
Click Apply after entering your forwarders and enabling the checkbox.
- Click on the Advanced tab. Note the Disable recursion (also disables forwarders) option. Do not enable this option. If you enable this option, the caching-only DNS server won’t be able to resolve Internet DNS host names. This option forces the DNS server to answer DNS queries only for domains that it’s authoritative. Since this is a caching-only DNS server, it’s not authoritative for any domains.
- Click on the Root Hints tab. Here is a list of Internet Root DNS servers in the Name servers frame. The DNS server can use this list of Internet Root DNS servers to perform recursion on its own without the aid of a forwarder.
You might consider recursion as a backup method. I prefer to use multiple DNS forwarders, perhaps with different ISPs that I have a relationship with as a preferred back method..
- The caching-only DNS server is ready to use. You do not need to restart the DNS Server service or the ISA Server firewall/VPN server computers. Let the DNS server run for a while so that it has the chance to resolve some Internet host names for internal network clients. Then return to the DNS console. Right click on the server name and point to View. Click on the Advanced command. This will expose the Cached Lookups node in the left pane of the console.
The final step is to create a packet filter supporting DNS queries that use TCP instead of UDP.
Creating a DNS Zone Transfer Packet Filter (TCP Port 53)
The IIS SMTP service uses TCP instead of UDP as the default transport protocol for DNS queries. Even outside of the IIS SMTP service, it is normal for DNS queries to use TCP when the data in the DNS message does not fit into a single UDP packet.
Perform the following steps to create a packet filter to support the use of TCP port 53 for DNS queries:
- In the ISA Management console, expand your server name and then expand the Access Policy node. Right click on the IP Packet Filters node, point to New and click on Filter.
- Type in a name for the packet filter in the Welcome to the New IP Packet Filter Wizard dialog box. In this example we’ll call it DNS (TCP). Click Next.
- Select Allow packet transmission on the Filter Mode page. Click Next.
- Select the Custom option on the Filter Type page. Click Next.
- On the Filter Settings page, configure the following settings:
IP protocol: TCP
Local Port: All ports
Remote port: Fixed port
- Select the Default IP addresses for each external interface of the ISA Server computer option on the Local Computer page and click Next.
- Select the All remote computers option on the Remote Computers page and click Next.
- Review your settings on the Completing the New IP Packet Filter Wizard page. Click Finish.
Close the command prompt. The ISA Server firewall/VPN Server can now resolve Internet Host names using the caching only DNS server.
In this article we went over the problems that SecureNAT clients have with resolving Internet host names. Several options were presented and the caching-only DNS server on the ISA Server firewall was determined to be best. Then we went over the step by step procedures to make the whole thing work.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=8;t=000505 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update'
by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!