The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 3

By /

If you would like to read the other parts in this article series please go to:
The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 1
The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 2
The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 4


In the first two parts of this definitive guide on outbound DNS and the ISA Firewall, we went over some of the basics of how the Domain Name Service works and then drilled down into the important topics of how ISA Firewall client types resolve Internet host names and Direct Access. In this, part 3 of the series, we’ll get into the detail of various outbound DNS scenarios used with the ISA Firewall.

Discuss this article

Outbound DNS Scenario 1: Resolver on the Domain Controller

Probably the most common scenario seen in a small or medium sized business is when the domain controller is used as the DNS resolver. In this scenario, the domain controller is authoritative for the internal domain names and performs recursion for names that it is not authoritative.

The figure below shows this type of DNS configuration where the DNS server on the domain controller is configured to resolve both Internal and external names.


Figure 1

The sequence of events in this scenario works like this:

  1. The client application needs to resolve the name www.microsoft.com to an IP address and sends a DNS query to the DNS resolver on the domain controller.
  2. The DNS server on the domain controller is not authoritative for the microsoft.com domain, so it has to go out to Internet DNS servers to perform recursion to resolve the name.
  3. The DNS server authoritative for the microsoft.com domain returns the IP address for the www.microsoft.com host.
  4. The DNS server on the domain controller caches the record for the amount of time listed on the record’s TTL and returns the result to the client. Once the client has the IP address of the www.microsoft.com host, it will then be able to connect to it.

There are several key requirements for Internet name resolution to work in this scenario:

  • The domain controller must be configured to resolve Internet host names. This requires that the DNS server have a list of Internet Root Servers that it can reach and that it is configured to perform recursion
  • There must be an Access Rule that allows the DNS server on the domain controller to have anonymous access to DNS servers on the default External ISA Firewall Network
  • The clients must be configured with the address of the Internal DNS server
  • The ISA Firewall’s internal interface must be configured to use the Internal DNS server and there must be no external DNS servers listed on any of the ISA Firewall’s interfaces. The internal interface must be listed on the top of the list of interfaces on the ISA Firewall

One of the most common phrases I utter on the ISAserver.org Web boards and mailing list is that when you have DNS problems, you need to configure the ISA Firewall to use a DNS server that can resolve both internal and external names. However, I usually leave it at that and don’t go into the details of how to do that. I’ll correct that omission here.

It’s easy to configure the DNS server to resolve both internal and external host names. There are two ways this can be done: allow the DNS server to perform recursion itself, or configure your DNS resolver to use a forwarder. In this example I’ll show you how to configure the DNS resolver to perform recursion itself.

In the figure below you see the DNS console and there are two Active Directory integrated DNS servers listed in the left pane of the console. Right click on one of the DNS servers that you want to use as a resolver to get to its Properties dialog box.


Figure 2

In the DNS resolver’s Properties dialog box, click on the Root Hints tab. On the Root Hints tab you should see a list of Internet Root Servers that the DNS server can use to begin the recursion process. If you don’t have this list of Internet Root DNS servers, then you’ll have to populate it yourself. Without this list of Internet Root DNS servers you won’t be able to perform recursion and if this machine is configured to perform only recursion to resolve Internet host names, then Internet host name resolution will fail.


Figure 3

In the DNS resolver’s Properties dialog box, click the Advanced tab. Make sure that there is no checkmark in the Disable recursion checkbox. You only want to enable this option when you’re publishing a DNS advertiser for your domain, as discussed in an earlier series on inbound DNS on this site.


Figure 4

Finally, click on the Forwarders tab of the DNS resolver’s Properties dialog box. Make sure that there is no checkmark in the Enable Forwarders checkbox. In this example we’re not using a forwarder, so we need to make sure the use of forwarders is disabled.


Figure 5

When the DNS server is configured to perform recursion, the next step is to make sure we have an Access Rule that allows anonymous access (does not require authentication) from the DNS servers to the default External ISA Firewall Network. The reason why we need to allow anonymous connections is that only the Firewall client can send authentication information for the DNS protocol to the ISA Firewall, and we never install the Firewall client on network servers; the Firewall client is only installed on network client systems. I usually make a Computer Set for the DNS servers and name the Computer Set DNS Servers, as you can see in the figure below.


Figure 6

Now you need to configure the ISA Firewall’s internal interface to be on the top of the Interface list, so that this interface’s configuration is used first when searching the DNS server list. Since we must use only internal DNS server and never external DNS servers, we need to put all the DNS servers we want to use on the internal network on the internal interface. There’s never a reason to put a DNS server on any other interface other than the internal interface. If you do put DNS servers addresses on any other interface, then you will slow down name resolution. In addition, if you put an external DNS server on any interface, you will likely break Active Directory communication for the ISA Firewall and authentication will fail when you try to reach the Internet.

In order to move the internal interface to the top of the interface list, open the Network Connections window and click the Advanced menu. Then click Advanced Settings.

Discuss this article


Figure 7

In the Advanced Settings dialog box, select the internal interface and use the arrow button to move the internal interface to the top of the interface list.


Figure 8

Now that the internal interface, which contains the list of internal DNS servers that can resolve both internal and external names, is at the top of the list, you’re good to go. That’s all there is to configuring the ISA Firewall and the DNS resolver so that both internal and external names can be resolved.

In general, I prefer to stay away from this scenario in high security environments. In a high security environment, servers never make connections to untrusted and anonymous servers on the Internet. Unfortunately, with DNS, in order to perform recursion, you must allow the DNS server to connect to untrusted and anonymous machines throughout the Internet. I recommend this solution only to companies that don’t have any other options, although as you’ll find out later, that’s rarely the case.

Outbound DNS Scenario 2: Caching Only DNS Server on Internal Network

In our second scenario we continue to allow the clients to use the domain controller as their DNS server, but we move the resolver role to a caching-only DNS server that’s located on the same internal network as the domain controller DNS server. In this configuration, the domain controller Active Directory integrated DNS server is authoritative for internal names, but uses the caching only DNS server to resolve Internet host name for which is it not authoritative.

There area actually two ways you can leverage the caching only DNS server in this scenario: in the first option you can configure the clients to use the Active Directory integrated DNS server as their DNS server and then configure the Active Directory integrated DNS server to use the caching only DNS server as its forwarder; the second option is to configure all the machines on the network to use the caching-only DNS server and configure the caching only DNS server to use conditional forwarding for the internal network domain.

The figure below shows the first option where the network clients (including the ISA Firewall) use the Active Directory integrated DNS server for their primary DNS server and the Active Directory integrated DNS server on the domain controller uses the caching only DNS server as its forwarder.


Figure 9

The following series of events are depicted in the figure above:

  1. An application on the client machine needs to resolve the name www.microsoft.com to its IP address. The DNS client software sends a DNS query for www.microsoft.com to the Active Directory integrated DNS server on the internal network
  2. The Active Directory integrated DNS server on the domain controller is not authoritative for the microsoft.com domain, so it forwards the request to the caching only DNS server by sending a DNS query for www.microsoft.com to the DNS forwarder.
  3. A caching only DNS server is not authoritative for any domains, so it begins the process of recursion to resolve the name www.microsoft.com to an IP address.
  4. The microsoft.com DNS server returns the IP address of the www.microsoft.com host to the caching only DNS server resolver.
  5. The caching only DNS server caches the results of the query and forwards the response to the Active Directory integrated DNS server on the domain controller.
  6. The Active Directory integrated DNS server caches the results and returns the response to the client that made the original request. At this point the client has the IP address of the www.microsoft.com host and is able to make a connection request for services.

While the configuration seems to make sense, it might not be the best way to deploy a caching only DNS server on the network. Why? Because when we use the Active Directory integrated DNS server as the primary DNS server for all clients on the network, that DNS server must endure all the DNS traffic in the network. In addition, we end up caching the results of the Internet host name queries on both the Active Directory integrated DNS and the caching only DNS server. It might be a better solution if we can reduce the duplication of efforts and reduce the amount of DNS query traffic directed to the Active Directory integrated DNS server, since the domain controller has other important network tasks to accomplish other than serving the results of DNS queries.

We can accomplish these goals by configuring the network clients to use the caching only DNS server as their primary DNS server. When we do that, the caching only DNS server will resolve Internet host names for Internet related connections and redirect users to the Active Directory integrated DNS server when a request comes in for names on the internal network.


Figure 10

The following describes the sequence of the events in the figure above:

  1. An application on the client needs to resolve the name www.microsoft.com. The DNS client software on the client system sends a DNS query to the caching only DNS server.
  2. Since the caching only DNS server is not authoritative for any domains, it performs recursion to discover the IP address of the host www.microsoft.com.
  3. The DNS server authoritative for the microsoft.com domain returns the IP address of the host www.microsoft.com to the caching only DNS server
  4. The caching only DNS server caches the result of the query, and then returns the IP address of the host www.microsoft.com to the client computer that made the original request. At this point the client system can make a connection request to the IP address for www.microsoft.com
  5. A client application on a machine on the internal network needs to connect to host on the internal network, such as www.internal.com. The DNS client software on the client system sends a DNS query for www.internal.com to the caching only DNS server.
  6. The caching only DNS server is not authoritative for any domains. However, the caching only DNS server is configured to perform conditional forwarding for the internal.com domain. The conditional forwarding tells the caching only DNS server to forward the DNS query to the Active Directory integrated DNS server.
  7. The Active Directory integrated DNS server returns the result to the caching only DNS server.
  8. The caching only DNS server caches the result and forwards the answer to the client making the original request. At this point the client application can connect to the IP address of the destination server.

As you can see, using the caching only DNS server as the primary DNS server not only offloads DNS query traffic for Internet hosts off the domain controller, it also offloads intradomain DNS query traffic off the domain controller because the caching only DNS server also caches the results of internal domain name queries. Not bad!

Requirements for this solution include:

  • DNS server on the internal network that is configured as a caching only DNS server
  • All clients are configured to use the caching only DNS server as there primary DNS server (this includes the ISA Firewall’s internal interface)
  • An Access Rule on the ISA Firewall that allows outbound access from the caching only DNS server to the default External Network for the DNS protocol
  • The ISA Firewall’s internal interface must be configured to use the Internal DNS server and there must be no external DNS servers listed on any of the ISA Firewall’s interfaces. The internal interface must be listed on the top of the list of interfaces on the ISA Firewall

We’ve already gone over the configuration options for making the internal interface of the ISA Firewall the top listed interface in the interface list. Remember, you never put an external DNS server address on any of the ISA Firewall’s interfaces. You only use internal DNS servers that can resolve both internal and external host names, and all those DNS servers are placed on the ISA Firewall’s internal interface.

To configure conditional forwarding on the caching only DNS server so that DNS queries for the internal domain go to the domain controller, open the DNS console and right click on the caching only DNS server’s name and click Properties. In the caching only DNS server’s Properties dialog box, click the Forwarders tab. On the Forwarders tab, click the New button.


Figure 11

In the New Forwarder dialog box, enter the internal domain name and click OK.


Figure 12

On the Forwarders tab, click on the new domain entry  in the DNS domain list. Enter the IP address of the Active Directory integrated DNS server in the Selected domain’s forwarder IP address list text box and click Add. The IP address will now appear in the list.


Figure 13

Notice that when you click on the All other DNS domains entry in the DNS domain list, there is no IP address listed. In this case, the DNS caching only server will perform recursion for all other DNS domains.


Figure 14

Discuss this article

Summary

In this article we went over the details of two common and important outbound DNS topology designs used with the ISA Firewall. In the next article we’ll finish up the series by covering two more important outbound DNS design scenarios. See you then! –Tom.

If you would like to read the other parts in this article series please go to:
The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 1
The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 2
The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 4

About The Author

Tom Shinder is a Program Manager at Microsoft and has two decades of networking and security experience. He has written dozens of books, thousands of articles, and spoken at large industry conferences on the topics of IT infrastructure, Cloud computing, and cybersecurity. In his free time, Tom enjoys participating in equine prediction markets.

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top