The Definitive Guide to ISA Firewall Outbound DNS Scenarios Part 4

If you would like to read the other parts in this article series please go to:

Outbound DNS Scenario 3: Caching only DNS resolvers in DMZ and Internal Network

Another option for high security environments is to use two caching only DNS servers. In these high security environments, you want to prevent any outbound connections from internal network servers to untrusted hosts on the Internet. In order to do this, you will need to use two caching only DNS servers – one of the caching only DNS servers is located on the corporate network (most likely in a network services segment) and the second caching only DNS server is located in an ISA Firewall DMZ. The philosophy behind this approach is that the caching only DNS server in the DMZ is a closely monitored corporate resource, and thus belongs to a much more trusted security zone than anonymous DNS servers located throughout the Internet that must be contacted during DNS recursion.


The first figure below shows how you might set up such a solution.


Figure 1

The following sequence of events describes what happens in the figure above:

  1. A client application on a client system on the internal network needs to access resources on www.microsoft.com. The DNS client software formulates a DNS query and sends the DNS query request to the caching only DNS server on the internal network.
  2. The caching only DNS server on the internal network is configured to use the caching only DNS server in the DMZ as a forwarder, so it sends a DNS query request for www.microsoft.com to the caching only DNS server in the DMZ.
  3. The caching only DNS server in the DMZ is not authoritative for the microsoft.com domain, so it performs recursion to get the IP address for www.microsoft.com host.
  4. The microsoft.com DNS server responds to the caching only DNS server in the DMZ and sends the IP address for www.microsoft.com to the caching only DNS server.
  5. The caching only DNS server in the DMZ caches the result and sends the information to the caching only DNS server on the internal network.
  6. The caching only DNS server in the internal network caches the result and forwards the information to the client that made the original request.
  7. A client application needs to connect to a resource on the internal network. The DNS client software on the client system formulates a DNS query request and sends it to the caching only DNS server on the internal network. The caching only DNS server is not authoritative for the internal network domain, but it is configured to conditionally forward requests for the internal domain to the Active Directory integrated DNS server on the internal network.
  8. The caching only DNS server on the internal network forwards the request to the Active Directory integrated DNS server on the internal network.
  9. The Active Directory integrated DNS server sends the answer to the DNS query to the caching only DNS server on the internal network.
  10. The caching only DNS server on the internal network caches the result and returns the information to the client that made the original request. The client will be able to connect to the internal resource now that it has the IP address of that host.

You’ll notice in this configuration that there is redundancy in the DNS cache between the caching only DNS server in the DMZ and the caching only DNS server in the internal network. This is a small price to pay for the added security gained by this type of implementation.

Requirements for this solution are similar to the previous solution:

  • DNS server on the internal network that is configured as a caching only DNS server
  • DNS server on the DMZ network that is configured as a caching only DNS server
  • Caching only DNS server on the internal network is configured to use the caching only DNS server on the DMZ as its forwarder
  • All clients are configured to use the caching only DNS server on the internal network as their primary DNS server (this includes the ISA Firewall’s internal interface)
  • An Access Rule on the ISA Firewall that allows outbound access from the caching only DNS server on the internal network to the IP address of the caching only DNS server on the DMZ for the DNS protocol
  • An Access Rule on the ISA Firewall that allows outbound access from the caching only DNS server on the DMZ to the default External Network for the DNS protocol
  • The ISA Firewall’s internal interface must be configured to use the Internal caching only DNS server and there must be no external DNS servers listed on any of the ISA Firewall’s interfaces. The internal interface must be listed on the top of the list of interfaces on the ISA Firewall

We have already discussed how to configure most of these options, except for how to configure the forwarder for “all other domains” on a Windows Server 2003 (or later) DNS server. It is quite simple and works the same way as the conditional forwarder we configured for the internal domain.


The figure below shows how to set this up. In the DNS domain list, click the All other DNS domains entry and then enter the IP address of the caching only DNS server(s) in the DMZ in the Selected domain’s forwarder IP address list text box. Something to note here is whether or not you want to allow recursion when the DNS forwarder in the DMZ becomes unavailable. Since this design is a security solution, you will want to select the option Do not use recursion for this domain, because you do not want this DNS server to contact anonymous DNS servers. In addition, the internal network caching only DNS server does not have an access rule that would allow it to perform recursion, so you would only get timeouts anyhow.
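The article configures the forwarders through the DNS console. As an added example (not code from the original article), the following PowerShell script applies the same Scenario 3 settings to the internal caching only DNS server using the DnsServer module (Windows Server 2012 and later; the Server 2003 dnscmd equivalents are given in comments). The addresses 10.0.1.5 (DMZ caching only server), 10.0.0.10 (Active Directory integrated DNS server) and the domain name corp.example are placeholders.

```powershell
# Added example, not from the original article. Run on the INTERNAL caching only DNS server.
# Placeholder values; replace with your own addressing.
$DmzCache     = '10.0.1.5'      # caching only DNS server in the ISA Firewall DMZ
$AdDnsServer  = '10.0.0.10'     # Active Directory integrated DNS server
$InternalZone = 'corp.example'  # internal AD domain

# "All other DNS domains" -> forward to the DMZ cache.
# -UseRootHint $false is the cmdlet equivalent of the console option
# "Do not use recursion for this domain": if the DMZ forwarder does not answer,
# the query fails instead of this server walking the root hints, which the
# ISA access rules would block anyway.
# Windows Server 2003 equivalent:  dnscmd /ResetForwarders 10.0.1.5 /Slave
Set-DnsServerForwarder -IPAddress $DmzCache -UseRootHint $false -Timeout 5

# Conditional forwarder for the internal domain -> the AD integrated DNS server.
# -UseRecursion $false keeps the same "no fallback to recursion" policy there.
# Windows Server 2003 equivalent:  dnscmd /ZoneAdd corp.example /Forwarder 10.0.0.10 /Slave
if (-not (Get-DnsServerZone -Name $InternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $InternalZone `
        -MasterServers $AdDnsServer -UseRecursion $false
}

# Verification: the forwarder list and the root-hint fallback must match the design.
function Test-Scenario3Forwarder {
    param([string]$ExpectedForwarder = $DmzCache)
    $fwd = Get-DnsServerForwarder
    $configured = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    $ok = ($configured -contains $ExpectedForwarder) -and (-not $fwd.UseRootHint)
    if (-not $ok) {
        Write-Warning ("Forwarders are [{0}], UseRootHint={1}; expected only {2} with UseRootHint=False" -f `
            ($configured -join ', '), $fwd.UseRootHint, $ExpectedForwarder)
    }
    return $ok
}
Test-Scenario3Forwarder

# Functional check from the server itself: an Internet name must resolve through the
# DMZ cache and an internal name through the AD server. With the DMZ cache offline the
# first query should fail (SERVFAIL/timeout) rather than succeed through recursion.
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -Type A -DnsOnly
Resolve-DnsName -Name "dc1.$InternalZone" -Server 127.0.0.1 -Type A -DnsOnly
```

The two Resolve-DnsName calls are the quickest way to confirm the chain end to end: the first answer should carry the DMZ cache's TTL countdown on a repeat query (showing both caches are populated, the redundancy the article mentions), and pulling the DMZ server's network cable should turn it into a failure instead of a slow success.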


Figure 2

Outbound DNS Scenario 4: Caching Only DNS Server on the ISA Firewall

This caching only DNS server configuration is similar to the previous scenario. The primary difference is that there is a single DNS server (thus, no fault tolerance) and the DNS server is on the ISA Firewall itself. This is an option for organizations who do not have the resources to deploy a dedicated caching only DNS server on a separate machine.


Figure 3

The following sequence of events describes what happens in the figure above:

  1. A client application on a client system on the internal network needs to access resources on www.microsoft.com. The DNS client software formulates a DNS query and sends the DNS query request to the caching only DNS server on the ISA Firewall.
  2. The caching only DNS server on the ISA Firewall is configured to perform recursion and contacts DNS servers on the Internet.
  3. The microsoft.com DNS server responds to the caching only DNS server on the ISA Firewall and sends the IP address for www.microsoft.com to the caching only DNS server.
  4. The caching only DNS server on the ISA Firewall caches the result and sends the information to the client which made the original request.
  5. A client application needs to connect to a resource on the internal network. The DNS client software on the client system formulates a DNS query request and sends it to the caching only DNS server on the ISA Firewall. The caching only DNS server is not authoritative for the internal network domain, but it is configured to conditionally forward requests for the internal domain to the Active Directory integrated DNS server on the internal network.
  6. The caching only DNS server on the ISA Firewall forwards the request to the Active Directory integrated DNS server on the internal network.
  7. The Active Directory integrated DNS server sends the answer to the DNS query to the caching only DNS server on the ISA Firewall.
  8. The caching only DNS server on the ISA Firewall caches the result and returns the information to the client which made the original request. The client will be able to connect to the internal resource now that it has the IP address of that host.

Requirements for this solution are similar to the previous solution:

  • DNS server on the ISA Firewall is configured as a caching only DNS server
  • The caching only DNS server on the ISA Firewall is configured to listen on a specific IP address on the internal interface of the ISA Firewall
  • All clients are configured to use the caching only DNS server on the ISA Firewall as their primary DNS server (this includes the ISA Firewall’s internal interface DNS settings)
  • An Access Rule on the ISA Firewall that allows outbound access from internal network clients to the IP address on the internal interface of the ISA Firewall on which the DNS service is listening
  • An Access Rule on the ISA Firewall that allows outbound access from the ISA Firewall’s local host network to the internal DNS server
  • The ISA Firewall’s internal interface must be configured to use itself as its caching only DNS server and there must be no external DNS servers listed on any of the ISA Firewall’s interfaces. The internal interface must be listed on the top of the list of interfaces on the ISA Firewall
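The requirements above are the points where Scenario 4 goes wrong in practice: the DNS service ends up listening on the external interface too, or an ISP resolver is left on one of the firewall's NICs. As an added example (not code from the original article), this PowerShell script restricts the DNS Server role on the ISA Firewall host to the internal interface address and audits every interface's DNS client settings. It assumes the DnsServer and DnsClient modules (Windows Server 2012 and later) and uses placeholder values: 10.0.0.1 for the firewall's internal interface, 10.0.0.10 for the Active Directory integrated DNS server and corp.example for the internal domain.

```powershell
# Added example, not from the original article. Run on the ISA Firewall host that
# carries the caching only DNS server. Placeholder values; replace with your own.
$InternalIf   = '10.0.0.1'      # internal interface IP the DNS service should listen on
$AdDnsServer  = '10.0.0.10'     # Active Directory integrated DNS server
$InternalZone = 'corp.example'  # internal AD domain

# 1. Listen only on the internal interface address, never on the external one.
#    (Windows Server 2003 equivalent: dnscmd /ResetListenAddresses 10.0.0.1)
#    Assumption: ListeningIPAddress is writable through Get-/Set-DnsServerSetting -All.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([System.Net.IPAddress]::Parse($InternalIf))
Set-DnsServerSetting -InputObject $settings

# 2. The internal domain goes to the AD integrated DNS server; everything else is
#    recursed by this server itself, so no general forwarder is configured here.
if (-not (Get-DnsServerZone -Name $InternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $InternalZone `
        -MasterServers $AdDnsServer -UseRecursion $false
}

# 3. Audit: every interface with DNS client settings must point only at the internal
#    address (the firewall uses itself as its DNS server). Any other entry, such as an
#    ISP resolver on the external NIC, sends the firewall's own lookups to untrusted
#    servers and bypasses the design.
function Test-OnlyInternalDnsClient {
    param([string]$Expected = $InternalIf)
    $offenders = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Where-Object { @($_.ServerAddresses | Where-Object { $_ -ne $Expected }).Count -gt 0 }
    foreach ($entry in $offenders) {
        Write-Warning ("Interface '{0}' uses DNS servers {1}; expected only {2}" -f `
            $entry.InterfaceAlias, ($entry.ServerAddresses -join ', '), $Expected)
    }
    return (@($offenders).Count -eq 0)
}

# 4. Confirm the listener really is bound only where intended.
function Test-DnsListener {
    param([string]$Expected = $InternalIf)
    $listening = @((Get-DnsServerSetting -All).ListeningIPAddress |
        ForEach-Object { $_.IPAddressToString })
    return ($listening.Count -eq 1 -and $listening[0] -eq $Expected)
}

if (-not (Test-OnlyInternalDnsClient)) { Write-Warning 'Fix the DNS client settings before relying on this design' }
if (-not (Test-DnsListener))          { Write-Warning 'DNS service is not bound to the internal interface only' }
```

Both checks are worth scheduling rather than running once: a later driver reinstall or DHCP on the external interface can silently reintroduce an external DNS server, and the article's requirement that no external DNS server appear on any of the firewall's interfaces is exactly what the audit enforces.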

The caching only DNS server on the ISA Firewall itself is an attractive alternative for organizations that are cash-strapped but want the security and performance enhancements that a dedicated caching only DNS server can provide.


Summary

In this article series on outbound DNS scenarios we focused on a variety of outbound DNS configurations that you can use to resolve Internet host names. Outbound DNS scenarios are quite different from inbound DNS scenarios. While inbound DNS scenarios are all about publishing DNS servers so that external users can resolve names for resources that you make available to the public, the outbound DNS scenario is all about host name resolution for your own clients. In most cases, you need to configure your outbound DNS scenario to support host name resolution for both internal and external names. Each of the scenarios in this article series provided guidance for creating an outbound DNS topology that supports both internal and Internet host name resolution. I hope this series helped you in your understanding of how the ISA Firewall handles DNS issues and that it helps you optimize your current DNS infrastructure. –Tom.
