Question:
Recently we have experienced a slowdown in resolving names. Our DNS Server uses a forwarder to our ISP. When I connect to the ISP’s modem directly there is no problem resolving addresses (eg nslookup www.microsoft.com) so the problem does not appear to be our ISP’s DNS servers.
When I do the same from either the ISA Server, the DNS server or a client workstation behind the ISA server I cannot resolve. If I remove the forwarder and rely solely on root hints everything works fine.
On the ISA server I have a
1. packet filter for DNS lookup
2. protocol rule with selected protocols DNS Query and DNS Query Server
1. packet filter for DNS lookup
2. protocol rule with selected protocols DNS Query and DNS Query Server
All of the above worked well until a few weeks ago. There are no events on the DNS Server or ISA Server that seem to relate to the problem.
Why would ISA block a DNS Server from using forwarders but allow resolution of a DNS query via root hints?
Answer:
What DNS server are you using? Is this a native Windows 2000 or 2003 DNS server? Is the DNS server inside/behind the ISA server? And, I assume you are forwarding to the same ISP DNS server that you verified works correctly by querying it directly from outside the ISA server.
Have you tried querying the ISP DNS server directly by using nslookup on various machines behind the ISA server (a client, the DNS server, the ISA server itself)? Do this with the "server w.z.y.z" command in nslookup, and specify the IP address of the remote server, not it’s name.
Aside from the destination of the lookups, there is very little difference between the DNS queries sent to a forwarder, and those sent to the root servers and other remote nameservers. The main difference is the "RD" bit (recursion desired). It is unlikely that ISA would be concerned by that bit. Still, you can simulate that by sending a non-recursive query through nslookup (set norecurse). If you do that, and tell nslookup to use ISP DNS server (using the server command), and also enable detailed debugging (set d2), you should see if you get some sort of answers back, and then try a recursive query (set recurse) and see if you get an answer from that. This might help you diagnose if ISA is interfering with resursive queries.
Have you tried querying the ISP DNS server directly by using nslookup on various machines behind the ISA server (a client, the DNS server, the ISA server itself)? Do this with the "server w.z.y.z" command in nslookup, and specify the IP address of the remote server, not it’s name.
Aside from the destination of the lookups, there is very little difference between the DNS queries sent to a forwarder, and those sent to the root servers and other remote nameservers. The main difference is the "RD" bit (recursion desired). It is unlikely that ISA would be concerned by that bit. Still, you can simulate that by sending a non-recursive query through nslookup (set norecurse). If you do that, and tell nslookup to use ISP DNS server (using the server command), and also enable detailed debugging (set d2), you should see if you get some sort of answers back, and then try a recursive query (set recurse) and see if you get an answer from that. This might help you diagnose if ISA is interfering with resursive queries.