STEP 2: Installing and Configuring a DNS Server on the ISA Server Firewall

You should install a DNS server on the ISA Server 2004 firewall computer. This enables machines on your network to resolve Internet host names; computers must be able to resolve the names of Internet servers before they can contact computers that are not located on the internal network. Even if you already have a DNS server on the internal network, configure the DNS server on the ISA Server 2004 firewall as a caching-only DNS server. Computers that are not members of an internal Active Directory domain can use the ISA Server 2004 machine directly as their DNS server; domain members are best served by the internal DNS server, which is in turn configured to forward Internet queries to the DNS server on the ISA Server 2004 firewall, as described at the end of this step.

Installing the DNS Service

The DNS Server service is not installed by default on Windows server operating systems. Procedures for installing the DNS Server service on Windows 2000 Server and Windows Server 2003 machines are very similar. We will discuss the installation procedures for Windows 2000 Server and Windows Server 2003 separately in this section.

Note

These steps are performed differently in Windows 2000 Server and Windows Server 2003. Go to the section applying to the operating system onto which you’re installing ISA Server 2004 and follow those steps.

Installing the DNS Server Service on Windows 2000 Server

Perform the following steps to install the DNS Server service on a Windows 2000 Server computer:

  1. Click Start, point to Settings and click Control Panel.
  2. In the Control Panel window, double click the Add/Remove Programs entry.
  3. In the Add/Remove Programs window, click the Add/Remove Windows Components button.
  4. In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox; checking it selects every Networking Services sub-component for installation, not just DNS. After highlighting the Networking Services entry, click the Details button.
  5. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
  6. Click Next in the Windows Components dialog box.
  7. You will see a terminal services page if terminal services is enabled on the machine; click Next in the Terminal Service Setup dialog box.
  8. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder from the installation CD in the Copy files from text box, then click OK.
  9. Click Finish in the Completing the Windows Components Wizard page.
  10. Click Close in the Add/Remove Programs window.

Installing the DNS Server Service on Windows Server 2003

Perform the following steps to install the DNS Server service on a Windows Server 2003 computer:

  1. Click Start, point to Control Panel and click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button.
  3. In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox; checking it selects every Networking Services sub-component for installation, not just DNS. After highlighting the Networking Services entry, click the Details button.
  4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
  5. Click Next in the Windows Components dialog box.
  6. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder from the installation CD in the Copy files from text box, then click OK.
  7. Click Finish on the Completing the Windows Components Wizard page.
  8. Close the Add or Remove Programs window.
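The same installation can be performed unattended with sysocmgr.exe, the command-line front end to the Windows Components Wizard used in the steps above. The following script is an added example, not part of the original TechNet article; the answer-file location is a placeholder, and it assumes PowerShell is installed on the Windows 2000 Server or Windows Server 2003 machine and that the installation source recorded by Setup (or the i386 folder you supply when prompted) is reachable.

```powershell
# Added example (not from the original article): unattended installation of the
# DNS Server service with sysocmgr.exe, the command-line equivalent of the
# Add/Remove Windows Components steps above. Run from an administrator console
# on the ISA Server 2004 machine.

$AnswerFile = Join-Path $env:TEMP "dns-component.txt"   # placeholder path
$SysocInf   = Join-Path $env:windir "inf\sysoc.inf"     # component catalogue Setup reads

# The [NetOptionalComponents] section is the one sysocmgr reads for Networking
# Services sub-components. DNS=1 selects only the DNS Server service, which is
# the same as ticking only "Domain Name System (DNS)" in the Networking Services
# details dialog and leaving every other sub-component untouched.
@"
[NetOptionalComponents]
DNS=1
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# /i: the component catalogue, /u: the answer file. Setup shows only a progress
# dialog; if the installation source is not cached it prompts for the i386 folder.
& sysocmgr.exe "/i:$SysocInf" "/u:$AnswerFile"

# Verify that the service was installed and is running before configuring it.
Get-Service -Name DNS
```

After the script finishes, continue with the Configuring the DNS Service section; the service is installed with all interfaces listening and no forwarders, which is not the configuration you want on a firewall.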

Configuring the DNS Service

The DNS Server on the ISA Server 2004 firewall machine performs DNS queries for Internet host names on behalf of computers on the internal network. The DNS Server on the ISA Server 2004 firewall should be configured as a caching-only DNS server. A caching-only DNS Server does not hold authoritative information about your public or private DNS names. It can resolve Internet host names and cache the results, but it does not answer DNS queries for names in your private internal network DNS zone or your public DNS zone.

Note

DNS is an inherently complex topic. Do not be concerned if you do not completely understand the details of DNS operations. The DNS service will be correctly configured when you perform the steps in this section.

If you have an internal network DNS server supporting an Active Directory domain, you can configure the caching-only DNS server located on the ISA Server 2004 firewall to refer requests for your internal network domain to the DNS server on your internal network. On Windows Server 2003 this is done with stub zones; Windows 2000 Server DNS does not support stub zones, so the Windows 2000 procedure below simulates one with a zone whose NS and SOA records point at the internal DNS server. The end result is that the caching-only DNS server on the ISA Server 2004 firewall computer will not interfere with your current DNS server setup.

In this section, we provide instructions on how to configure the DNS Server service on Windows 2000 Server and Windows Server 2003 computers.

Note

These steps are performed differently in Windows 2000 Server and Windows Server 2003. Go to the section applying to the operating system onto which you’re installing ISA Server 2004 and follow those steps.

Configuring the DNS Service in Windows 2000 Server

Perform the following steps to configure the DNS service on the Windows 2000 Server computer:

  1. Click Start, point to Programs and point to Administrative Tools. Click the DNS entry in the Administrative Tools menu.
  2. Expand all nodes in the left pane of the DNS console. Right click your server name, point to View and click Advanced.
  3. Right click the server name in the left pane of the console and click the Properties option.
  4. In the server’s Properties dialog box, click the Interfaces tab. Select the Only the following IP addresses option. Click any IP address in the list of IP addresses that is not the IP address on the internal interface. Select this non-internal interface IP address and click the Remove button. Click Apply. The DNS server must listen only on the internal interface; if it also listens on the external interface, the firewall becomes an open resolver for anyone on the Internet.
  5. Click the Forwarders tab. Put a checkmark in the Enable forwarders checkbox. Enter the IP address of your ISP’s DNS server in the IP address text box and click Add. Put a checkmark in the Do not use recursion checkbox, so that the server does not try to resolve names itself through the root servers when the forwarder fails to answer. Click Apply and then click OK.
  6. Right click the server name in the left pane of the console, point to All Tasks and click Restart.

Perform the following steps only if you have an internal network Active Directory domain and an existing DNS server on the internal network:

Warning

DO NOT perform the following steps if you do not already have a DNS server on your internal network. These steps are only for those networks already using Windows 2000 Server or Windows Server 2003 Active Directory domains.

  1. Right click the Reverse Lookup Zone node in the left pane of the console and click the New Zone command.
  2. Click Next on the Welcome to the New Zone Wizard page.
  3. Select the Standard primary option on the Zone Type page and click Next.
  4. Select the Network ID option on the Reverse Lookup Zone page and enter the network ID where your domain controller is located in the text box. Click Next.
  5. Accept the default file name on the Zone File page and click Next.
  6. Click Finish on the Completing the New Zone Wizard page.
  7. Right click the Forward Lookup Zones node in the left pane of the console and click the New Zone command.
  8. Click Next on the Welcome to the New Zone Wizard page.
  9. Select Standard primary on the Zone Type page and click Next.
  10. Enter the name of your internal network domain in the Type the name of the zone text box on the Zone Name page. Click Next.
  11. Accept the default file name on the Zone File page and click Next.
  12. Click Finish on the Completing the New Zone Wizard page.
  13. Expand the Forward Lookup Zones node in the left pane of the console and right click the domain name. Click the New Host command.
  14. In the New Host dialog box, type the computer name of the DNS server on the internal network that is authoritative for your Active Directory domain in the Name (uses parent domain name if blank) text box. Enter the IP address of the DNS server on the internal network in the IP address text box. Put a checkmark in the Create an associated pointer (PTR) record checkbox. Click Add Host.
  15. Click OK in the DNS dialog box. Click Done in the New Host dialog box.
  16. In the right pane of the DNS console, right click the NS record for the domain and click the Properties option. In the domain’s Properties dialog box, on the Name Servers tab, click the current entry in the server list and then click the Remove button.
  17. Click the Add button on the Name Servers tab. In the New Resource Record dialog box, click the Browse button. In the Browse dialog box, double click your server name, then double click the Forward Lookup Zones folder. Double click your internal network domain name. Double click the name of the DNS server on the internal network. Click OK in the New Resource Record dialog box.
  18. Click Apply and then click OK in the domain’s Properties dialog box.
  19. Right click the SOA record in the right pane of the DNS console and click the Properties option.
  20. On the Start of Authority (SOA) tab, click the Browse button that lies to the right of the Primary server text box. In the Browse dialog box, double click your server name, then double click the Forward Lookup Zones folder. Double click your domain name and then double click the DNS server name on the internal network.
  21. Click Apply and then click OK in the domain’s Properties dialog box.
  22. Right click the server name in the left pane of the console, point to All Tasks and then click Restart.

Configuring the DNS Service in Windows Server 2003

Perform the following steps to configure the DNS service on the Windows Server 2003 computer:

  1. Click Start and point to Administrative Tools. Click the DNS entry.
  2. Right click the server name in the left pane of the console, point to View and click Advanced.
  3. Expand all nodes in the left pane of the DNS console.
  4. Right click the server name in the left pane of the DNS console and click the Properties option.
  5. In the server’s Properties dialog box, click the Interfaces tab. Select the Only the following IP addresses option. Click any IP address that is not an IP address bound to the internal interface of the computer. After highlighting the non-internal IP address, click the Remove button. Click Apply. The DNS server must listen only on the internal interface; if it also listens on the external interface, the firewall becomes an open resolver for anyone on the Internet.
  6. Click the Forwarders tab. Enter the IP address of your ISP’s DNS server in the Selected domain’s forwarder IP address list text box and then click Add. Put a checkmark in the Do not use recursion for this domain checkbox, so that the server does not try to resolve names itself through the root servers when the forwarder fails to answer. Click Apply.
  7. Click OK in the server’s Properties dialog box.
  8. Right click the server name, point to All Tasks and click the Restart command.

Perform the following steps only if you have an internal network DNS server that you are using to support an Active Directory domain:

Warning

DO NOT perform the following steps if you do not already have a DNS server on your internal network. These steps are only for those networks already using Windows 2000 Server or Windows Server 2003 Active Directory domains.

  1. Right click the Reverse Lookup Zones node in the left pane of the console and click New Zone.
  2. Click Next on the Welcome to the New Zone Wizard page.
  3. On the Zone Type page, select the Stub zone option and click Next.
  4. Select the Network ID option and then enter the network ID of the network on which the internal network DNS server is located on the Reverse Lookup Zone Name page in the Network ID text box. Click Next.
  5. Accept the default file name on the Zone File page and click Next.
  6. On the Master DNS Servers page, enter the IP address of your internal network DNS server in the IP address text box and click Add. Click Next.
  7. Click Finish on the Completing the New Zone Wizard page.
  8. Right click the Forward Lookup Zones node in the left pane of the console and click the New Zone command.
  9. Click Next on the Welcome to the New Zone Wizard page.
  10. On the Zone Type page, select the Stub zone option. Click Next.
  11. On the Zone name page, type the name of your internal network domain in the Zone name text box. Click Next.
  12. On the Zone File page, accept the default name for the zone file and click Next.
  13. On the Master DNS Servers page, enter the IP address of your internal network’s DNS server in the IP address text box and click Add. Click Next.
  14. Click Finish on the Completing the New Zone Wizard page.
  15. Right click the server name in the left pane of the console, point to All Tasks and click Restart.
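The caching-only configuration described in this section can also be applied and, more importantly, checked from the command line with dnscmd.exe, which is included with Windows Server 2003. The following script is an added example and is not part of the original article. All addresses and names in it are placeholders (10.0.0.1 and 192.0.2.10 for the internal and external interfaces of the firewall, 203.0.113.53 and 203.0.113.54 for the ISP's DNS servers, corp.example.com and 10.0.0.5 for the internal Active Directory domain and its DNS server); it assumes Windows Server 2003 with PowerShell installed, run from an administrator console on the ISA Server 2004 machine. The stub-zone part does not apply to Windows 2000 Server, which has no stub zones; use the console procedure above on that platform.

```powershell
# Added example (not from the original TechNet article): the Windows Server 2003
# caching-only DNS configuration above, performed with dnscmd.exe, followed by
# the checks worth running afterwards. Placeholder values, adjust to your network:
$InternalIP  = "10.0.0.1"                        # ISA Server internal interface
$ExternalIP  = "192.0.2.10"                      # ISA Server external interface, must NOT answer DNS
$IspDns      = @("203.0.113.53", "203.0.113.54") # ISP DNS servers used as forwarders
$AdDomain    = "corp.example.com"                # set to "" if there is no internal DNS server
$AdNetworkId = "10.0.0"                          # network ID of the internal DNS server (reverse stub zone)
$AdDns       = "10.0.0.5"                        # internal Active Directory DNS server

# 1. Interfaces tab: listen on the internal interface only. Leaving the external
#    interface in the listen list turns the firewall into an open resolver.
& dnscmd /ResetListenAddresses $InternalIP

# 2. Forwarders tab: forward to the ISP's servers; /Slave is the "Do not use
#    recursion" checkbox, so a forwarder failure does not make the firewall
#    start querying root servers on its own.
& dnscmd /ResetForwarders $IspDns /Slave

# 3. Optional stub zones (forward and reverse) so queries for the AD domain are
#    referred to the internal DNS server instead of being sent to the ISP.
if ($AdDomain -ne "") {
    $octets = $AdNetworkId.Split(".")
    [array]::Reverse($octets)                                     # 10.0.0 -> 0.0.10
    $reverseZone = [string]::Join(".", $octets) + ".in-addr.arpa" # 0.0.10.in-addr.arpa
    & dnscmd /ZoneAdd $reverseZone /Stub $AdDns
    & dnscmd /ZoneAdd $AdDomain    /Stub $AdDns
}

# 4. Restart the DNS Server service so the listen-address change takes effect.
Restart-Service -Name DNS

# 5. Checks. /Info prints ListenAddresses, Forwarders and IsSlave (expect 1);
#    /EnumZones must show only the stub zones (and the built-in zones), nothing
#    you are authoritative for.
& dnscmd /Info
& dnscmd /EnumZones

# The internal address must resolve an Internet name through the forwarders ...
& nslookup -timeout=2 www.microsoft.com $InternalIP
# ... while the external address must give no answer at all (nslookup times out).
& nslookup -timeout=2 www.microsoft.com $ExternalIP
```

The last query is only meaningful when it is repeated from a host on the external side of the firewall, because a query sent from the ISA Server to its own external address never crosses the external interface. A timeout there is the expected result; an answer means the listen-address restriction (or the firewall policy for inbound DNS) is wrong and the server is reachable as an open resolver.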

Configuring the DNS Service on the Internal Network DNS Server

If your organization has an existing DNS infrastructure, you should configure your Internal network’s DNS server to use the DNS server on the ISA Server 2004 firewall as its DNS forwarder. This provides a more secure DNS configuration: your Internal network DNS server never communicates directly with an untrusted DNS server on the Internet, and only the DNS server on the firewall itself needs to send DNS traffic to the Internet.

The Internal network DNS server forwards DNS queries to the DNS server on the ISA Server 2004 firewall and the DNS server on the ISA Server 2004 resolves the name, places the result in its own DNS cache, and then returns the IP address to the DNS server on the Internal network.

Perform the following steps on the Internal network DNS server to configure it to use the DNS server on the ISA Server 2004 firewall as its forwarder:

Note

Perform the following steps only if you have a DNS server on the Internal network.

  1. Click Start and point to Administrative tools, then click DNS.
  2. In the DNS Management console, right click the server name in the left pane of the console and click Properties.
  3. In the server’s Properties dialog box, click the Forwarders tab.
  4. On the Forwarders tab, enter the IP address on the Internal interface of the ISA Server 2004 firewall in the Selected domain’s forwarder IP address list text box. Click Add.
  5. The IP address of the internal interface of the ISA Server 2004 firewall appears in the list of forwarder addresses.
  6. Put a checkmark in the Do not use recursion for this domain checkbox. This option prevents the Internal network DNS server from trying to resolve the name itself in the event that the forwarder on the ISA Server 2004 firewall is unable to resolve the name.
  7. Click Apply and then click OK.
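The forwarder setting above can be applied and verified with dnscmd.exe on the Internal network DNS server as well. This is an added example, not part of the original article; the addresses and the domain name are placeholders (10.0.0.1 for the internal interface of the ISA Server 2004 firewall, corp.example.com for the Active Directory domain), and it assumes a Windows Server 2003 DNS server with PowerShell installed, run from an administrator console on that server.

```powershell
# Added example (not from the original TechNet article): make the Internal
# network DNS server forward to the DNS server on the ISA Server 2004 firewall,
# then confirm that Internet names resolve through that chain while the AD
# domain is still answered locally. Placeholder values:
$IsaInternalIP = "10.0.0.1"          # internal interface of the ISA Server 2004 firewall
$AdDomain      = "corp.example.com"  # Active Directory domain hosted on this server
$InternetName  = "www.microsoft.com" # any Internet host name, used for the resolution check

# Forwarders tab: the ISA DNS server is the only forwarder, and /Slave ("Do not
# use recursion for this domain") stops this server from contacting root servers
# or any other Internet DNS server itself when the forwarder does not answer.
& dnscmd /ResetForwarders $IsaInternalIP /Slave

# Confirm the setting: Forwarders must list only the ISA address and IsSlave
# must be 1. Anything else means this server can still reach the Internet directly.
& dnscmd /Info

# An Internet name now has to be resolved via the firewall's DNS server ...
& nslookup -timeout=2 $InternetName 127.0.0.1
# ... and the AD domain is still answered from the local authoritative zone,
# without involving the forwarder at all.
& nslookup -timeout=2 $AdDomain 127.0.0.1
```

If the first lookup times out, check the DNS server on the ISA Server 2004 firewall first: it must be listening on the internal interface and have working forwarders, and the firewall policy must allow the ISA Server’s own DNS queries to leave the network.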

[Topic Last Modified: 02/26/2008]