Planning for domain name resolution

Published: November 15, 2009

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

Forefront TMG relies on the Server Domain Name System (DNS) for domain name resolution, for both inbound and outbound traffic. This topic is designed to help you plan domain name resolution for Forefront TMG.

When you configure DNS settings on Forefront TMG, follow these guidelines:

  • Configure DNS only for a single adapter on the Forefront TMG computer, regardless of the number of network adapters that are installed on the computer.

  • The adapter on which you configure DNS must be the topmost adapter in the Forefront TMG Network Adapters list, in the Networks node.

  • Wherever possible, configure DNS servers that reside in the internal network. In deployments where Forefront TMG is installed in a workgroup environment, the following exceptions apply:

    • If Forefront TMG is deployed in a network without an internal DNS server, configure the DNS server of the network’s Internet service provider (ISP).

    • If Forefront TMG is deployed in a network where the internal DNS server is not connected to the Internet, install an additional, dedicated DNS server in the internal network. This server should query the ISP’s DNS server for external name resolution, and the internal DNS for internal name resolution.

      You can install the additional DNS server anywhere in the internal network, including on the Forefront TMG computer.

  • The internal DNS servers must forward name resolution requests to the ISP’s DNS servers in the external network, or to root DNS servers. This allows internal clients to resolve both internal host names and host names on the Internet.

  • The DNS servers should use either forwarders or root hints to resolve external names.

  • In deployments where Forefront TMG is a domain member, the DNS servers must be in the same domain as Forefront TMG, or in domains with trust relationships with the Forefront TMG domain.
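
The following PowerShell script is an added example, not part of the original topic or of Forefront TMG. It audits two of the guidelines above on the Forefront TMG computer: that DNS is configured on a single adapter, and that the configured DNS servers are internal. It assumes that internal DNS servers use RFC 1918 or loopback addresses; the function name Test-InternalAddress is hypothetical.

```powershell
# Added example: audit the DNS guidelines on a Forefront TMG computer.
# Assumption: "internal" means an RFC 1918 or loopback IPv4 address.
# Adjust Test-InternalAddress if the internal network uses other ranges.

function Test-InternalAddress {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# IP-enabled adapters that have at least one DNS server set.
# DNSServerSearchOrder also lists servers assigned by DHCP.
$withDns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Where-Object { $_.DNSServerSearchOrder })

foreach ($a in $withDns) {
    "{0}: DNS servers {1}" -f $a.Description, ($a.DNSServerSearchOrder -join ', ')
}

# Guideline: configure DNS only for a single adapter.
if ($withDns.Count -eq 0) {
    Write-Warning "No adapter has DNS servers configured."
} elseif ($withDns.Count -gt 1) {
    Write-Warning "DNS is configured on $($withDns.Count) adapters; the guideline is a single adapter."
}

# Guideline: wherever possible, use DNS servers in the internal network.
foreach ($a in $withDns) {
    foreach ($server in $a.DNSServerSearchOrder) {
        if (-not (Test-InternalAddress $server)) {
            Write-Warning ("{0}: DNS server {1} is not an internal address. " +
                "This is expected only in the workgroup exceptions (ISP DNS server).") -f $a.Description, $server
        }
    }
}
```

The script only reads the adapter configuration and does not check the adapter's position in the Forefront TMG Network Adapters list.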
