Configuring DNS Servers for ISA Server 2004

One of the most common issues facing administrators who deploy ISA Server is how to configure the ISA Server computer to resolve Domain Name System (DNS) requests.  If DNS is configured incorrectly, the ISA Server computer fails to resolve either internal names or external names.  The resulting name resolution problems can be intermittent and difficult to track down, and range from email not being transmitted to users being unable to access the Internet through the Web proxy.

Note

The DNS setting referred to in this document is under the advanced properties for TCP/IP for each individual network interface on the ISA Server computer.

This document describes various ISA Server scenarios, details how to set up ISA Server for DNS for each scenario, and explains why each configuration is needed.   It covers the simplest configuration, a single-homed ISA Server computer in a non-domain scenario, and also describes a complex scenario, that of a multi-homed ISA Server computer that is a domain member.

There are two rules to remember when setting up DNS on ISA Server. These rules apply to the DNS client configuration of any Windows-based computer, not only ISA Server:

No matter how many network adapters you have, assign DNS servers on only one adapter (which adapter does not matter).  There is no need to set up DNS on every network adapter.

Always point DNS at either internal servers or external servers, never at both.
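The following script is an added example, not part of the original article or of ISA Server itself. It checks the ISA Server computer's DNS client settings against the two rules above through WMI. It assumes Windows PowerShell 2.0 or later on the ISA Server computer; the address prefixes used to decide what counts as "internal" are an assumption for illustration and must be replaced with your own internal ranges.

```powershell
# Added example (not from the original article): audit the DNS client settings of every
# adapter on this computer against the two rules. Assumes PowerShell 2.0+ with WMI access.
$InternalPrefixes = @('10.', '192.168.', '172.16.')   # assumption: replace with your internal subnets

function Test-InternalAddress {
    param([string]$Address)
    foreach ($prefix in $InternalPrefixes) {
        if ($Address.StartsWith($prefix)) { return $true }
    }
    return $false
}

# IP-enabled adapters that carry at least one DNS server entry (static or DHCP-assigned).
$withDns = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder })

foreach ($cfg in $withDns) {
    "{0}: {1}" -f $cfg.Description, ($cfg.DNSServerSearchOrder -join ', ')
}

# Rule 1: DNS servers are assigned on exactly one adapter.
if ($withDns.Count -eq 0) {
    Write-Warning 'No adapter has DNS servers assigned; this computer cannot resolve names.'
} elseif ($withDns.Count -gt 1) {
    Write-Warning ('Rule 1 violated: DNS servers are assigned on {0} adapters; keep them on one.' -f $withDns.Count)
}

# Rule 2: every configured server is internal, or every configured server is external.
$servers  = @($withDns | ForEach-Object { $_.DNSServerSearchOrder })
$internal = @($servers | Where-Object { Test-InternalAddress $_ })
$external = @($servers | Where-Object { -not (Test-InternalAddress $_) })
if ($internal.Count -gt 0 -and $external.Count -gt 0) {
    Write-Warning ('Rule 2 violated: internal ({0}) and external ({1}) DNS servers are mixed.' -f `
        ($internal -join ', '), ($external -join ', '))
} elseif ($servers.Count -gt 0) {
    'Rule 2 satisfied: all DNS servers are ' + $(if ($internal.Count -gt 0) { 'internal' } else { 'external' }) + '.'
}
```

Run it after any adapter change; DHCP-assigned DNS servers on the external adapter are the usual way rule 2 gets broken without anyone editing a setting by hand.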

Multi-homed ISA Server computers

Single network adapter scenarios

Common Questions

Multi-homed ISA Server computers

Multi-homed ISA Server computers have network adapters on both the external and the internal network, and each adapter can carry its own DNS settings. Depending on the scenario, ISA Server fails to resolve names, or fails to participate in the domain, if these settings are not configured correctly.

There are several ways to correctly configure DNS depending on the requirement of the internal network.

Non-Domain ISA Server computers

ISA Server computers that are not domain members should be set up just like a single-homed computer.  If you have an internal DNS zone that you need to resolve, point DNS at the internal DNS server.  The internal DNS server then forwards name resolution requests to your ISP's DNS servers or uses root hints to resolve external names.

Domain Member ISA Server computer with full internal resolution

This is the most common setup.  A multi-homed ISA Server computer that is a domain member must point at internal DNS servers only, and from one adapter only, because it has to locate domain controllers through DNS to participate in the domain.   The internal DNS servers then forward to the ISP or use the root servers.  This lets the ISA Server computer and internal clients resolve both internal names and Internet names.


Figure 1 :Full DNS resolution configuration
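The script below is an added example, not from the original article, showing how the Figure 1 layout is applied on the ISA Server computer with netsh (present on Windows Server 2003), run from a PowerShell prompt. The adapter connection names, the DNS server addresses and the domain name are assumptions; substitute your own (the connection names are assumed to contain no spaces).

```powershell
# Added example (not from the original article): configure the DNS client of a multi-homed,
# domain-member ISA Server computer for full internal resolution (Figure 1). Run as Administrator.
$InternalAdapter = 'Internal'                   # assumption: connection name of the internal NIC
$ExternalAdapter = 'External'                   # assumption: connection name of the external NIC
$InternalDns     = @('10.0.0.10', '10.0.0.11')  # assumption: the domain's internal DNS servers
$Domain          = 'corp.example.local'         # assumption: the Active Directory domain name

# Internal adapter: the first server replaces whatever was configured, the rest are appended
# in order. register=primary registers this adapter's address in DNS, which a domain member needs.
netsh interface ip set dns name=$InternalAdapter source=static addr=$($InternalDns[0]) register=primary
for ($i = 1; $i -lt $InternalDns.Count; $i++) {
    $position = $i + 1
    netsh interface ip add dns name=$InternalAdapter addr=$($InternalDns[$i]) index=$position
}

# External adapter: no DNS servers at all. The ISP's servers are reached only through the
# internal servers' forwarders, so the resolver never holds internal and external servers together.
netsh interface ip set dns name=$ExternalAdapter source=static addr=none

# Check the result: DNS servers must be listed under exactly one adapter.
ipconfig /all

# Both an internal name (the domain controller locator record) and an Internet name must now
# resolve through the internal servers. If only the second query fails, the internal servers are
# neither forwarding to the ISP nor using root hints.
nslookup '-type=SRV' "_ldap._tcp.dc._msdcs.$Domain"
nslookup www.microsoft.com
```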

Isolating Internal DNS Servers

Another common scenario is where the Internal DNS servers do not forward to the Internet at all.  This prevents both the Internal DNS servers and clients who use them from resolving names on the Internet.  

The ISA Server computer cannot point at the internal DNS servers for name resolution in this case, but it still has to resolve both internal and external DNS names. Set up another DNS server on the ISA Server computer itself, or designate a DNS server internally that is dedicated to resolving both internal and external DNS names.

On this new DNS server, create a secondary zone for your internal DNS namespace (with zone transfers from the internal DNS servers restricted to this server), and then configure the server to forward to the ISP's DNS servers, or to use root hints, for all other names.

This solution isolates the intranet namespace: the internal DNS servers never send a query to the Internet, so Internet responses cannot pollute or poison their caches. Only the dedicated resolver is exposed to Internet DNS traffic.


Figure 2:   Multi-homed ISA with Internal DNS server Isolation
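The script below is an added example, not from the original article, that builds the dedicated resolver of Figure 2 with dnscmd (the DNS Server command-line tool on Windows Server 2003). The zone name, the server addresses and the step that disables recursion on the internal server are assumptions added here for illustration; substitute your own values, and disable recursion only if the internal servers hold every zone that internal clients need.

```powershell
# Added example (not from the original article): set up the isolated DNS layout of Figure 2.
# Run from a PowerShell prompt on an administrative workstation that can reach both servers.
$Zone        = 'corp.example.local'              # assumption: internal namespace held by the internal servers
$InternalDns = '10.0.0.10'                       # assumption: an internal DNS server authoritative for $Zone
$Resolver    = '10.0.0.20'                       # assumption: the new DNS server the ISA Server computer will use
$IspDns      = @('198.51.100.1', '198.51.100.2') # assumption: the ISP's resolvers (documentation addresses)

# Internal DNS server: hand a copy of the zone only to the dedicated resolver and notify it of
# changes. It keeps no forwarders, so it never sends a query to the Internet.
dnscmd $InternalDns /ZoneResetSecondaries $Zone /SecureList $Resolver /NotifyList $Resolver
# Added hardening consistent with the isolation goal (an assumption, not a step from the article):
# refuse recursive queries, so the internal server answers only from the zones it holds.
dnscmd $InternalDns /Config /NoRecursion 1

# Dedicated resolver: secondary copy of the internal zone, everything else forwarded to the ISP.
# Omit the /ResetForwarders line to resolve from the root hints instead. Arrays passed to a
# native command expand to separate arguments, so both ISP addresses are supplied.
dnscmd $Resolver /ZoneAdd $Zone /Secondary $InternalDns
dnscmd $Resolver /ResetForwarders $IspDns

# Checks, run on the ISA Server computer, whose only configured DNS server is $Resolver:
nslookup "dc1.$Zone" $Resolver             # answered from the secondary zone
nslookup www.microsoft.com $Resolver       # answered through the forwarders
nslookup www.microsoft.com $InternalDns    # must fail: the internal server does not resolve Internet names
```

The last query is the isolation check: if the internal server still answers for an Internet name, it is resolving through root hints or a forgotten forwarder and the cache isolation this scenario is meant to provide is not in place.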

Single network adapter scenarios

In this section, ISA Server is set up with one network adapter and can function only as a Web proxy server (the Firewall service cannot run with only one network adapter).

Non-domain member / No internal DNS exists

A stand-alone ISA Server computer that is not a member of a domain, where no internal DNS server exists, should point to the ISP's DNS servers.

Non-domain member / internal DNS exists

A stand-alone ISA Server computer that is not a member of a domain, where an internal DNS server exists, should point to the internal DNS server to resolve internal names, and should NOT list the ISP's DNS servers as secondary servers.  The internal DNS server should use forwarders that point to the ISP's DNS servers, or should use the root servers (employing root hints), so that the ISA Server computer can resolve external names.  If the ISA Server computer does not need to resolve internal DNS names at all, it can safely point to the ISP's DNS servers.

Domain member / NT 4.0

An ISA Server computer that is a member of a Windows NT 4.0 domain can safely point to the ISP's DNS servers, because NT 4.0 domains do not use DNS to locate domain controllers (they use NetBIOS name resolution and WINS).  If you have an internal DNS server and need to resolve internal names as well as external names, point the ISA Server computer at the internal DNS server, as long as that server forwards to the ISP's DNS servers or uses the root servers.

Common Questions

Q:  Why can’t I point to the Windows 2000 DNS first, and then to the ISP DNS?

A:  A common misconception is that listing the Windows 2000 DNS server first and the ISP's DNS server second gives you fault tolerance.  The problem is that once the first DNS server fails, the Windows DNS client on the ISA Server computer switches to the second server and does not return to the first unless the second server also fails.   Everything works until you take the internal DNS server down for maintenance; a few hours later nobody can reach the Internet, because the ISA Server computer is now sending every query, including lookups for the domain controller records, to the ISP's DNS server, which does not know them, so users can no longer be validated against the domain.  Restarting the ISA Server computer clears this state.

Q:  Why not point the external ISA NIC to the ISP for DNS?

A:  The problem here is that the DNS client on the ISA Server computer does not know which names are internal and which are external when it resolves them; it sends each query to whichever configured server it is currently using.  This means the ISA Server computer can end up asking the ISP's DNS server for an internal name.  Once it receives "name not found", that negative answer is cached and the internal DNS server is not consulted for the name, so the computer fails to participate in the domain.
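The following script is an added example, not from the original article, that illustrates both questions above: it asks every DNS server currently configured on the ISA Server computer for one internal name and one Internet name, so a server that would answer "name not found" for the domain shows up before the resolver happens to fail over to it. The internal name is an assumption; replace it with a record that only your internal DNS servers hold. It assumes PowerShell 2.0 or later and the nslookup tool that ships with Windows.

```powershell
# Added example (not from the original article): show each configured DNS server's view of an
# internal and an external name. Any server that cannot answer the internal name is one the
# resolver must never be allowed to fail over to.
$InternalName = 'dc1.corp.example.local'   # assumption: a name known only to the internal DNS servers
$ExternalName = 'www.microsoft.com'

# Every DNS server listed on any IP-enabled adapter, in the order the adapters report them.
$servers = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder } |
    ForEach-Object { $_.DNSServerSearchOrder })

function Test-Resolves {
    param([string]$Name, [string]$Server)
    # nslookup reports failures in its text output ("*** ... can't find ...", "timed-out"),
    # not through its exit code, so the output is inspected.
    $out = & nslookup $Name $Server 2>&1 | Out-String
    return ($out -notmatch "can't find") -and ($out -notmatch 'timed[ -]out')
}

foreach ($s in $servers) {
    $int = Test-Resolves $InternalName $s
    $ext = Test-Resolves $ExternalName $s
    "{0,-16} internal:{1,-5} external:{2}" -f $s, $int, $ext
    if (-not $int) {
        Write-Warning "$s cannot resolve $InternalName; if the resolver fails over to it, domain lookups break."
    }
    if (-not $ext) {
        Write-Warning "$s cannot resolve $ExternalName; check its forwarders or root hints."
    }
}
```

With the configurations recommended in this document, every server in the list answers both names; a line showing internal:False is exactly the mixed internal-and-ISP configuration the two questions warn about.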