DNS timeouts?

ted

Distinguished
May 25, 2001
516
0
18,980
Archived from groups: microsoft.public.win2000.dns (More info?)

I have ISA 2004 working perfectly except that occasionally the client will
get a message back that the Gateway could not find an authoritative DNS
server for the domain....

The client is querying an internal DNS and then it forwards to the caching
server on ISA. Everything is local to the client so the speed should be
there....I was thinking of increasing the DNS server forwarder timeout but it
is currently set to 5 seconds which should be enough??

When I don't use ISA, the response is pretty fast so I'm not sure if this is
the right move.

Any ideas?
 
Guest

"Ted" <Ted@discussions.microsoft.com> wrote in message
news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> I have ISA 2004 working perfectly except that occasionally the client will
> get a message back that the Gateway could not find an authoritative DNS
> server for the domain....
>
> The client is querying an internal DNS and then it forwards to the caching
> server on ISA. Everything is local to the client so the speed should be
> there....I was thinking of increasing the DNS server forwarder timeout but
> it
> is currently set to 5 seconds which should be enough??

You can certainly increase the timeout, but eventually the
client (or any querying DNS server) will itself timeout.

Confirm:

Clients point STRICTLY to internal DNS servers ONLY.
Internal DNS servers point to ISA as Forwarder
(Optionally: internal servers choose "Do not use recursion"*)
ISA does its own physical recursion from the Internet root down
OR it forwards to a (reliable, large) ISP? **

* Although, I cannot precisely explain why "Do not use recursion"
might help, doing the recursion AND forwarding is seldom
helpful itself IF the forwarder is reliable, and may not even be
possible due to firewalls. Disabling the internal server recursion
(ONLY) on the Forwarders tab has been (unconfirmed) reported
to help this specific issue.

If the ISP is large (big caches, near the backbone) and RELIABLE,
then most of the time a second forward from the first forwarder
at the gateway/firewall ISP will actually help.


> When I don't use ISA, the response is pretty fast so I'm not sure if this
> is
> the right move.



--
Herb Martin


>
> Any ideas?
 

ted


"Herb Martin" wrote:

> "Ted" <Ted@discussions.microsoft.com> wrote in message
> news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> > I have ISA 2004 working perfectly except that occasionally the client will
> > get a message back that the Gateway could not find an authoritative DNS
> > server for the domain....
> >
> > The client is querying an internal DNS and then it forwards to the caching
> > server on ISA. Everything is local to the client so the speed should be
> > there....I was thinking of increasing the DNS server forwarder timeout but
> > it
> > is currently set to 5 seconds which should be enough??
>
> You can certainly increase the timeout, but eventually the
> client (or any querying DNS server) will itself timeout.
>
> Confirm:
>
> Clients point STRICTLY to internal DNS servers ONLY.

correct

> Internal DNS servers point to ISA as Forwarder

correct

> (Optionally: internal servers choose "Do not use recursion"*)

Recursion is disabled for 'this domain'.

> ISA does its own physical recursion from the Internet root down
> OR it forwards to a (reliable, large) ISP? **

ISA forwards to the ISP (Bell Canada T1)

>
> * Although, I cannot precisely explain why "Do not use recursion"
> might help, doing the recursion AND forwarding is seldom
> helpful itself IF the forwarder is reliable, and may not even be
> possible due to firewalls. Disabling the internal server recursion
> (ONLY) on the Forwarders tab has been (unconfirmed) reported
> to help this specific issue.

Recursion is disabled here but 'This domain' is only the user and computer
domain. There are multiple DNS suffixes and resources in each domain.
>
> If the ISP is large (big caches, near the backbone) and RELIABLE,
> then most of the time a second forward from the first forwarder
> at the gateway/firewall ISP will actually help.

This is exactly what is in place now....
>
>
> > When I don't use ISA, the response is pretty fast so I'm not sure if this
> > is
> > the right move.
>
>
>
> --
> Herb Martin
>
>
> >
> > Any ideas?
>
>
>
 
Guest

"Ted" <Ted@discussions.microsoft.com> wrote in message
news:26F21E40-9AC4-47CD-B2ED-320A056FBA2C@microsoft.com...
> > "Ted" <Ted@discussions.microsoft.com> wrote in message
> > news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> > > I have ISA 2004 working perfectly except that occasionally the client will
> > > get a message back that the Gateway could not find an authoritative DNS
> > > server for the domain....
> > >
> > > The client is querying an internal DNS and then it forwards to the caching
> > > server on ISA. Everything is local to the client so the speed should be
> > > there....I was thinking of increasing the DNS server forwarder timeout but it
> > > is currently set to 5 seconds which should be enough??
> >
> > You can certainly increase the timeout, but eventually the
> > client (or any querying DNS server) will itself timeout.
> >
> > Confirm:
> >
> > Clients point STRICTLY to internal DNS servers ONLY.
>
> correct
>
> > Internal DNS servers point to ISA as Forwarder
>
> correct
>
> > (Optionally: internal servers choose "Do not use recursion"*)
>
> recursion is disabled for 'this domain'

Recursion must NOT be disabled within the Advanced
tab of the Server (there it says "Disable Recursion")
since that disables forwarding also -- it does not sound
like that is your problem but being explicit never hurts.

"Do not use recursion" on the Server Forwarder tab IS
APPROPRIATE in most cases.

Neither is related to any domain or zone but are both
SERVER settings.

> > ISA does its own physical recursion from the Internet root down
> > OR it forwards to a (reliable, large) ISP? **
>
> ISA forwards to the ISP (Bell Canada T1)
>
> >
> > * Although, I cannot precisely explain why "Do not use recursion"
> > might help, doing the recursion AND forwarding is seldom
> > helpful itself IF the forwarder is reliable, and may not even be
> > possible due to firewalls. Disabling the internal server recursion
> > (ONLY) on the Forwarders tab has been (unconfirmed) reported
> > to help this specific issue.
>
> Recursion is disabled here but 'This domain' is only the user and computer
> domain. There are multiple DNS suffixes and resources in each domain.

Disabling recursion is a SERVER wide setting.
Unrelated to any zone/domain individually.

May we assume you handle those other zones and
domains by holding cross secondaries to them or
at least to their parent?

Client suffixes are not part of the DNS server setup
and are merely multiple choices the client may ATTEMPT
before giving up and saying "host not found".

Such might cause APPLICATION timeouts but will not
affect the timeout of an individual request made explicitly
(e.g., through NSLookup or by using a FQDN -- note, an
FQDN is technically only one that TERMINATES in a DOT.)

> >
> > If the ISP is large (big caches, near the backbone) and RELIABLE,
> > then most of the time a second forward from the first forwarder
> > at the gateway/firewall ISP will actually help.
>
> This is exactly what is in place now....
> >
> >
> > > When I don't use ISA, the response is pretty fast so I'm not sure if this is
> > > the right move.

You might try nslookup individually to everyone in the
chain.

See if this also agrees that ISA/DNS is the culprit.

Are you actually running a caching only DNS on the ISA
box or using some setting of ISA (I believe it has one like
the NAT/ICS do.)
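Herb's two practical points above, check each resolver in the chain one at a time and know which recursion setting is actually in play, can be combined into one small probe. The script below is an added example and is not from the thread or from any Microsoft tool: it hand-builds a UDP DNS query, sends it to each hop with the same 5-second wait the thread discusses, and reports per hop whether the server timed out, answered, returned SERVFAIL, or does not advertise recursion at all. That last case is visible in the RA bit of the response header, which a server with the server-wide "Disable Recursion" setting clears, so this also distinguishes it from the Forwarders-tab "Do not use recursion" option (a forward-only server still sets RA). The addresses in `CHAIN` and the two `SAMPLE_*` byte strings are constructed placeholders, not values from the thread.

```python
import socket
import struct
import time

# Response codes from RFC 1035 section 4.1.1 (low four bits of the flags word).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Constructed sample responses (header only) so the parser and the diagnosis can
# be exercised offline:
#   id 0x1234, QR=1 RD=1 RA=1, rcode 0, one answer -> a healthy forwarder reply
SAMPLE_OK = bytes.fromhex("1234818000010001000000000000")
#   id 0x1234, QR=1 RD=1 RA=0, rcode 2 -> a server that will not recurse or forward
SAMPLE_NO_RA = bytes.fromhex("1234810200010000000000000000")


def build_query(name, qid=0x1234, qtype=1):
    """Build a standard recursive (RD=1) A query for `name` in class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")  # a trailing dot marks a true FQDN
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_id=None):
    """Summarise a DNS response header; rejects replies whose id is not ours."""
    if len(data) < 12:
        raise ValueError("short DNS response")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("response id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return {
        "id": qid,
        "truncated": bool(flags & 0x0200),            # TC: answer needs a TCP retry
        "recursion_available": bool(flags & 0x0080),  # RA: server will recurse/forward
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def diagnose(result):
    """Map one probe result onto the likely cause of a 'could not find DNS server' error."""
    if result.get("timeout"):
        return "TIMEOUT: no reply; server unreachable or its own forwarder chain is slower than our wait"
    if not result["recursion_available"]:
        return "RA=0: server will not recurse or forward (server-wide 'Disable Recursion' is on)"
    if result["rcode"] == "SERVFAIL":
        return "SERVFAIL: server tried but its upstream forwarder/root lookup failed or timed out"
    if result["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: name does not exist (negative answer from the authority)"
    if result["rcode"] == "NOERROR" and result["answers"] == 0:
        return "NOERROR but no answers: wrong record type or suffix"
    return "OK: %d answer(s) in %.0f ms" % (result["answers"], result["elapsed_ms"])


def probe(server, name, timeout=5.0, qid=0x1234):
    """Send one UDP query to server:53 and time the reply; returns a dict, never raises on timeout."""
    query = build_query(name, qid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(query, (server, 53))
        while True:
            data, _ = sock.recvfrom(4096)
            try:
                summary = parse_response(data, expected_id=qid)
            except ValueError:
                continue  # stray or mismatched datagram: ignore, keep waiting for our id
            summary.update(server=server, timeout=False,
                           elapsed_ms=(time.monotonic() - start) * 1000)
            return summary
    except OSError:  # socket.timeout is an OSError subclass
        return {"server": server, "timeout": True, "elapsed_ms": timeout * 1000}
    finally:
        sock.close()


def probe_chain(servers, name, timeout=5.0):
    """Query every resolver in the chain for the same name and diagnose each hop."""
    return [(s, diagnose(probe(s, name, timeout))) for s in servers]


if __name__ == "__main__":
    # Offline check on the constructed samples.
    for raw in (SAMPLE_OK, SAMPLE_NO_RA):
        print(diagnose(dict(parse_response(raw, 0x1234), timeout=False, elapsed_ms=0)))
    # Placeholder chain: internal DNS, caching DNS on the ISA box, ISP forwarder.
    CHAIN = ["192.0.2.10", "192.0.2.1", "198.51.100.53"]
    for server, verdict in probe_chain(CHAIN, "www.example.com."):
        print(server, "->", verdict)
```

Run it with the real addresses of the internal server, the ISA caching server and the ISP forwarder, querying the same fully qualified name (trailing dot) at each. If the internal server reports TIMEOUT or SERVFAIL while the hops behind it answer quickly, the problem is between those two hops rather than at the ISP; if any hop reports RA=0, that server has recursion switched off server-wide and will never forward, whatever its forwarder timeout is set to.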
 
Guest

Hi Ted

I normally just have my internal DNS server forward directly to the ISP. On
the ISA Server, I point the internal NIC to the internal DNS server and
don't bother setting a DNS server on the external NIC. In this way, all
requests go via the internal DNS server and then get forwarded to the ISP
for external resolution.

What was your motivation for caching on the ISA server?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Ted" <Ted@discussions.microsoft.com> wrote in message
news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> I have ISA 2004 working perfectly except that occasionally the client will
> get a message back that the Gateway could not find an authoritative DNS
> server for the domain....
>
> The client is querying an internal DNS and then it forwards to the caching
> server on ISA. Everything is local to the client so the speed should be
> there....I was thinking of increasing the DNS server forwarder timeout but it
> is currently set to 5 seconds which should be enough??
>
> When I don't use ISA, the response is pretty fast so I'm not sure if this is
> the right move.
>
> Any ideas?
 

ted


My understanding was that having a caching-only DNS server as the only
internet-facing DNS was more secure. There are no zones except stub zones for
the internal DNS, no zone transfers and only one, inherently more secure,
server facing the net.

"Mark Renoden [MSFT]" wrote:

> Hi Ted
>
> I normally just have my internal DNS server forward directly to the ISP. On
> the ISA Server, I point the internal NIC to the internal DNS server and
> don't bother setting a DNS server on the external NIC. In this way, all
> requests go via the internal DNS server and then get forwarded to the ISP
> for external resolution.
>
> What was your motivation for caching on the ISA server?
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Ted" <Ted@discussions.microsoft.com> wrote in message
> news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> > I have ISA 2004 working perfectly except that occasionally the client will
> > get a message back that the Gateway could not find an authoritative DNS
> > server for the domain....
> >
> > The client is querying an internal DNS and then it forwards to the caching
> > server on ISA. Everything is local to the client so the speed should be
> > there....I was thinking of increasing the DNS server forwarder timeout but it
> > is currently set to 5 seconds which should be enough??
> >
> > When I don't use ISA, the response is pretty fast so I'm not sure if this is
> > the right move.
> >
> > Any ideas?
>
>
>
 
Guest

"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:#iuwWoVDFHA.3324@TK2MSFTNGP15.phx.gbl...
> Hi Ted
>
> I normally just have my internal DNS server forward directly to the ISP. On
> the ISA Server, I point the internal NIC to the internal DNS server and
> don't bother setting a DNS server on the external NIC.

This is problematic if the ISA machine is a DOMAIN
machine (which it must be for AD integration).

In that case, not only should the internal NIC be set to
use the internal DNS -- it is now an INTERNAL client and
needs this -- but the EXTERNAL NIC must be set that
way also.

Frequently the external NIC is DHCP assigned which complicates
this, but if you type in a DNS Server setting on the ISA CLIENT
NIC it will override the one from the ISP.

Then you place the ISP in the ISA server setting for DNS or
you run a REAL DNS server (caching only, no zones needed)
on that machine.

> In this way, all
> requests go via the internal DNS server and then get forwarded to the ISP
> for external resolution.

That works (technically) but means that internal DNS servers
which are frequently DCs must pass the firewall which not
only complicates firewall definitions but is a security risk.

Sensitive internal machines should not generally visit the
internet.

> What was your motivation for caching on the ISA server?

Perhaps he read the Microsoft sales literature on the product.
<GRIN>



--
Herb Martin


>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Ted" <Ted@discussions.microsoft.com> wrote in message
> news:85084BCC-81E0-4C24-B4A7-18786065DC6C@microsoft.com...
> > I have ISA 2004 working perfectly except that occasionally the client will
> > get a message back that the Gateway could not find an authoritative DNS
> > server for the domain....
> >
> > The client is querying an internal DNS and then it forwards to the caching
> > server on ISA. Everything is local to the client so the speed should be
> > there....I was thinking of increasing the DNS server forwarder timeout but it
> > is currently set to 5 seconds which should be enough??
> >
> > When I don't use ISA, the response is pretty fast so I'm not sure if this is
> > the right move.
> >
> > Any ideas?
>
>
 
Guest

"Ted" <Ted@discussions.microsoft.com> wrote in message
news:50D893CE-D500-40BF-819A-2CDB50AAE4DF@microsoft.com...
> My understanding was that having a caching-only DNS server as the only
> internet-facing DNS was more secure. There are no zones except stub zones for
> the internal DNS, no zone transfers and only one, inherently more secure,
> server facing the net.

You are correct. It also keeps DCs/DNS servers
off the Internet and behind the firewall.

--
Herb Martin
