Discussion:
DNS Problem
Ken Lowe
2006-03-29 17:22:01 UTC
I'm getting the following message when I go to the internet. I've created a
cache-only DNS on the ISA server. I've included the ISP's DNS on the
forwarders list.


Error Code 11002: Host not found
Background: This error indicates that the gateway could not find an
authoritative DNS server for the website you are trying to access.
Date: 3/29/2006 5:17:11 PM
Server: lbgsrsvr05.tad.teledyne.com
Source: DNS problem

Thanks
unknown
2006-03-29 17:28:33 UTC
The AD/DNS can actually get out to the Internet to make the DNS Query to the
ISP's DNS?

The ISA is using the AD/DNS?

Is the Live log showing anything being blocked?
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Ken Lowe
2006-03-29 18:30:03 UTC
From the Live Log I get the following message:

Failed Connection Attempt Allow HTTP/HTTPS requests from ISA Server to
selected servers for connectivity verifiers 172.16.40.71 anonymous Local
Host External GET http://google.com/
unknown
2006-03-29 20:08:28 UTC
I don't know why MS, or anyone, has ever suggested running any kind of DNS
on the ISA box in any way. Except for SBS, every time I see it done it is a
mess.

Get DNS (regardless of the method you are running it as) off of the ISA
box. Point the ISA, and every other machine on the LAN, at the AD/DNS
machine for DNS. Then use the ISP's DNS IP# in the Forwarders List on the
AD/DNS.

Create an Access Rule for outbound DNS Queries for the AD/DNS machine to
make anonymous outbound DNS Queries as a SecureNAT Client.

You do that and it will work. It will be so trouble-free that you will
forget it exists.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
Ken Lowe
2006-03-29 21:02:01 UTC
The reason for putting the DNS on the ISA was because I don't have permission
to add the ISP addresses on the AD/DNS. My question to you is if we add the
addresses will it replicate over to the other AD/DNS on the network. We have
about 15 different OU's on our network.

Thanks
unknown
2006-03-29 23:05:51 UTC
Post by Ken Lowe
The reason for putting the DNS on the ISA was because I don't have permission
to add the ISP addresses on the AD/DNS. My question to you is if we add the
addresses will it replicate over to the other AD/DNS on the network. We have
about 15 different OU's on our network.
Then don't bother with the Forwarders at all. Whoever is responsible for
that DNS machine, that you can't alter, probably already has Forwarders
listed in it or is using Root Servers. You don't have to use "your" ISP,
any ISP will work, any legitimate outside DNS will work, even Root Servers
will work... and since that AD/DNS is already working for whoever maintains
it, it will also work for you as it is. So just point all your machines to
the proper internal DNS that you are supposed to use and forget it.

For any more suggestions I would have to have a more clear explanation of
your environment without any "surprises".
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
ZVR
2006-03-29 23:15:05 UTC
Post by unknown
I don't know why MS, or anyone, has ever suggested running any kind of DNS
on the ISA box in any way. Except for SBS, every time I see it done it is a
mess.
When I install ISA in edge firewall mode, I always do it for caching
purposes... exactly like Ken. I don't like the idea of depending on another
internal DNS server for name resolution, when it's obvious that the ISA
machine will always be there or Internet doesn't exist for the LAN. Plus,
many times the edge device will be the "entry point" into the DNS zone as
well - another reason why I don't want to rely on an internal DNS server,
especially with a split-DNS setup where you're toasted if the external zone,
and the internal one have the same name.
Post by unknown
Get DNS (regardless of the method you are running it as) off of the ISA
box. Point the ISA, and every other machine on the LAN, at the AD/DNS
machine for DNS. Then use the ISP's DNS IP# in the Forwarders List on the
AD/DNS.
Create an Access Rule for outbound DNS Queries for the AD/DNS machine to
make anonymous outbound DNS Queries as a SecureNAT Client.
With the exceptions I mentioned above, this is indeed a logical, and simple
way of doing it. Phillip is 100% correct... keep it simple guys, unless you
have a good reason to complicate things.

Virgil
unknown
2006-03-29 23:26:56 UTC
Post by ZVR
... keep it simple guys, unless you
have a good reason to complicate things.
That's my motto! ;-)
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
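
Added example, not part of the thread: a small Python probe for the checks discussed above (does a given DNS server answer at all, and can it resolve through its forwarders). The script, its result labels and their interpretations are assumptions of this example; the name to resolve and the server addresses are supplied on the command line.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed ID is fine for a manual diagnostic, not for a real resolver

HINTS = {  # typical interpretations (assumptions of this example, not ISA output)
    "timeout": "no reply: server down, or query/answer dropped (outbound DNS rule?)",
    "servfail": "server reached but could not resolve upstream: check forwarders/root hints",
    "refused": "server reached but will not answer this client",
    "nxdomain": "resolution path works; the name does not exist",
    "ok": "resolution path works",
    "invalid": "reply too short, wrong ID, not a response, or unexpected rcode",
}

def build_query(name):
    """Recursive A/IN query for `name` in RFC 1035 wire format."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def classify(reply):
    """Map a raw UDP reply (None = nothing received) to a key of HINTS."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "invalid"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != TXID or not flags & 0x8000:  # QR bit must be set in a response
        return "invalid"
    return {0: "ok", 2: "servfail", 3: "nxdomain", 5: "refused"}.get(flags & 0xF, "invalid")

def probe(server, name, timeout=3.0):
    """Send one query to `server` on UDP/53 and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            reply = s.recv(512)
        except OSError:  # includes socket.timeout and unreachable errors
            reply = None
    return classify(reply)

# Constructed header-only replies for offline checks (not captured traffic).
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", TXID, 0x8182, 1, 0, 0, 0)
SAMPLE_OK = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    # usage: script.py NAME SERVER [SERVER ...]  (e.g. the internal DNS, then the ISP's)
    for server in sys.argv[2:]:
        result = probe(server, sys.argv[1])
        print(f"{server}: {result} ({HINTS[result]})")
```

Run from the firewall host and from a LAN client, a "timeout" against the ISP's server alongside "ok" against the internal one points at the access rule rather than at DNS itself.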