This article describes how to publish a Domain Name System (DNS) server by using Microsoft Internet Security and Acceleration (ISA) Server.
There are two possible scenarios for DNS hosting:
Scenario 1: DNS hosting with a DNS Server on ISA Server
By default, ISA Server includes a predefined DNS query packet filter:
Name: DNS Filter
Filter Type: Predefined
Protocol: UDP
Direction: Send Receive
Local Port: All ports
Remote Port: Fixed port, 53
Local Computer: Default IP address on the External interface(s)
Remote Computer: All Remote Computers
Because the direction of the preceding packet filter is "Send Receive" with Remote port 53, the filter enables ISA Server to send DNS queries to an external DNS server that listens on User Datagram Protocol (UDP) port 53 and receives responses to these queries.
The filter does not enable incoming DNS queries to ISA Server. When you host a DNS server for external client computers, you must add a custom DNS packet filter that can enable incoming DNS queries to be received by the DNS server. An example of such a packet filter is:
Name: DNS Query
Protocol: UDP
Direction: Receive Send
Local Port: Fixed port, 53
Remote Port: All ports
Local Computer: Default IP address on the External interface(s)
Remote Computer: All Remote Computers
Unlike DNS queries which use UDP protocol, DNS zone transfers between primary and secondary DNS servers use Transmission Control Protocol (TCP) protocol. If you require a DNS zone transfer to a secondary DNS server on the external network adapter of ISA Server, you must create another custom packet filter, such as:
Name: DNS Zone transfer (In)
Protocol: TCP
Direction: Inbound
Local Port: Fixed port, 53
Remote Port: All ports
Local Computer: Default IP address on the External interface(s)
Remote Computer: All Remote Computers
Name: DNS Zone transfer (Out)
Protocol: TCP
Direction: Outbound
Local Port: Allports
Remote Port: Fixed port, 53
Local Computer: Default IP address on the External interface(s)
Remote Computer: All Remote Computers
To prevent DNS zone transfers to unauthorized DNS servers, you must set the DNS server to enable zone transfers only to the specified DNS servers, or you can modify the preceding packet filter so that the specified remote computer is the Internet Protocol (IP) address of the secondary DNS server, instead of "All Remote Computers". For more details on DNS zone transfers, refer to Windows 2000 online Help.
Scenario 2: DNS Server on the private network of ISA Server
To enable a DNS server on the private network of ISA Server to resolve DNS queries for clients on the network adapter of ISA Server, you must create a DNS Publishing rule:
- Right-click Server Publishing Rule, click New, and then click Rule.
- Type in a name for the Server Publishing rule, and then click Next.
- Enter the IP addresses of the internal DNS server and the external interface of ISA Server, and then click Next.
- Click DNS Query Server as the protocol, and then click Next.
- Apply the rule to Any Request, click Next, and then click Finish.
If you require DNS zone transfer to a secondary DNS server on the network adapter of ISA Server, you must create another Server Publishing rule. Use the same general guidelines as the preceding DNS Query rule and select "DNS zone transfer" as the protocol.
Back to the top
