Internal clients do not receive a response if the DNS server is published not on the primary IP address by using ISA Server 2006


Consider the following scenario:
  • You publish a DNS server by using Microsoft Internet Security and Acceleration (ISA) Server 2006.
  • The DNS server is published not on the primary IP address. For example, the DNS server is published on a secondary IP address.
  • You enable the DNS intrusion detection filter in ISA Server 2006.
In this scenario, all internal clients do not receive a response. However, all external clients work well. 

If you disable the DNS Intrusion detection filter, all clients receive a response that is not limited by the published-IP address of the DNS server.


This issue occurs because the DNS filter does not check whether an internal client tries to access the published DNS server by using a secondary IP address. Therefore, the internal clients cannot connect to the DNS server.


Hotfix rollup information

To resolve this problem, install the hotfix rollup package that is described in the following Microsoft Knowledge Base (KB) article:
2443471 Description of the ISA Server 2006 hotfix package: October 2010


To work around this issue, disable the DNS intrusion detection filter. 

Important If you disable the DNS intrusion detection filter, the functionality that detects and filters DNS attacks is disabled.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates