
Who is primary DNS

Discussion in 'Legacy Windows' started by Sue, 2003/05/27.

  #1  2003/05/27  Sue (thread starter)
    I have a Windows 2000 Advanced Server with Active Directory, DHCP and DNS services. I have 15 servers with static IPs.

    The DNS server list has its own IP address as preferred DNS, followed by the IP address of the ISA firewall and the default gateway.

    The firewall lists my ISP's IPs as my primary and secondary DNS.

    My ISP insists that they should be listed on my DNS server as the primary DNS.

    Any thoughts on this?
  #2  2003/05/27  Abraxas
    I'm no network guru, but isn't the real question, "Does it work?"

    I'm running Bind-PE (http://ntcanuck.com) and use localhost for DNS resolution. I listed no secondary or tertiary DNS addresses for a long time. Just yesterday, I decided to list my ISP's DNS addresses as second and third, just to avoid any future hassles, but I always found my local DNS more reliable than my ISP's, which seems to be down quite a bit (Adelphia).
  #3  2003/05/27  Sue (thread starter)
    It works great for me. But my ISA server is getting "all port scan" attacks that list my ISP's DNS. They say that my DNS is the reason why.

    They are telling me that no one ever uses their own DNS; they always point to the ISP's.

    Thanks
  #4  2003/05/28  Bitbyter
    I don't know anything about ISA servers.

    You have W2K AD. You have at least member servers and presumably clients that are recognized machines in AD. These machines register their addresses in DNS. You need to run DNS for this, given that you are configured for AD. Your systems must use and know where your DNS server is.

    Under Windows, the first listed DNS server is the server that is used unless that server fails. If it doesn't fail and doesn't resolve, your request for resolution comes to a screaming halt.

    The secondary and tertiary DNS servers are listed for the event that your primary DNS server fails. But with 15 servers, we suspect that you have two DNS servers configured for your local network. So your secondary DNS server listing is your second DNS server.

    Your DNS server knows how to resolve your local FQDNs because they would be listed in your forward lookup zone. What does it do for FQDNs not listed there? It forwards the request to... ...here's where what your "firewall" is doing creates a question along with how that may or may not be related to the gateway... ...something that knows how to forward the request to your ISP DNS servers.

    You would not point any of your systems, for DNS resolution, to the firewall, gateway, or your ISP DNS servers. You point them to your DNS server as it is supporting AD. Your DNS server has "Enabled Forwarders" and your forwarder is either that, er, firewall/gateway (ISA Server), or your ISP servers. If that firewall/gateway device(s) is forwarding, then it has the addresses of your ISP's primary and secondary DNS servers.

    Whether or not your forwarder is the intermediate device or your ISP's DNS servers should make little difference.

    The question is why is your firewall listing a normal DNS response as an invasive port scan? What ports?

    It sounds like you need to talk to somebody different at your ISP's NOC.

    http://www.isaserver.org/
     
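The resolution chain Bitbyter lays out above (client lists its own AD DNS server first; that server answers from its own zone or hands everything else to a forwarder, which is the ISP) is easy to get wrong in exactly the way the ISP was asking for. The Python below is an added model written for this page, not code from the thread or from Windows; the server names (dc1, isp-dns), the zone corp.lan and every address are constructed. It encodes the one rule that matters here, as Bitbyter states it: a client moves to the next listed server only when the current one does not answer at all, and a negative answer from a server that did answer is final.

```python
"""Model of the resolution chain from the thread: client -> first listed
DNS server -> (own zone | forwarder -> ISP resolver).  All names, zones
and addresses below are constructed for the example."""
from dataclasses import dataclass, field

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3   # DNS RCODEs (RFC 1035)
NO_ANSWER = "no-answer"                  # server down / query timed out


@dataclass
class DnsServer:
    name: str
    records: dict                # fqdn -> IPv4, the server's own data
    zones: list = field(default_factory=list)       # zones it is authoritative for
    forwarders: list = field(default_factory=list)  # "Enable Forwarders" list, in order
    recursive: bool = False      # True for an ISP resolver that can find any public name
    up: bool = True

    def query(self, fqdn):
        if not self.up:
            return NO_ANSWER, None
        fqdn = fqdn.lower().rstrip(".")
        if fqdn in self.records:
            return NOERROR, self.records[fqdn]
        # in one of our zones but not listed: an authoritative negative answer
        if any(fqdn == z or fqdn.endswith("." + z) for z in self.zones):
            return NXDOMAIN, None
        # not ours: hand it to the forwarders, trying the next one only on no answer
        for fw in self.forwarders:
            rcode, ip = fw.query(fqdn)
            if rcode != NO_ANSWER:
                return rcode, ip
        # a public resolver that knows nothing about the name: it does not exist
        if self.recursive:
            return NXDOMAIN, None
        # no forwarder answered (this model has no root hints to fall back on)
        return SERVFAIL, None


def resolve(server_list, fqdn):
    """Client behaviour as described in the thread: use the first listed
    server; move to the next one only if it does not answer at all.  A
    negative answer (NXDOMAIN) from a server that did answer is final."""
    for srv in server_list:
        rcode, ip = srv.query(fqdn)
        if rcode != NO_ANSWER:
            return srv.name, rcode, ip
    return None, NO_ANSWER, None


# constructed topology: one ISP resolver, one AD DNS server forwarding to it
ISP = DnsServer("isp-dns", {"www.example.com": "198.51.100.10"}, recursive=True)
DC1 = DnsServer("dc1", {"dc1.corp.lan": "10.0.0.5", "fs01.corp.lan": "10.0.0.20"},
                zones=["corp.lan"], forwarders=[ISP])

AD_FIRST = [DC1, ISP]    # Sue's layout: own DNS preferred, ISP only as a fallback
ISP_FIRST = [ISP, DC1]   # what the ISP asked for

if __name__ == "__main__":
    for label, servers in (("AD first", AD_FIRST), ("ISP first", ISP_FIRST)):
        for name in ("fs01.corp.lan", "www.example.com", "nope.corp.lan"):
            print(label, name, resolve(servers, name))
```

With the ISP listed first, a lookup for an internal AD name gets NXDOMAIN from the ISP and stops there; the DC is never asked, because it was only ever a fallback for a server that does not answer. With the DC first, internal names come from its zone, public names come back through the forwarder, and the ISP entry is only used when the DC is actually down.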
  #5  2003/05/29  Sue (thread starter)
    The port is 53. The "all port scan" attacks show up at random intervals. It can be anywhere from 4 hours to 5 minutes. For the last month it has been approx. every 6 minutes.

    Are these port scans consuming a lot of my bandwidth? I have 1 T1 line.

    I only have 1 DNS server and it has forwarding enabled.
  #6  2003/05/29  Newt
    Bitbyter said it. Your DNS server is supposed to listen on TCP & maybe UDP port 53. And if it listens there, others should be sending queries to that port. So the behavior is normal and the odd part is your software alerting on it as something bad when the ISP's DNS server sends a legit packet to yours.

    I suppose if you listed the ISP's DNS as primary no one would want to talk to your DNS server and the traffic would cease but I like the way you are configured.

    As to bandwidth use - the packets should be very small, polite ones and a T1 should barely notice the traffic.
  #7  2003/05/30  Bitbyter
    In a W2K domain, W2K and WXP stations will register their addresses in DNS. If your ISP DNS servers are listed as primary on any of those stations, your ISP gets the registration attempt. This probably gets forwarded to an authoritative DNS server that sends back a response along the lines of "I don't know who you are, bad boy." Perhaps this is what is being interpreted as a bogus packet by your firewall. Your ISP probably doesn't appreciate these exchanges.

    This probably happens quicker if you are not using a public (registered) FQDN for your LAN (inside your firewall and not in a DMZ.) Using NAT and static mapping on your router, you should not need a publicly registered domain name for nodes on your LAN, even if they offer public services. Just as you would use private IP addressing (ten-dots and such) on your LAN, you can use a fictitious domain name for your LAN without any reduction in service provided (depending on routing capabilities -- we're presuming a router that has the capability of mapping an external IP address to an internal IP address, or mapping specific ports to a specific internal IP address and port.) An example of this would be YOURNAME.LAN. Because all local FQDNs will be resolved by the listings in the forward lookup zone, no attempt to find a LAN root server will be made. Because LAN is not a valid top level domain, there will be no conflict for non-local domain name resolution requests.

    If you are using DHCP, you should not be delivering your ISP DNS server addresses to requesting nodes. If you have machines that are using fixed IP addresses manually configured or not assigned according to MAC address from your DHCP server, you should check those stations to see if they have YOUR DNS server listed as primary. We're presuming that you do not have pooled floating IP addresses for at least servers and maybe some dedicated communications clients. The only nodes needing public domain names declared in configuration are those in your DMZ.
     
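Bitbyter's point above is that a W2K/XP station registers itself by sending a DNS dynamic update, and that a station pointed at the ISP's resolver sends that update to a server that is not authoritative for the zone and gets a rejection back. The Python below is an added wire-format illustration written for this page, not code from the thread or from Windows: it builds a minimal RFC 2136 UPDATE message (one A record, no prerequisites, no signature) and parses the header of the reply. The zone corp.lan, the host ws17 and the address are constructed, and the replies are simulated rather than received from a server; per RFC 2136 a server that is not authoritative for the zone answers NOTAUTH (RCODE 9), and many public resolvers simply answer REFUSED (RCODE 5). A real Windows registration also carries prerequisite records and may be a signed (secure) update, which this block leaves out.

```python
"""Wire-format model of the registration attempt described in the thread:
a station sends an RFC 2136 dynamic UPDATE for its own A record.  The
zone, host and address are constructed for the example; the replies are
simulated (no server is contacted)."""
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
          10: "NOTZONE"}


def encode_name(name):
    """DNS wire encoding: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_update(msg_id, zone, host_fqdn, ipv4, ttl=1200):
    """UPDATE message adding one A record (no prerequisites, no TSIG)."""
    rdata = bytes(int(o) for o in ipv4.split("."))
    if len(rdata) != 4:
        raise ValueError("bad IPv4 %r" % ipv4)
    flags = OPCODE_UPDATE << 11                      # QR=0, opcode 5, RCODE 0
    # counts: 1 zone, 0 prerequisites, 1 update RR, 0 additional
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    update_rr = (encode_name(host_fqdn)
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + update_rr


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a client cares about."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {"id": msg_id, "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
            "rcode": rcode, "rcode_name": RCODES.get(rcode, "RCODE%d" % rcode),
            "counts": (zo, pr, up, ad)}


def simulated_reply(update, rcode):
    """Shape of a real UPDATE response (RFC 2136 section 3.8): the request
    header with QR set and RCODE filled in, zone section echoed back."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", update[:12])
    flags = ((flags | 0x8000) & ~0xF) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, zo, pr, up, ad) + update[12:]


def classify(reply, expected_id):
    """What the station (or someone reading the firewall log) makes of it."""
    h = parse_header(reply)
    if h["id"] != expected_id or not h["qr"] or h["opcode"] != OPCODE_UPDATE:
        return "not a reply to our UPDATE"
    return "registered" if h["rcode"] == 0 else "rejected: " + h["rcode_name"]


# constructed registration: ws17 wants its A record added to corp.lan
UPDATE = build_update(0x1234, "corp.lan", "ws17.corp.lan", "10.0.0.117")

if __name__ == "__main__":
    print("sent by the AD DNS server:   ", classify(simulated_reply(UPDATE, 0), 0x1234))
    print("sent by a non-authoritative: ", classify(simulated_reply(UPDATE, 9), 0x1234))
    print("sent by a public resolver:   ", classify(simulated_reply(UPDATE, 5), 0x1234))
```

The reply packet in every case is a UDP datagram from source port 53 on the remote server back to the station; its only distinguishing feature is the RCODE in the header, which is why a firewall that does not correlate replies to the request that caused them can log a perfectly normal rejection as hostile traffic.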
  #8  2003/05/30  Sue (thread starter)
    All of the servers have static IPs in DNS.

    All of the workstations are leasing DHCP (changing to reservations this month).

    All list the primary DNS as my DNS server's IP.

    My ISP has never complained about problems. I keep asking questions of them because I am getting an all-port scan from their IP address. They have never said a word.
  #9  2003/05/30  Bitbyter
    They probably don't look for it (the bogus traffic.) It's probably an inconsequential blip in their traffic. They're probably more interested in what happens on the non-DNS ports on their servers. Their not being happy with the registration traffic was a theoretical or metaphysical statement.

    Do you have any method of inspecting the incoming packet that causes the firewall to report? Content might be revealing. You should probably refrain from posting any such content here. The non-specific contents should be enough, perhaps, to reveal what is going on.

    Perhaps the previous reference to using the ISP DNS servers, by the ISP, was not only for resolution of public domain names, but also for listing your public domain names. I'm pretty sure they don't care whether it looks like one node in your domain is, or many nodes from your domain are, making DNS requests--the volume is the same for them either way.
  #10  2003/05/30  Sue (thread starter)
    I am having a company come in and put an analyser on. Hopefully that will give me some answers.

    Thanks for your help.
  #11  2003/05/30  Bitbyter
    Sure. :)

    It would be interesting to hear what the analysis reveals.
  #12  2003/06/02  Sue (thread starter)
    It may be a week or two, but I will let you know.

    Thanks for your help.