Planning for DNS name resolution
One of the most common issues facing administrators who deploy Microsoft Forefront Threat Management Gateway is how to configure Forefront TMG to resolve Domain Name System (DNS) requests. If DNS is configured incorrectly, the Forefront TMG computer fails to resolve either internal names or external names. Name resolution problems can be intermittent and difficult to track down, and their symptoms range from e-mail messages not being transmitted to users being unable to access the Internet through the Web proxy.
The DNS setting referred to in this document is under the advanced properties for TCP/IP for each individual network adapter on the Forefront TMG computer.
This document describes various Forefront TMG scenarios, details how to set up Forefront TMG for DNS for each scenario, and explains why each configuration is needed. It covers the simplest configuration, a single-homed Forefront TMG computer in a workgroup scenario, and also describes a complex scenario, that of a multi-homed Forefront TMG computer that is a domain member.
There are two rules to remember when setting up DNS on Forefront TMG. These rules apply to any Windows-based DNS configuration:
- No matter how many network adapters you have on the computer, only assign DNS servers to a single network adapter (it does not matter which one). There is no need to set up DNS on all network adapters.
- Always point DNS to either internal servers or external servers, never to both.
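The following script is an added example, not part of the Forefront TMG documentation: it audits the DNS client settings of every IP-enabled adapter on the TMG computer against the two rules above. It assumes an elevated PowerShell session on the TMG host and approximates "internal" as RFC 1918 address space; adjust $InternalPrefixes if your Internal network uses other ranges.

```powershell
# Added example, not part of the Forefront TMG documentation: audit the DNS
# client settings of every IP-enabled adapter against the two rules above.
# Assumptions: elevated PowerShell session on the TMG host; "internal" is
# approximated as RFC 1918 space, so adjust $InternalPrefixes as needed.

$InternalPrefixes = @('10.', '192.168.') + (16..31 | ForEach-Object { "172.$_." })

function Test-InternalAddress([string]$Address) {
    foreach ($prefix in $InternalPrefixes) {
        if ($Address.StartsWith($prefix)) { return $true }
    }
    return $false
}

# Win32_NetworkAdapterConfiguration exists on Windows Server 2008/2008 R2,
# the platforms Forefront TMG runs on.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$adaptersWithDns = @()
foreach ($adapter in $adapters) {
    $servers = @($adapter.DNSServerSearchOrder | Where-Object { $_ })
    $shown = if ($servers.Count -gt 0) { $servers -join ', ' } else { '<none>' }
    Write-Host ("{0}: DNS servers = {1}" -f $adapter.Description, $shown)
    if ($servers.Count -gt 0) {
        $adaptersWithDns += ,@{ Name = $adapter.Description; Servers = $servers }
    }
}

# Rule 1: only one adapter should carry DNS server entries.
if ($adaptersWithDns.Count -gt 1) {
    Write-Warning ("Rule 1 violated: {0} adapters have DNS servers configured ({1})" -f `
        $adaptersWithDns.Count, (($adaptersWithDns | ForEach-Object { $_.Name }) -join '; '))
}

# Rule 2: the configured servers must be all internal or all external.
$allServers = @($adaptersWithDns | ForEach-Object { $_.Servers })
$internal = @($allServers | Where-Object { Test-InternalAddress $_ })
$external = @($allServers | Where-Object { -not (Test-InternalAddress $_) })
$mixed = ($internal.Count -gt 0 -and $external.Count -gt 0)
if ($mixed) {
    Write-Warning ("Rule 2 violated: internal ({0}) and external ({1}) DNS servers are mixed" -f `
        ($internal -join ', '), ($external -join ', '))
}
if ($adaptersWithDns.Count -eq 1 -and -not $mixed) {
    Write-Host 'DNS client configuration follows both rules.'
}
```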
Multi-homed Forefront TMG computers have DNS settings on both the external and the internal network adapters. Depending on the situation, Forefront TMG will fail if these settings are not configured correctly.
There are several ways to correctly configure DNS, depending on the requirements of the Internal network.
Forefront TMG computers that are not domain members should be set up just like a Forefront TMG computer with one network adapter. If you have an internal DNS zone that you need to resolve, you should point DNS to a DNS server in the Internal network. The internal DNS server then forwards name resolution requests to your ISP’s DNS servers in the External network or uses root hints to forward them to root DNS servers for name resolution.
Domain member computer with full internal resolution
This is the most common setup. Multi-homed Forefront TMG computers that are domain members must point a single network adapter only to internal DNS servers, because the computer must participate in the domain. The internal DNS servers need to forward name resolution requests to the ISP’s DNS servers in the External network or to root DNS servers. This allows internal clients to resolve both internal host names and host names on the Internet.
Isolating internal DNS servers
Another common scenario is where the internal DNS servers do not forward DNS queries to the Internet at all. This prevents both the internal DNS servers and clients who use them from resolving names on the Internet.
The Forefront TMG computer should not point to the internal DNS servers for name resolution but still has to resolve both internal and external DNS names. Set up another DNS server on the Forefront TMG computer itself, or designate a DNS server internally that is dedicated to resolving both internal and external DNS names.
On this new DNS server, set up a secondary zone for your internal DNS namespace and then configure the DNS server to forward requests to root DNS servers or the ISP’s DNS servers for name resolution.
This solution effectively isolates the intranet namespace and eliminates cache pollution and poisoning issues on the internal DNS servers.
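The commands below are an added example, not from the Forefront TMG documentation, showing how the dedicated DNS server for this isolated-namespace scenario can be set up with dnscmd (included with the DNS Server role on Windows Server 2008/2008 R2). The values are placeholders: corp.example.com is the internal namespace, 10.0.0.10 an authoritative internal DNS server, and 203.0.113.53 / 198.51.100.53 the ISP's DNS servers.

```powershell
# Added example, not from the TMG documentation. Placeholder values:
# corp.example.com = internal namespace, 10.0.0.10 = internal DNS server,
# 203.0.113.53 / 198.51.100.53 = the ISP's DNS servers.

# Secondary copy of the internal zone, transferred from the internal DNS server
# (the internal server must allow zone transfers to this host).
dnscmd . /ZoneAdd corp.example.com /Secondary 10.0.0.10

# Every name outside the secondary zone goes to the ISP's resolvers, so the
# internal DNS servers never see Internet queries and stay isolated.
dnscmd . /ResetForwarders 203.0.113.53 198.51.100.53

# Verify: the zone is listed, then an internal and an external name both
# resolve through this server (127.0.0.1 when it runs on the TMG host itself).
dnscmd . /EnumZones
nslookup mail.corp.example.com 127.0.0.1
nslookup www.microsoft.com 127.0.0.1
```

The DNS setting on the single Forefront TMG network adapter then points to this server alone, as the two rules above require.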
Single Network Adapter Scenarios
In this section, Forefront TMG is set up with one network adapter and can only function as a Web proxy and a caching server.
Workgroup computer with no internal DNS server
The Forefront TMG computer is not a member of a domain, and there is no internal DNS server. Point DNS queries to the ISP’s DNS servers in the External network.
Workgroup computer with an internal DNS server
A stand-alone Forefront TMG computer that is not a member of a domain, where an internal DNS server exists, should point to the internal DNS server to resolve internal names and should NOT point to a DNS server of the ISP in the External network as a secondary server. The internal DNS server should use forwarders to point to the ISP’s DNS servers in the External network or should forward the requests to root DNS servers (using root hints) so that the Forefront TMG computer can resolve external names. If the Forefront TMG computer does not need to resolve internal DNS names at all, it can safely point to the ISP’s DNS servers.
Q: Why can’t I point to the Windows DNS first, and then to the ISP's DNS server?
A: A common misconception is that you achieve fault tolerance by pointing to the Windows domain DNS server first and then to the ISP’s DNS server. The problem is that if the first DNS server fails, Forefront TMG switches to the second DNS server and never goes back to the original unless the second DNS server also fails. DNS works until you bring down the internal DNS server for maintenance; a few hours later no one can access the Internet, because users can no longer be validated against the domain. Restarting the Forefront TMG computer solves this problem.
Q: Why not point the external Forefront TMG network adapter to the ISP for DNS?
A: The problem here is that Forefront TMG does not know what is internal or external when trying to resolve names. This means Forefront TMG can end up trying to resolve internal names to the external ISP. Once it receives “name not found”, the Forefront TMG computer will not look for the internal name again, and you will fail to participate in the domain.