Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Tue Jul 20, 2010 1:08 am Post subject: Re: Firewall and Internet Access
From what I understand, when we request a page we don't need to connect to our own DNS, is that right?
When you request a page you need to connect to a DNS resolver. The client OSes typically don't implement their own recursive resolving; instead, they rely on you specifying the IP of a DNS server configured to perform recursive queries.
Assuming a Windows OS, this is what you would specify in the network connection's TCP/IP properties, where it says "DNS servers" or something similar. On a GNU/Linux OS, you would configure this in the /etc/resolv.conf file (assuming your system uses the BIND resolver library, which is almost always the case).
You didn't specify if your DNS server is an authoritative one, a recursive one, or both. Also, you didn't specify which DNS resolver the clients were configured to use. I'll assume it's configured to perform recursive queries, and that the clients are using that server as their resolver, since that fits with your description of the problem.
Allowing the DNS server to connect to external IPs through the DNS port should be sufficient for it to work properly... exactly how did you specify the rule? Are you allowing connections from your DNS server to the outside, to port 53 via UDP and TCP? You need to allow both UDP and TCP.
Also, as a final note, if the clients are indeed using your DNS server as a resolver, then there is no need to allow the clients to connect to outbound DNS -- they will only need to connect to your internal DNS server.
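To make the rule set described above concrete, here is an added example (not from any poster in this thread, and not tied to ISA Server or any particular firewall product): a small Python model of the egress policy, evaluated against the flows a resolver setup generates. All addresses (192.168.1.0/24 for the LAN, 192.168.1.2 for the internal DNS server, 198.51.100.53 and 203.0.113.10 as stand-ins for an upstream DNS server and a web server) are constructed for the example. The `dns_tcp_allowed` switch models the half-finished rule the reply warns about: UDP/53 opened for the resolver but TCP/53 forgotten, which breaks lookups whose answers come back truncated and are retried over TCP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Constructed sample addressing (assumptions for this example, not from the thread).
LAN = ip_network("192.168.1.0/24")
INTERNAL_DNS = ip_address("192.168.1.2")
EXTERNAL_DNS = ip_address("198.51.100.53")  # stands in for an upstream/authoritative server
WEB_SERVER = ip_address("203.0.113.10")     # stands in for any external web site


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "udp" or "tcp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    match: Callable[[Flow], bool]


def is_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


def build_policy(dns_tcp_allowed: bool = True) -> List[Rule]:
    """Ordered rule list, first match wins, last rule is the default deny.

    dns_tcp_allowed=False models a rule that opened only UDP/53 for the
    resolver's outbound lookups and forgot TCP/53.
    """
    resolver_protos = {"udp", "tcp"} if dns_tcp_allowed else {"udp"}
    return [
        # The internal resolver may query the outside world on port 53.
        Rule("resolver-egress", "allow",
             lambda f: ip_address(f.src) == INTERNAL_DNS and not is_lan(f.dst)
             and f.proto in resolver_protos and f.dport == 53),
        # Clients only ever talk to the internal resolver for DNS.
        Rule("clients-to-resolver", "allow",
             lambda f: is_lan(f.src) and ip_address(f.dst) == INTERNAL_DNS
             and f.proto in {"udp", "tcp"} and f.dport == 53),
        # Browsing: clients to external web servers on the default ports.
        Rule("clients-web", "allow",
             lambda f: is_lan(f.src) and not is_lan(f.dst)
             and f.proto == "tcp" and f.dport in {80, 443}),
        # Everything else, including clients going directly to external DNS, is dropped.
        Rule("default", "deny", lambda f: True),
    ]


def evaluate(flow: Flow, policy: List[Rule]) -> Tuple[str, str]:
    """Return (action, matching rule name) for a flow."""
    for rule in policy:
        if rule.match(flow):
            return rule.action, rule.name
    raise AssertionError("policy must end with a catch-all rule")


def check_policy(dns_tcp_allowed: bool = True) -> Dict[str, str]:
    """Evaluate the flows a resolver setup produces and return each verdict."""
    policy = build_policy(dns_tcp_allowed)
    flows = {
        "resolver_udp_lookup": Flow(str(INTERNAL_DNS), str(EXTERNAL_DNS), "udp", 53),
        # A truncated UDP answer makes the resolver retry the query over TCP (RFC 1035).
        "resolver_tcp_retry": Flow(str(INTERNAL_DNS), str(EXTERNAL_DNS), "tcp", 53),
        "client_to_resolver": Flow("192.168.1.50", str(INTERNAL_DNS), "udp", 53),
        "client_direct_external_dns": Flow("192.168.1.50", str(EXTERNAL_DNS), "udp", 53),
        "client_https": Flow("192.168.1.50", str(WEB_SERVER), "tcp", 443),
    }
    return {name: evaluate(f, policy)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:28s} {verdict}")
    print("UDP-only DNS rule, TCP retry:",
          check_policy(dns_tcp_allowed=False)["resolver_tcp_retry"])
```

Running it shows the resolver's UDP and TCP lookups and the clients' queries to the internal server allowed, a client's direct query to an outside DNS server denied, and, with the UDP-only variant, the resolver's TCP retry dropped, which is the symptom of a rule that opened only one of the two transports.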
Another problem, though: I find that (and my guess is) the firewall drops a lot of web requests.
I have 16 client computers behind my firewall; when browsing, sometimes the server drops the request and I have to refresh 2-3 times before it appears.
The ports I open for browsing are http and https (default ports).
I thought the problem should be in the TCP request limit (http uses tcp 80), so I set it to a bigger simultaneous request limit, such as 1000/min/client.
It doesn't change much.
Does it have a connection with my DNS server, such that it needs a lot of resources and TCP requests since it is used as a resolver by many client computers, but due to the low TCP request limit it keeps dropping the requests? Is it possible?
Firewall -- Win Server 2003 with ISA Server 2006
Client -- Windows XP mostly
DNS -- Win Server 2003