My basic question is “Why do DNS queries from the TMG server itself first go to the VPN DNS Servers rather than the ISP DNS Server configured on the internal NIC?”
Further details and diagnostics below
I have a TMG Firewall with:
- 3 NICs (Internal, External, DMZ) with a network binding order of:
  - First = Internal
  - External
  - DMZ
  - Last = Remote Access Connections
- a number of PPTP site-to-site VPNs
- the DNS service running with:
  - stub zones to my internal Active Directory DNS domains
  - forwarders set up to my ISP's DNS servers
- the internal NIC has its DNS server set to itself, and all other NICs have blank DNS entries
DHCP is configured so clients set their DNS server to the TMG Server
If I run a network trace on the TMG Server, filtered on (tcp.port == 53 or udp.Port == 53) and (ipv4.address == 10.x.x.x or ipv4.Address == ), and then, for example, ping zzzzz.com from a client that has the Firewall Client enabled, I observe:
- no DNS requests coming from the client, from which I conclude that the DNS requests are going down the Firewall Client control channel
- DNS requests for zzzzz.com going out to all the various site-to-site VPN DNS servers and then eventually to the external ISP DNS server
- after about 12 s, a DNS request from the client directly to TMG, with an immediate response
If I disable the Firewall Client, or do an nslookup directly from the client, then within < 1 second I see:
- a DNS request from the client
- a DNS request and response to the external ISP DNS server
- a DNS response to the client
Which is exactly what I want and would expect!!
Also, if I do an nslookup from the TMG server itself, it first goes to the VPN DNS servers rather than the ISP DNS server configured on the internal NIC.
Note that I know the DNS set-up is not quite as described here http://technet.microsoft.com/en-us/library/cc995245.aspx and I am planning to move over to that DNS architecture. However, I don't think that is the cause of the problem above, and I suspect my issues will remain once I do that, as it fundamentally boils down to the following question:
Why do DNS queries from the TMG server itself first go to the VPN DNS servers rather than the ISP DNS server configured on the internal NIC, and is there a way to stop it happening?
There is a nice TechNet article dedicated to configuring DNS when using a TMG firewall.
http://technet.microsoft.com/en-us/library/cc995245.aspx
Conclusion: forward all DNS requests to a DNS server, and configure that DNS server to forward the remote requests to the DNS server of your ISP.
Use a 'conditional forwarder' to resolve the DNS names behind your site-to-site VPNs.
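The configuration the answer recommends, written out as an added example (this is not code from the question, the answer or the TechNet article). It targets the Windows DNS Server role that the TMG host and its DHCP clients point at, as in the question's set-up: unconditional forwarding goes to the ISP's resolvers only, and each site-to-site VPN gets a conditional forwarder for the zone behind it, so VPN-side DNS servers are only ever asked about their own names. The DnsServer module (Windows Server 2012 or later, or RSAT) is assumed; dnscmd equivalents for older servers are in comments. Every IP address and zone name below is a placeholder.

```powershell
# Added example, not code from the question or the answer above.
# Configures the Windows DNS Server role (the one the TMG host and its DHCP
# clients point at) along the lines of the answer:
#   1. all non-local queries are forwarded to the ISP's resolvers only;
#   2. names behind each site-to-site VPN are handled by a conditional
#      forwarder pointing at that site's DNS server.
# Needs the DnsServer module (Windows Server 2012+ or RSAT) and an elevated
# session. All IP addresses and zone names below are assumed placeholders.
#Requires -RunAsAdministrator
Import-Module DnsServer

$IspResolvers = @('203.0.113.53', '203.0.113.54')   # assumed ISP DNS servers
$RemoteSites  = @{                                  # assumed: zone -> DNS server reached over that VPN
    'branch1.corp.example' = @('10.20.0.10')
    'branch2.corp.example' = @('10.30.0.10')
}

# 1. Forward everything unknown to the ISP and do not fall back to root hints,
#    so a query for an internet name has no reason to be sent down a VPN link.
#    dnscmd equivalent: dnscmd /ResetForwarders 203.0.113.53 203.0.113.54
Set-DnsServerForwarder -IPAddress $IspResolvers -UseRootHint $false -Timeout 3

# 2. One conditional forwarder per remote site. Only queries for names inside
#    these zones go to the VPN-side DNS servers.
#    dnscmd equivalent: dnscmd /ZoneAdd branch1.corp.example /Forwarder 10.20.0.10
foreach ($zone in $RemoteSites.Keys) {
    $masters = $RemoteSites[$zone]
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        # Zone already exists: make sure it points at the right servers.
        Set-DnsServerConditionalForwarderZone -Name $zone -MasterServers $masters
    } else {
        # Stored in a zone file on this server; add -ReplicationScope to store it in AD instead.
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $masters
    }
}

# 3. Checks: list where queries will go, then resolve one internet name and one
#    VPN-side name through this DNS service. -Server 127.0.0.1 forces the query
#    through the local DNS server rather than the NIC's resolver settings.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } |
    Format-Table ZoneName, MasterServers -AutoSize

Resolve-DnsName -Name 'zzzzz.com' -Type A -Server 127.0.0.1 -DnsOnly
$firstZone = $RemoteSites.Keys | Select-Object -First 1
Resolve-DnsName -Name ('dc1.' + $firstZone) -Type A -Server 127.0.0.1 -DnsOnly
```

A port 53 trace on the TMG host, as in the question, shows which upstream each of the two final lookups actually used: the internet name should only ever appear between the server and the ISP resolvers, the remote name only between the server and that site's DNS server. The difference from the stub zones in the question is worth keeping in mind: a stub zone holds the remote zone's NS records and queries whichever authoritative servers it learns from them, whereas a conditional forwarder sends queries for that zone to exactly the servers listed, which is easier to reason about when the remote servers are only reachable across a VPN.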