Microsoft KB Archive/255183

-

The information in this article applies to:


 * Microsoft Windows NT Server version 4.0

-

SYMPTOMS
Your Domain Name System (DNS) server is unable to resolve some domain names across a firewall.

CAUSE
This behavior can occur when the DNS server sits behind a server running CheckPoint's Firewall-1 (or another third-party firewall product). If the internal DNS server is configured for load balancing, the Internet Protocol (IP) address of the server that answers a query may be different from the address of the server the query is sent to. When an internal DNS server sends a query to a DNS server and the reply arrives with a source address that is different from the destination address of the query, the firewall does not match the reply to the outbound query and drops the packet.

RESOLUTION
To work around this behavior, use one of the following two options:


 * On the DNS server that is unable to resolve names, add the IP address of an external DNS server on the Forwarders tab of the Server Properties dialog box. With a forwarder configured, the internal DNS server sends a recursive query to that external DNS server, so the answer always comes back from the same DNS server the query was sent to.
 * Set a rule on the firewall to allow any inbound traffic over Transmission Control Protocol (TCP) Port 53 destined to the IP address of the internal Microsoft DNS server. With this rule in place, the firewall does not drop the replies even though they come from a different source than the one the query was sent to.
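The following simulation, added here as an illustration and not code from the article or from Firewall-1, models why the reply is dropped and how each of the two workarounds changes the outcome. It builds real 12-byte DNS headers, keeps a stateful-firewall flow table keyed on the outbound query's addresses and ports, and admits a reply only when it matches a recorded flow (or a static inbound allow rule). All IP addresses are constructed, the model ignores the transport protocol, and it assumes, as the article's port-53 rule implies, that the internal DNS server sources its queries from port 53.

```python
"""Model of the firewall behaviour described in KB 255183 (constructed example)."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

# Constructed addresses; none of these come from the article.
INTERNAL_DNS = "10.0.0.53"   # internal Microsoft DNS server behind the firewall
EXTERNAL_A = "192.0.2.10"    # load-balanced external DNS node the query is sent to
EXTERNAL_B = "192.0.2.11"    # second node of the same service that actually answers
FORWARDER = "192.0.2.20"     # single external DNS server used as a forwarder
DNS_PORT = 53                # assumption: the internal server also sends from port 53


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def build_dns_header(txid: int, response: bool) -> bytes:
    """Build a DNS header: RD set for a query, QR|RD|RA set for a reply."""
    flags = 0x8180 if response else 0x0100
    qdcount, ancount = 1, (1 if response else 0)
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def parse_dns_header(payload: bytes) -> tuple[int, bool]:
    """Return (transaction id, QR bit) from the first four header bytes."""
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)


@dataclass
class StatefulFirewall:
    """Replies pass only if they reverse a recorded outbound flow with the
    same transaction id, unless a static inbound rule allows the destination."""
    inbound_allow: set[tuple[str, int]] = field(default_factory=set)
    flows: dict[tuple[str, int, str, int], int] = field(default_factory=dict)
    dropped: list[str] = field(default_factory=list)

    def outbound(self, pkt: Packet) -> None:
        txid, _ = parse_dns_header(pkt.payload)
        self.flows[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = txid

    def inbound(self, pkt: Packet) -> bool:
        # Static rule: state matching is bypassed for this ip/port entirely,
        # so validating the reply's transaction id is left to the DNS server.
        if (pkt.dst_ip, pkt.dst_port) in self.inbound_allow:
            return True
        txid, is_response = parse_dns_header(pkt.payload)
        reverse_key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if is_response and self.flows.get(reverse_key) == txid:
            return True
        self.dropped.append(f"reply from {pkt.src_ip} matches no outbound flow")
        return False


def resolve_via(fw: StatefulFirewall, queried: str, answering: str,
                txid: int = 0x1234) -> bool:
    """Send one query from the internal DNS server and deliver the reply
    from `answering`; return whether the firewall admitted the reply."""
    query = Packet(INTERNAL_DNS, DNS_PORT, queried, DNS_PORT,
                   build_dns_header(txid, response=False))
    fw.outbound(query)
    reply = Packet(answering, DNS_PORT, INTERNAL_DNS, DNS_PORT,
                   build_dns_header(txid, response=True))
    return fw.inbound(reply)


def scenario_load_balanced() -> bool:
    """The symptom: query goes to node A, node B answers, reply is dropped."""
    return resolve_via(StatefulFirewall(), EXTERNAL_A, EXTERNAL_B)


def scenario_forwarder() -> bool:
    """Workaround 1: a single forwarder answers from the queried address."""
    return resolve_via(StatefulFirewall(), FORWARDER, FORWARDER)


def scenario_inbound_rule() -> bool:
    """Workaround 2: static inbound rule for port 53 on the internal server."""
    fw = StatefulFirewall(inbound_allow={(INTERNAL_DNS, DNS_PORT)})
    return resolve_via(fw, EXTERNAL_A, EXTERNAL_B)


if __name__ == "__main__":
    print("load balanced, no workaround:", scenario_load_balanced())
    print("forwarder configured:        ", scenario_forwarder())
    print("inbound port-53 rule:        ", scenario_inbound_rule())
```

The model makes the trade-off between the two workarounds visible: the forwarder keeps the firewall's reply-to-query matching intact, while the static rule removes that matching for the internal server's port 53, so the DNS server alone is left to check that an inbound packet answers a query it actually sent.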

Additional query words:

Keywords :

Version : winnt:4.0

Platform : winnt

Issue type : kbprb