Error Code 11001: Host not found

    Question

  • I have ISA 2006; it has 2 interfaces (Internal + DMZ), and I have applied 2 rules:

    1- Allow Internal and Local Host to External, all protocols, for all users

    2- Allow my internal DNS to query DNS from my ISP DNS (I have set up a computer set for the ISP DNS servers, and another one for my internal DNS servers)

    But the problem is that some websites like microsoft.com can't be opened, with this error:

    Error Code 11001: Host not found
    Background: This error indicates that the gateway could not find the IP
    address of the website you are trying to access. This is usually due to a
    DNS-related error.
    Source: DNS error
    Error Code 11001: Host not found

    I can't open this website on the ISA server either!! But I can access it if I specify the IP address of microsoft.com.

    Any idea why this is happening? Do I need to apply any rule?

    Thursday, January 20, 2011 5:55 AM

Answers

  • Hi,

    Thank you for the post.

    “allow internal and local host to external , all protocols , for all users” - it is not recommended to create a “4 all” rule in a production environment. You may allow the HTTP/HTTPS protocols from Internal to External for certain users or a group.

    “allow my internal DNS to query DNS from my ISP DNS ( I have setup a computer set for ISP dns servers , and another one for my internal DNS servers)” - on the Access Rule Destinations page, please add the External entry and see if it works.

    Regards,


    Nick Gu - MSFT
    Friday, January 21, 2011 5:26 AM
    Moderator

All replies

  • Hi Ahmed

    Have you specified DNS servers on both the DMZ and Internal NICs?
    Only specify the internal DNS server on the Internal NIC and leave it empty on the DMZ.
    Check the binding order of the NICs, with the Internal NIC on top.

    Another big problem: when you specify rules for all traffic from the ISA server (Local Host) and Internal to External, your ISA firewall becomes a normal Windows server.
    There is already a system policy that allows DNS requests from the ISA server to all networks.

    For the DNS traffic from the internal DNS servers, only specify a rule for a computer set of your internal DNS servers' IP addresses to External (or your ISP DNS, if you use them as DNS forwarders).

    I hope this helps, and if not, please give us more information about your network/NIC configuration and DNS infrastructure.
    Best regards,

    Anders

    Thursday, January 20, 2011 8:08 AM
  • On the DMZ I did not specify any DNS server, and on the Internal I have specified the internal DNS servers.

    My Internal NIC is on the top and the DMZ second.

    This is my NIC config:

    Ethernet adapter DMZ:

       Connection-specific DNS Suffix  . :
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 172.16.100.4
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.16.100.1

    Ethernet adapter Internal:

       Connection-specific DNS Suffix  . :
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . : 172.16.2.5
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 172.16.2.12
                                           172.16.2.20

     

    On the allow-all-traffic rule, I have removed Local Host and kept only Internal to External, for all users.

    On the DNS rule, I already added one computer set that contains my DNS servers, and another one for my ISP DNS.

    Still it is not working!!

    What else can I do to find out what the problem really is?


    Thursday, January 20, 2011 9:49 AM
  • Hello,

    Can you please run "nslookup microsoft.com" (or any other site that fails) in a command prompt and post the result?

    Also, when running nslookup, can you monitor the ISA log and post the relevant line?

    Thanks,


    Alex Zvansky TMG Product Group
    Thursday, January 20, 2011 12:33 PM
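Alex's request to run nslookup, and Anders's and Nick's point that the internal DNS servers need their own narrow rule to reach External (or the ISP DNS), both come down to asking each resolver directly what it returns. The following is an added example, not code from this thread or from ISA/TMG: a small Python 3 DNS client that sends an A query to a chosen server and decodes the RCODE of the reply, so that "the name does not exist" (NXDOMAIN) can be told apart from "the resolver could not answer" (SERVFAIL, which is what a forwarder typically returns when its upstream queries are blocked) and from no reply at all (timeout). The gateway's 11001 error page does not make that distinction; the raw reply does. The default server addresses in the usage line are the internal DNS servers from the ipconfig output above; the ISP DNS addresses are not given on the page, so pass them on the command line. The sample replies at the bottom are constructed for offline demonstration and use a TEST-NET address, not a real microsoft.com answer.

```python
"""Ask a specific DNS server for an A record and report the reply's RCODE.

Added example for the thread above; not part of ISA Server or the original post.
Usage:  python dnscheck.py microsoft.com [server ...]
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, txid=None):
    """Return (txid, wire bytes) for a recursive A/IN query of `name`."""
    if txid is None:
        txid = random.randrange(0x10000)
    # Header: ID, flags (RD=1 so the server recurses/forwards), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, off):
    """Decode a possibly compressed name starting at `off`; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        ln = data[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the message
            ptr = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(data, expected_txid):
    """Return {'rcode': str, 'addresses': [dotted quads]} from a raw DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch; reply is not for our query")
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": rcode, "addresses": addrs}


def query(server, name, timeout=3.0):
    """Send the query over UDP/53 to `server`; a dropped/blocked path shows up as TIMEOUT."""
    txid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"rcode": "TIMEOUT", "addresses": []}
    return parse_response(data, txid)


# Constructed replies (not captured from the poster's network) for offline demonstration.
_, _Q = build_query("microsoft.com", txid=0x1234)
# NOERROR: one A record (192.0.2.10, TEST-NET-1), answer name compressed to offset 12.
SAMPLE_OK = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q[12:]
             + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
# SERVFAIL: the resolver accepted the query but could not get an answer upstream.
SAMPLE_SERVFAIL = struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + _Q[12:]
# NXDOMAIN: the name really does not exist.
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q[12:]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "microsoft.com"
    servers = sys.argv[2:] or ["172.16.2.12", "172.16.2.20"]  # internal DNS from the thread
    for srv in servers:
        print(srv, query(srv, target))
```

Run it on the ISA server against 172.16.2.12 and 172.16.2.20 first. If those return SERVFAIL or TIMEOUT for microsoft.com while the same script run on an internal DNS server against the ISP DNS address returns NOERROR with addresses, the forwarders themselves work and the gap is on the path from the internal DNS computer set to External, which is the rule Nick and Anders asked to check; an NXDOMAIN from every server would instead point at the name, not the firewall.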
  • I have no clue what you wrote or how to implement any changes to fix the problem.
    Tuesday, November 20, 2012 3:49 PM