Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

Slow DNS = Slow Proxy (or: How To Skip Name Resolution)


Today's tip: When your rules require any degree of name resolution (which typically means that an access, routing or publishing rule is filtered by some kind of computer or domain set), you're a slave to the speed of DNS' response, at least until the response is cached.

ISA Server 2000 and ISA Server 2004 require DNS resolution for any rules that contain a specific destination set - whether a reverse lookup to work out where a SecureNAT client is trying to go (IP -> Name), or a forward lookup to work out where a Web Proxy client is trying to go (Name -> IP), or some other mix.

Inside a corporate network, it's even money whether hosts can do Internet name resolution, and if your ISA box doesn't have a direct line to the Internet, it'll typically be reliant on your corporate DNS infrastructure.

And if your only source of DNS cheerfully (or worse, slowly and falteringly) answers "nope, never heard of him" about a given domain name, browsing to that domain is going to suck.

Just Skip It, Barry

If DNS and/or reliable enforcement of access policy isn't your problem, you can use the SkipNameResolutionForAccessAndRoutingRules property for your respective version of ISA Server, which somewhat predictably tells ISA to skip name resolution for access rules and routing rules. Be clear about the trade-off: using this setting, you're essentially abdicating control of your access policy to the next hop in the chain. If you don't want to do that, you need to ensure ISA can do DNS quickly and properly.

ISA 2000: 292018 Slow Response from Downstream ISA Server Using Web Proxy Chaining
http://support.microsoft.com/default.aspx?scid=kb;EN-US;292018

ISA 2004: 891244 How to configure Internet Security and Acceleration Server 2004 to skip name resolution in a Web proxy chaining configuration
http://support.microsoft.com/default.aspx?scid=kb;EN-US;891244
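
Before skipping name resolution, it is worth measuring whether DNS really is the bottleneck. The script below is an added example, not code from this post or the KB articles: run on the proxy box, it times each forward and reverse lookup twice and counts failed lookups too. The 500 ms threshold, the function names and the default targets are assumptions.

```python
import socket
import sys
import time

SLOW_MS = 500.0  # assumed threshold for "slow"; tune for your environment

def forward(name):
    """Name -> IP, the lookup needed for a Web Proxy client request."""
    return socket.gethostbyname(name)

def reverse(ip):
    """IP -> name, the lookup needed for a SecureNAT client request."""
    return socket.gethostbyaddr(ip)[0]

def time_lookup(target, resolve, clock=time.perf_counter):
    """Time one lookup. Failures are timed too: a slow "no such host"
    stalls rule evaluation just as much as a slow answer."""
    start = clock()
    try:
        answer, ok = resolve(target), True
    except OSError as exc:  # gaierror and herror both derive from OSError
        answer, ok = str(exc), False
    ms = (clock() - start) * 1000.0
    return {"target": target, "ok": ok, "answer": answer,
            "ms": ms, "slow": ms >= SLOW_MS}

def survey(names, ips, fwd=forward, rev=reverse, clock=time.perf_counter):
    """Look each target up twice; the repeat shows the cost once a
    resolver cache (if one is in play) already holds the answer."""
    rows = []
    for kind, targets, fn in (("forward", names, fwd), ("reverse", ips, rev)):
        for target in targets:
            first = time_lookup(target, fn, clock)
            repeat = time_lookup(target, fn, clock)
            rows.append({"kind": kind, "first": first, "repeat": repeat})
    return rows

if __name__ == "__main__":
    # Defaults resolve offline; pass real names and IPv4 addresses as arguments.
    args = sys.argv[1:] or ["localhost", "127.0.0.1"]
    ips = [a for a in args if a.replace(".", "").isdigit()]  # crude IPv4 test
    names = [a for a in args if a not in ips]
    for row in survey(names, ips):
        f, r = row["first"], row["repeat"]
        flag = "SLOW" if f["slow"] else "ok"
        print(f'{row["kind"]:8}{f["target"]:28}{f["ms"]:9.1f} ms  '
              f'repeat {r["ms"]:7.1f} ms  {flag}  {f["answer"]}')
```

A first lookup that is slow or fails slowly, followed by a fast repeat, matches the "until the response is cached" behaviour described at the top of the post.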

 

Comments
  • If elected I solemnly promise no further technical content until FY07.
