Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

Slow DNS = Slow Proxy (or: How To Skip Name Resolution)

Today’s tip: When your rules require any degree of name resolution (which typically means that an access, routing or publishing rule is filtered by some kind of computer or domain set), you’re a slave to the speed of DNS’ response, at least until the response is cached.

ISA Server 2000 and ISA Server 2004 require DNS resolution for any rules that contain a specific destination set – whether a reverse lookup to work out where a SecureNAT client is trying to go (IP -> Name), or a forward lookup to work out where a Web Proxy client is trying to go (Name -> IP), or some other mix.

Inside a corporate network, it’s even money whether hosts can do Internet name resolution, and if your ISA box doesn’t have a direct line to the Internet, it’ll typically be reliant on your corporate DNS infrastructure.

And if your only source of DNS cheerfully (or worse, slowly and falteringly) answers “nope, never heard of him” about a given domain name, browsing to that domain is going to suck.

Just Skip It, Barry

If DNS and/or reliable enforcement of access policy isn’t your problem (using this setting, you’re essentially abdicating control of your access policy to the next hop in the chain – if you don’t want to do that, you need to ensure ISA can do DNS quickly and properly), you can use the SkipNameResolutionForAccessAndRoutingRules property for your respective version of ISA Server, which somewhat predictably tells ISA to skip name resolution for access rules and routing rules.

ISA 2000: 292018 Slow Response from Downstream ISA Server Using Web Proxy Chaining;EN-US;292018

ISA 2004: 891244 How to configure Internet Security and Acceleration Server 2004 to skip name resolution in a Web proxy chaining configuration;EN-US;891244