Forefront TMG relies on the Domain Name System (DNS) for domain name resolution, for both inbound and outbound traffic. This topic is designed to help you plan domain name resolution for Forefront TMG.
When you configure DNS settings on Forefront TMG, follow these guidelines:
- Configure DNS only for a single adapter on the Forefront TMG computer, regardless of the number of network adapters that are installed on the computer.
- The adapter on which you configure DNS must be the topmost adapter in the Forefront TMG Network Adapters list, in the Networks node.
- Wherever possible, configure DNS servers that reside in the internal network. In deployments where Forefront TMG is installed in a workgroup environment, the following exceptions apply:
  - If Forefront TMG is deployed in a network without an internal DNS server, configure the DNS server of the network's Internet service provider (ISP).
  - If Forefront TMG is deployed in a network where the internal DNS server is not connected to the Internet, install an additional, dedicated DNS server in the internal network. This server should query the ISP's DNS server for external name resolution, and the internal DNS for internal name resolution.
Note: You can install the additional DNS server anywhere in the internal network, including on the Forefront TMG computer.
- The internal DNS servers must forward name resolution requests to the ISP's DNS servers in the external network, or to root DNS servers. This allows internal clients to resolve both internal host names and host names on the Internet.
- The DNS servers should use either forwarders or root hints to resolve external names.
- In deployments where Forefront TMG is a domain member, the DNS servers must be in the same domain as Forefront TMG, or in domains with trust relationships with the Forefront TMG domain.
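The script below is an added PowerShell audit of a TMG server against these guidelines; it is not part of the Forefront TMG documentation. It assumes that the TMG Network Adapters list follows the Windows TCP/IP binding order (the `Tcpip\Linkage\Bind` registry value), and the internal address prefix and host names are constructed placeholders to be replaced with your own.

```powershell
# Added audit script (not from the TMG documentation). Assumes the TMG adapter
# list follows the Windows TCP/IP binding order. WMI is used so that the script
# also runs on Windows Server 2008 R2, where the DnsClient cmdlets do not exist.
$InternalPrefix = '10.'               # constructed: address prefix of the internal network
$InternalName   = 'dc01.corp.example' # constructed: a host name only the internal DNS knows
$ExternalName   = 'www.microsoft.com' # a well-known Internet host name

# 1. Guideline: DNS is configured on exactly one IP-enabled adapter.
$cfgs    = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$withDns = @($cfgs | Where-Object { $_.DNSServerSearchOrder })
if ($withDns.Count -ne 1) {
    Write-Warning "DNS is configured on $($withDns.Count) adapters; the guideline is exactly one."
}

# 2. Guideline: that adapter is topmost in the adapter list (assumed = binding order).
#    Bind is a REG_MULTI_SZ of '\Device\{GUID}' entries; SettingID is the adapter GUID.
$bind  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
$first = (@($bind) | Select-Object -First 1) -replace '^\\Device\\', ''
foreach ($c in $withDns) {
    if ($c.SettingID -ne $first) {
        Write-Warning "Adapter '$($c.Description)' has DNS but is not first in the binding order."
    }
}

# 3. Guideline: the configured DNS servers reside in the internal network
#    (an external address is acceptable only under the workgroup/ISP exception).
foreach ($c in $withDns) {
    foreach ($srv in $c.DNSServerSearchOrder) {
        if (-not $srv.StartsWith($InternalPrefix)) {
            Write-Warning "DNS server $srv is outside the internal range $InternalPrefix*."
        }
    }
}

# 4. Guideline: internal and Internet names both resolve, which requires the
#    internal DNS to forward (or use root hints) for external names.
foreach ($name in @($InternalName, $ExternalName)) {
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1
        Write-Output "$name -> $($addr.IPAddressToString)"
    } catch {
        Write-Warning "Could not resolve $name; check forwarders or root hints on the internal DNS."
    }
}
```

Run it in an elevated PowerShell session on the Forefront TMG computer; each warning maps to one guideline in the list above.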