I am having issues with DNS lookups timing out on all computers. I enabled the TMG DNS system policy and added another firewall policy to allow all DNS from anywhere to anywhere. The monitor shows no denied DNS connections.
The DC/DNS/DHCP/Wins server is a Windows 2008 R2 64 bit server. DNS has 2 external forward servers that fail to resolve and reverse lookup pointers for all computers.
Here is the ipconfig and nslookup console log:
C:\>ipconfig/all
Host Name . . . . . . . . . . . . : APOLLO
Primary Dns Suffix . . . . . . . : estar.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : estar.com
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Local Area Connection - Virtual Network
Physical Address. . . . . . . . . : 84-2B-2B-00-8F-BF
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c0a8:fe0f%16(Preferred)
Link-local IPv6 Address . . . . . : fe80::7802:18:9370:4669%16(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.254.15(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::c0a8:fe0b%16
                                    192.168.254.11
DHCPv6 IAID . . . . . . . . . . . : 293874475
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-1B-27-53-84-2B-2B-00-8F-BF
DNS Servers . . . . . . . . . . . : 192.168.254.15
                                    68.87.68.162
                                    68.87.74.162
Primary WINS Server . . . . . . . : 192.168.254.15
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 192.168.254.15
C:\>nslookup www.google.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: ::1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
The Gateway/ForeFront TMG server is a Windows 2008 R2 64 bit server. Here is the ipconfig and nslookup console log:
C:\>ipconfig/all
Host Name . . . . . . . . . . . . : AGUIRRE
Primary Dns Suffix . . . . . . . : estar.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : estar.com
Ethernet adapter Internal NIC:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
                                    VBD Client) #2
Physical Address. . . . . . . . . : 00-1C-23-CD-87-24
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::211c:a611:bba9:6c09%12(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.254.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 301997091
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-D8-60-67-00-1C-23-CD-87-22
DNS Servers . . . . . . . . . . . : 192.168.254.15
                                    68.87.68.162
                                    68.87.74.162
Primary WINS Server . . . . . . . : 192.168.254.15
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter External NIC:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS
                                    VBD Client)
Physical Address. . . . . . . . . : 00-1C-23-CD-87-22
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::c574:e9c8:3e05:ab%11(Preferred)
IPv4 Address. . . . . . . . . . . : 70.91.104.193(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 70.91.104.194
DHCPv6 IAID . . . . . . . . . . . : 234888227
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-D8-60-67-00-1C-23-CD-87-22
DNS Servers . . . . . . . . . . . : 192.168.254.15
                                    68.87.68.162
                                    68.87.74.162
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\>nslookup
Default Server: apollo.estar.com
Address: 192.168.254.15
C:\>nslookup www.google.com
Server: apollo.estar.com
Address: 192.168.254.15
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to apollo.estar.com timed-out
Are you allowing both TCP/53 and UDP/53 inbound and outbound for the DNS traffic? Not sure if TMG has rulesets which automatically allow all of these in one setting or whether you need to specify them all separately.
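As an added example (not part of the original question or the comment above), here is a PowerShell 2.0 script that answers the TCP/53 vs UDP/53 question empirically. It sends the same www.google.com query the poster used straight to each DNS server listed in the ipconfig output, once over UDP/53 and once over TCP/53, using hand-built packets on raw .NET sockets so it runs on Windows Server 2008 R2 without Resolve-DnsName. The server addresses, the query name and the 2-second timeout come from the output above; the function names and the rcode/answer-count summary line are this example's own. Run it on AGUIRRE (the TMG host) first, then on APOLLO.

```powershell
# Added example, not from the original post. Probes DNS servers over UDP/53 and TCP/53
# with hand-built packets so it works on PowerShell 2.0 (Windows Server 2008 R2).
# Servers and query name are taken from the ipconfig/nslookup output in the question.

function New-DnsQuery {
    param([string]$Name, [int]$Id = 0x1234)
    # 12-byte header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    [byte[]]$q = @(
        [byte](($Id -band 0xFF00) / 256), [byte]($Id -band 0xFF),
        0x01, 0x00,
        0x00, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    )
    # QNAME as length-prefixed labels, then the root label, QTYPE=A, QCLASS=IN
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $q += [byte]($label.Length)
        $q += [System.Text.Encoding]::ASCII.GetBytes($label)
    }
    $q += [byte[]](0x00, 0x00, 0x01, 0x00, 0x01)
    return ,$q
}

function Test-DnsUdp {
    param([string]$Server, [byte[]]$Query, [int]$TimeoutMs = 2000)
    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($Query, $Query.Length, $Server, 53)
        $from = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        return ,$udp.Receive([ref]$from)
    } catch {
        return $null          # SocketException on timeout: no answer (filtered or dead)
    } finally {
        $udp.Close()
    }
}

function Test-DnsTcp {
    param([string]$Server, [byte[]]$Query, [int]$TimeoutMs = 2000)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Server, 53, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $null }  # SYN never answered
        $tcp.EndConnect($ar)
        $s = $tcp.GetStream()
        $s.ReadTimeout = $TimeoutMs
        # RFC 1035 4.2.2: over TCP every message carries a 2-byte big-endian length prefix
        [byte[]]$len = @([byte](($Query.Length -band 0xFF00) / 256), [byte]($Query.Length -band 0xFF))
        $s.Write($len, 0, 2)
        $s.Write($Query, 0, $Query.Length)
        $hdr = New-Object byte[] 2
        if ($s.Read($hdr, 0, 2) -ne 2) { return $null }
        $rlen = $hdr[0] * 256 + $hdr[1]
        $resp = New-Object byte[] $rlen
        $got = 0
        while ($got -lt $rlen) {
            $n = $s.Read($resp, $got, $rlen - $got)
            if ($n -le 0) { break }
            $got += $n
        }
        return ,$resp
    } catch {
        return $null          # connection refused, reset, or read timeout
    } finally {
        $tcp.Close()
    }
}

function Get-DnsResponseSummary {
    param([byte[]]$Resp)
    if ($null -eq $Resp -or $Resp.Length -lt 12) { return 'no answer (timed out/filtered)' }
    $rcode   = $Resp[3] -band 0x0F        # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
    $ancount = $Resp[6] * 256 + $Resp[7]
    return ('rcode={0} answers={1}' -f $rcode, $ancount)
}

$query = New-DnsQuery -Name 'www.google.com'
# The DC (APOLLO) and the two external forwarders, as listed in the ipconfig output
foreach ($srv in '192.168.254.15', '68.87.68.162', '68.87.74.162') {
    $u = Get-DnsResponseSummary (Test-DnsUdp -Server $srv -Query $query)
    $t = Get-DnsResponseSummary (Test-DnsTcp -Server $srv -Query $query)
    '{0,-16} UDP/53: {1,-32} TCP/53: {2}' -f $srv, $u, $t
}
```

Reading the results: if the two forwarders answer over both transports from AGUIRRE but show "no answer" from APOLLO, the internal-to-external DNS rule on TMG is not passing the traffic even though nothing is logged as denied; if they answer over UDP but not TCP from either host, the rule covers only UDP/53; if they fail from AGUIRRE as well, the problem is on the external leg or upstream. Separately, if the forwarders answer from APOLLO but 192.168.254.15 itself returns rcode=2 or no answer, the DNS service on the DC, not TMG, is what is timing out.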