Transterrestrial Musings  
Biting Commentary about Infinity, and Beyond!
I Still Want My DNS!

The saga continues.

When I hardwire a DNS into my client, it works. Sort of.

I can get to transterrestrial.com, but pages from Instapundit and National Review (and who knows which else?) won't load.

This is the case not only for my original solution of Earthlink's IPs, but also for Dave Mercer's recommendation of cybertrails.com's.

What the heck is going on?

Posted by Rand Simberg at July 10, 2004 09:06 PM

Comments

I'm having problems with a simple dial-up and AOL. Two sites just lock up the system, all others OK. Extremely unlikely my problem is related to yours, but paranoid minds want to know.

Rich

Posted by Rich at July 10, 2004 09:33 PM

Wow, now that IS weird!

Is the reachability of the sites consistent across client machines? And do those machines all have the same dns server setting? And is that the router (machine running ICS) which is forwarding dns or are they directly using the hardwired dns server ip?

As of the timestamp on this post (as a data point) the cybertrails.com dns server is replying fine for www.nationalreview.com and www.instapundit.com. Still smells like ICS/ZA trouble, I know that that's not what you want to hear, but it is very much sounding like the troubles I've had myself with that same combo. We could get google, but not yahoo, etc. with no seeming moment to moment rhyme or reason, nor ZA log entries.

Like you're experiencing! :-(

You could use a floppy or CD bootable linux distro on your gateway box (leaving the underlying Windows alone until it's a client again).

I know, how do I get to one? Well here're direct Google IPs to use if dns is flaking out still and you want to go hunting in those woods: 216.239.57.147, 216.239.57.99, 216.239.57.104

Note that if you click on the 'cache' button on a google hit when you got to google from a raw IP that the cached copies still link to that IP. They're "I'm on the other end of a piece of string" surfin' friendly like that! :-)

Posted by David Mercer at July 11, 2004 05:40 AM

DNS gets cached locally, so your own site may work while other sites don't. Sounds like your firewall is blocking DNS replies (outbound stuff is usually not blocked at all), or the gateway machine isn't forwarding the responses via NAT back to the requesting client.

Have you tried setting the DNS for 192.168.0.1 on your clients?

What happens when you invoke NSLOOKUP on a client and specify an external server? What does a lookup for transterrestrial.com do? bozo.com (66.77.49.93)? If you get timeouts (likely), what happens when you do the same on the gateway?

I'm betting that the problem is only in the clients, and is related to not passing incoming UDP traffic on DNS inside. Is there a firewall log?

You should be allowing incoming UDP traffic FROM port 53 to any address above 1023 to be forwarded through the gateway to the inside.

If you have a DNS server inside, then you also have to allow incoming UDP traffic TO port 53. In this case, TCP traffic from and to port 53 should also be allowed.

Posted by Kevin Murphy at July 12, 2004 12:23 AM

I'm betting that the problem is only in the clients, and is related to not passing incoming UDP traffic on DNS inside.

Yes.

Is there a firewall log?

Yes, but it's not showing any blocks to/from the LAN. Which, apparently, being Zone Alarm, doesn't mean it isn't happening.

You should be allowing incoming UDP traffic FROM port 53 to any address above 1023 to be forwarded through the gateway to the inside.

That may be the problem. Incoming UDP is currently blocked. I have to submit a port range. If 1023 is the lower number, what should the upper one be?

Posted by Rand Simberg at July 12, 2004 06:27 AM

Upper is 65535 (the port is randomly selected each time from that range).

Posted by Kevin Murphy at July 12, 2004 09:14 AM

Oh, the lower number is 1024 ("above 1023")

Posted by Kevin Murphy at July 12, 2004 09:27 AM

In answer to your other question, when I do "nslookup transterrestrial" (with default DNS settings on the client), I get:

DNS Request times out, can't find server name for address 192.168.0.1: Times out
Default servers are not available.

Posted by Rand Simberg at July 12, 2004 09:30 AM
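As an added example (not code from the thread, and not Kevin Murphy's or Rand's), the Python below re-enacts the mechanics the comments above turn on: a stub resolver such as nslookup sends its query from a random port above 1023 to the resolver's UDP port 53, the reply comes back FROM port 53 TO that high port, and a gateway that drops all inbound UDP silently discards the reply, so the client sees nothing but "request timed out". The reply bytes are constructed by hand; the bozo.com address 66.77.49.93 is the one quoted in the thread; the function names and the five-field rule tuples are my own invention; `resolve()` performs a live lookup against a server address you supply and is not exercised offline.

```python
import random
import socket
import struct

# Ephemeral source-port range named in the thread ("above 1023" up to 65535).
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 65535


def build_query(name, txid):
    """Encode a standard recursive A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a name (following compression pointers); return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # two-byte pointer into an earlier name
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_reply(msg, expected_txid):
    """Return the IPv4 strings in the answer section, or raise on a bad reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or forged reply")
    if flags & 0x000F:                        # RCODE, e.g. 3 = NXDOMAIN
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                       # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


# Constructed reply for "bozo.com" -> 66.77.49.93 (the address quoted in the
# thread), as a resolver would send it back FROM port 53 TO the client's port.
SAMPLE_TXID = 0x1234
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR, RD, RA, 1 Q, 1 A
    b"\x04bozo\x03com\x00\x00\x01\x00\x01"                # question: bozo.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # answer: ptr, A, IN, TTL 3600, len 4
    b"\x42\x4d\x31\x5d"                                   # 66.77.49.93
)


def reply_passes(rules, proto, src_port, dst_port):
    """Stateless inbound check; rules are (proto, src_lo, src_hi, dst_lo, dst_hi)."""
    return any(p == proto and slo <= src_port <= shi and dlo <= dst_port <= dhi
               for p, slo, shi, dlo, dhi in rules)


RULES_BLOCKED = []                                              # all inbound UDP dropped
RULES_FIXED = [("udp", 53, 53, EPHEMERAL_LOW, EPHEMERAL_HIGH)]  # from 53 to 1024-65535


def simulate_lookup(rules, client_port=53211):
    """Offline re-enactment of the client's view: a dropped reply is just a timeout."""
    if not reply_passes(rules, "udp", 53, client_port):
        return "DNS request timed out"
    return parse_a_reply(SAMPLE_REPLY, SAMPLE_TXID)


def resolve(name, server, timeout=2.0):
    """Live lookup: bind an ephemeral port, send to UDP 53, wait for the reply."""
    txid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", 0))                        # OS picks a port in the ephemeral range
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)          # raises socket.timeout if the reply is dropped
    finally:
        sock.close()
    return parse_a_reply(data, txid)


if __name__ == "__main__":
    print("inbound UDP blocked :", simulate_lookup(RULES_BLOCKED))
    print("reply rule added    :", simulate_lookup(RULES_FIXED))
```

Running it prints the timeout string for the blocked rule set and the address list once the "from 53 to 1024-65535" rule is present. The transaction-id check in `parse_a_reply` is the minimum a client should do before trusting a UDP answer; a stateful firewall would instead match the inbound reply to the outbound query it just saw, which is why the static rule is only needed on a stateless gateway like the one in this thread.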
