We have seen this problem with every installation of Windows Server 2008 R2 behind an ISA server. Clients are not able to resolve certain DNS names. We noticed that we had problems resolving all Microsoft .com sites.
All the other Microsoft sites, like www.microsoft.nl or www.bing.co.uk, do work. So what gives? As it turns out, in Windows 2008 R2 EDNS probes are enabled by default. This can cause the DNS UDP packets to be larger than the ISA Server's DNS filter allows.
To fix this you need to execute the following command:
dnscmd <Server Name> /Config /EnableEDnsProbes 0
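To confirm from a packet capture that EDNS is what triggers the drops, the following added example (not part of the original post) builds a DNS query with and without an EDNS0 OPT record and reports the UDP payload size the query advertises. The 512-byte threshold is the pre-EDNS limit from RFC 1035; that the ISA filter enforces exactly this value is an assumption, and the 4096 sample size and all function names are constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 limit for DNS over UDP without EDNS0 (assumed filter limit)
OPT = 41                 # EDNS0 pseudo-record type (RFC 6891)

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, edns_size=None, qid=0x1234):
    """Build an A query; with edns_size set, append an OPT record advertising that size."""
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns_size:
        # root name, TYPE=OPT, CLASS carries the UDP payload size, TTL=0, RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[pos]
        if n == 0:
            return pos + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes and ends the name
            return pos + 2
        pos += 1 + n

def edns_info(msg):
    """Return (has_opt, advertised_udp_size, message_length) for a DNS message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == OPT:
            return True, rclass, len(msg)
        pos += 10 + rdlen
    return False, None, len(msg)

def may_allow_large_response(msg):
    """True if the query invites a UDP response above the classic 512-byte limit."""
    has_opt, size, _ = edns_info(msg)
    return has_opt and size > CLASSIC_UDP_LIMIT

if __name__ == "__main__":
    for q in (build_query("www.microsoft.com"), build_query("www.microsoft.com", 4096)):
        print(edns_info(q), may_allow_large_response(q))
```

Feed `edns_info` the UDP payload of queries leaving the DNS server before and after running the `dnscmd` change; after the change the OPT record should no longer appear.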