Solved

How do I use split DNS to override some records but not all?

Posted on 2007-10-14
Last Modified: 2008-06-01
I have 2 DNS servers running Windows 2003, one to resolve external requests for all the domains we host, and one to run with Active Directory. I have the problem that half of the services on our domain are hosted internally and half externally. All of these services are accessible externally, but internally I need to override the IPs for the obvious ones such as mail. and a few development staging sites.

Our external facing DNS records are amended very regularly, and I don't want to have to add them twice because we need 2 servers. Is it possible to set up Windows DNS to resolve requests for the domain, but pass on requests it doesn't hold a record for to the other server?
Question by:flyjedi
13 Comments
 
LVL 15

Expert Comment

by:JimboEfx
ID: 20074860
You are in a bit of a bind (pardon the pun!)

The one downside of split-brain DNS has always been the manual config of records for external services.

White paper here:
http://www.microsoft.com/serviceproviders/resources/techresarticlesdnssplit.mspx

Your AD/DNS server will consider itself authoritative for that zone so that presents the problem.

I have no up front solution - unless of course I'm wrong in which case an expert here will correct me in short order.

Ideally what you need to do is pull the external records in from your external DNS server (just thinking out loud here) in some sort of scripted fashion.

Will be watching this thread with interest.
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20074868
Can you provide a specific example (replace domain names where you see fit) please?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20074889
Hmmm, perhaps I do follow - if I understand you correctly, you've named your internal AD the same as your public web presence.  There seems to be a flood of these kinds of questions/problems recently ... anyway, is my understanding correct?
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 20075051
Basically, what you are asking, no..... If you run split DNS then you are stuck with manually updating what the server sees as an authoritative zone..... a downfall of split DNS but not a huge deal, you just have to have a set procedure when updating.
 
LVL 2

Author Comment

by:flyjedi
ID: 20076687
OK I'll give some more detail. The domain in question is company.com. Our internal DNS runs on internal.company. We are a web development company and have around 300 A/CNAME records on our company.com zone which are staging sites for customers. These sites are hosted in various locations, some internally, some externally. Obviously internally they are not visible on the same address as externally - that's the first problem. Next problem is setting up email etc. for laptop users, browsing the extranet, etc. requires split DNS again.

What I thought originally is the same as JimboEfx, that it must somehow be possible to copy the records. The problem is how do I prevent it from overwriting the ones I have changed for internal addresses?

Is it possible to set up the company.com DNS internally as non-authoritative and forward all queries that it doesn't hold a record for? Surely the only one AD needs authority over is internal.company?
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20077576
That helps ... and you're correct regarding AD; it requires authority over only the portion of the namespace after which it is named (out of interest, is that 'internal.company' or 'internal.company.com'?)

So, as it stands right now ... your internal DNS infrastructure does NOT house a copy of 'company.com' ... is that true or false?  All name resolution requests for 'company.com' are handled by the public zone but a number of them fail because the internal users reach those end-points in a manner sufficiently different to break things, i.e. perhaps they're not hitting the necessary reverse NAT box, perhaps the routes don't work internally ... again, correct?
 
LVL 2

Author Comment

by:flyjedi
ID: 20077606
It's internal.company, not internal.company.com

Yes, the internal queries that hit this server get sent back a public IP that cannot be reached from inside. If I could find a way round this a whole load of problems would be solved, but I don't believe that's going to happen any time soon.
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20077781
We'll see, I'm not convinced yet but still need a little more info.  

1. Are the name servers running on DCs?  
2. How many other DNS servers do you have?
   - are they running on DCs too?
3. Where do your domain members/clients preferred, alternate, tertiary etc. DNS resolvers point to?
4. Please confirm (thus far, it's only implied) that you do NOT maintain a copy of 'company.com' internally
 
LVL 2

Author Comment

by:flyjedi
ID: 20077868
OK relevant servers on the network are:

DC-01 - This is the domain controller, and also hosts the internal DNS for internal.company. This forwards requests to our ISP's NS servers if it can't resolve. It contains a zone for company.com containing just NS records pointing at NS-01 (otherwise company.com would not resolve at all for internal clients).

NS-01 - This is just a DNS server, however it is joined to the domain, storing its zones in files. This is on a public IP and is authoritative for company.com.

At the moment there is only the 1 DNS server for internal and the 1 for external. This is something I plan to change, but I want to get it all working before expanding that.

The only DNS server referred to by DHCP, and therefore by all clients internally, is DC-01.
 
LVL 9

Expert Comment

by:MSE-dwells
ID: 20077904
>> DC-01 - This is the domain controller, and also hosts the internal dns for internal.company. This fowards requests
>> to our ISPs NS servers if it can't resolve. It contains a zone for company.com containing just NS records pointing
>> at NS-01 (otherwise company.com would not resolve at all for internal clients)
This is a stub zone (I hope)?
 
LVL 9

Accepted Solution

by:
MSE-dwells earned 2000 total points
ID: 20078429
... I need to step away for a minute so I'll work on the assumption that it is indeed a stub zone as I suspect.

That said, I believe I've got sufficient information.  This can be done ... and while it is unconventional, it's by no means a bad configuration.  That said, it will almost certainly generate additional manual admin. work depending on the volatility of and the number of records that you dupe internally.  Here's how the solution pans out -

1. Set up as follows:

- public namespace is 'company.com'
- AD namespace is 'internal.company'
- two name servers exist:  DC-01 and NS-01
 * DC-01
    = internal facing
    = forwards to ISP name server(s)
    = is a Windows 2003 Domain Controller
    = houses 'internal.company' (primary AD-integrated / not relevant in this context really)
    = houses 'company.com' (non-AD-integrated stub zone mastered on NS-01)
    = ALL clients resolve here and here alone
 * NS-01
    = public facing
       + also services internally-originated name resolution requests from DC-01 due to DC-01's stub zone
    = a Windows 2003 domain member
    = public address
    = houses public-facing 'company.com'

2. Problem scenario:

- internal client attempts to browse to 'www.company.com'
- client submits A-record recursive query against DC-01 name server
- DC-01 uses stub zone and submits iterative query against NS-01
- NS-01 returns result to DC-01
    = result contains the public IP address of the site
- DC-01 caches address and returns to requesting client
- client attempts to connect to address and fails due to specifics of internal routing

3. Solution - to solve the problem scenario I outlined above, implement the following (repeat for each problem instance):

- on DC-01
  * create a new forward-lookup AD-integrated DNS zone named 'www.company.com'
    = again, you must name the zone including the 'www' (or whatever is relevant) prefix
    = configure the replication scope to 'All DNS servers in the forest'
      + this takes future scaling-out into account but is not mandatory by any means
    = create a new A-record within the 'www.company.com' zone
      + do NOT give the A-record a name
        * the interface uses the following verbiage - 'uses parent domain name if blank'
    = enter the private-facing IP address of 'www.company.com' and click OK to finish creating the record
    = clear the DNS server's cache
- on any client
  * browse to 'www.company.com'
    = should resolve to internal address
  * browse to 'somethingelse.company.com'
    = should resolve to public address

NOTE - in the unlikely, though certainly possible event you EVER require that an A record for 'somethingelse.www.company.com' resolves from the public-facing namespace, you will have to manage this manually or delegate the subordinate namespace(s) back to NS-01.

Let me know how it goes.

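As an added illustration (not part of the original thread or the poster's configuration), this Python model shows why the accepted solution works and where the NOTE about 'somethingelse.www.company.com' comes from: a DNS server answers from the closest enclosing zone it holds, so a zone literally named 'www.company.com' captures that host and everything beneath it, while 'somethingelse.company.com' still falls through the 'company.com' stub zone to NS-01. The zone names, IP addresses and two-server layout are constructed sample values that mirror the thread, not a live configuration.

```python
"""Toy model of which zone on DC-01 answers a given query (added example).

Constructed sample data: DC-01 holds a stub zone for 'company.com' (mastered
on NS-01) plus small AD-integrated zones named after the hosts whose internal
address must differ, each carrying one blank-name ('@') A record at its apex.
"""

# Zones hosted on DC-01. 'stub' means: refer the query to NS-01's public data;
# 'primary' means: DC-01 is authoritative and answers from its own records.
DC01_ZONES = {
    "company.com": {"type": "stub", "master": "NS-01"},
    "www.company.com": {"type": "primary", "records": {"@": "10.0.0.20"}},
    "mail.company.com": {"type": "primary", "records": {"@": "10.0.0.25"}},
}

# Public records held by NS-01 (constructed; this is what internal clients
# received for every name before the override zones were created).
NS01_RECORDS = {
    "www.company.com": "203.0.113.10",
    "mail.company.com": "203.0.113.11",
    "somethingelse.company.com": "203.0.113.12",
}


def closest_zone(qname, zones):
    """Return the longest hosted zone that is qname or one of its parents.

    Authority goes to the closest enclosing zone, which is why a zone named
    'www.company.com' wins over the 'company.com' stub for that one host
    (and, as the NOTE warns, for anything below it as well)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve_on_dc01(qname):
    """Answer as DC-01 would: (source, address); address None means no record."""
    q = qname.lower().rstrip(".")
    zone = closest_zone(q, DC01_ZONES)
    if zone is None:
        return ("forwarder", None)  # outside our namespace: sent to ISP forwarders
    info = DC01_ZONES[zone]
    if info["type"] == "stub":
        # Stub zone: DC-01 queries NS-01 iteratively and relays the public answer.
        return ("public", NS01_RECORDS.get(q))
    # Primary override zone: name relative to the zone apex; '@' is the blank-name record.
    rel = "@" if q == zone else q[: -len(zone) - 1]
    return ("internal", info["records"].get(rel))
```

A query for 'somethingelse.www.company.com' lands in the 'www.company.com' override zone and gets no record, which is the case the NOTE above says must be managed manually or delegated back to NS-01.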
 
LVL 2

Author Comment

by:flyjedi
ID: 20078614
Ah yes, good solution, I should have thought of that weeks ago. Create new zones for just the records that need changing. OK, I'll give this a go and let you know how it goes.
 
LVL 2

Author Comment

by:flyjedi
ID: 20078663
Yep, that's worked perfectly, thanks for that.