
DNS Delegation

Posted on 2008-06-12
Last Modified: 2008-06-12
I have a DNS Delegation question I want to clarify before I test it out. We have an external BIND DNS namespace called corp.com and our internal AD domain is named lan.corp.com. Users don't really know that they are on lan.corp.com, so they often put in the FQDN of server.corp.com when it actually resides in lan.corp.com.

So, I was planning on creating two internal DNS Active-Directory Integrated zones called corp.com and lan.corp.com (name of the domain), and create a delegation on the corp.com zone to the lan.corp.com zone. My understanding is that this would allow a user to type in server.corp.com and still have DNS resolve this record even though the actual A-host record resides in lan.corp.com. Is this how it should work using a delegation? I believe it should first go to corp.com and it will then see that server.corp.com does not exist, but with the delegation to lan.corp.com, it will automatically resolve it since there would be an A-host record for server in lan.corp.com... So, even though they enter a FQDN for a record that is not in corp.com, it will still resolve it in lan.corp.com.

Question by:rose6060
9 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21771179

In short, no. That's not going to work.

Delegation allows you to assign responsibility for a child name-space to other Name Servers.

If someone requests server.corp.com, but no explicit record or wildcard matches server.corp.com, the DNS server authoritative for corp.com will return failure. It won't map that over to server.lan.corp.com; that's an entirely different query.

You normally bump into this kind of issue when a client is trying to resolve by host-name only.

e.g.

1. User asks for "server"
2. DNS Client is configured with DNS Suffix of "lan.corp.com"
3. DNS Client requests address for "server.lan.corp.com"
4. DNS Server replies does not exist because record only exists as server.corp.com.

In this situation the client would be reconfigured with additional suffixes in its search list, or with "search parent suffixes" set, so that:

1. User asks for "server"
2. DNS Client is configured with DNS Suffixes of "lan.corp.com" and "corp.com"
3. DNS Client requests address for "server.lan.corp.com"
4. DNS Server replies does not exist
5. DNS Client requests address for "server.corp.com"
6. DNS Server responds with address

But that doesn't seem like it fits your situation; you want the client to search child suffixes rather than parent (appending suffixes is the job of the client, not the server)?

HTH

Chris
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771394
As I believe I have already explained to you in one of your other questions (albeit not in as much detail!), a delegation simply instructs one DNS zone to look up records for a subdomain in a separate zone, rather than storing all the subdomain records under the main zone.

As Chris has said, a lookup for "server.corp.com" will fail because the record doesn't exist. A lookup for "server.lan.corp.com" may be pointed at, and attempted to be looked up on, the corp.com namespace. This is the point where the delegation comes in - the corp.com zone points the request towards the second zone, lan.corp.com, since the lan subdomain's records are not stored within the main corp.com namespace. The lan.corp.com zone will then look up server.lan.corp.com, and then just handle the request as if it's a normal, non-delegated DNS lookup.

The whole point of creating a Delegation is so you can host subdomains of one of your DNS zones in their own separate zone - potentially on separate DNS servers. A delegation isn't a type of forwarder or anything like that though.

If you have further questions please post back.

-tigermatt
 

Author Comment

by:rose6060
ID: 21772579
Sorry for the confusion in my previous question, I may not have clearly explained what I was trying to do. We have users who actually put in the FQDN, i.e. server.corp.com, rather than just server. I understand that if they put in server, by using suffixes, we can resolve the request. But, I was hoping to handle the request if they put in server.corp.com when the record is actually in lan.corp.com. I guess we would have to put lan.corp.com records in our corp.com zone as well so they get resolved. Is there really any advantage for us to use a delegation then? If we still have two zones on our DNS server for both corp.com and lan.corp.com, then it will still check the hostname against the available DNS suffixes as Chris described above and get resolved.
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772619
You need a delegation if you intend on separating out the lan.corp.com records into their own zone. Doing this for your Active Directory domain is probably a good idea since it keeps it separate from the custom corp.com zone which you have created. The delegation in this case is required because it forwards lan.corp.com requests to the correct zone.

If it's just the server.corp.com record users are typing in, you could just create a CNAME in the corp.com zone for the server record. The CNAME should be configured so it points towards server.lan.corp.com. That would point requests for server.corp.com to server.lan.corp.com, without defining the IP address for that server twice.

-tigermatt
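To make the two resolution paths discussed above concrete (Chris's suffix-search-list walkthrough and tigermatt's CNAME suggestion), here is a small Python model added as an illustration. It is example code, not anything from the thread or from either poster, and it uses constructed zone data: the name-server names ns1 and dc1 and the RFC 5737 documentation addresses are placeholders. An authoritative lookup starts at the top-most zone, follows the NS delegation into lan.corp.com when the query name falls under it, and follows a CNAME if one exists; a stub resolver then appends search-list suffixes the way the client does. The point the experts make falls out directly: without an alias, server.corp.com is NXDOMAIN no matter how the delegation is set up, and only the client's suffix list or a CNAME in corp.com gets the user to server.lan.corp.com.

```python
import copy

# Constructed zone data (placeholder names, RFC 5737 addresses); not the
# poster's real records.  Trailing dots mark absolute names.
ZONES = {
    "corp.com.": {
        "corp.com.":         {"NS": ["ns1.corp.com."]},
        "ns1.corp.com.":     {"A": ["192.0.2.1"]},
        "www.corp.com.":     {"A": ["192.0.2.10"]},
        # Delegation: hand the lan.corp.com name-space to the AD DNS server.
        "lan.corp.com.":     {"NS": ["dc1.lan.corp.com."]},
        "dc1.lan.corp.com.": {"A": ["192.0.2.20"]},   # glue for the NS above
        # The alias suggested in the thread so server.corp.com resolves.
        "server.corp.com.":  {"CNAME": ["server.lan.corp.com."]},
    },
    "lan.corp.com.": {
        "lan.corp.com.":        {"NS": ["dc1.lan.corp.com."]},
        "dc1.lan.corp.com.":    {"A": ["192.0.2.20"]},
        "server.lan.corp.com.": {"A": ["192.0.2.50"]},
    },
}

# The same data without the alias, to show the failure the experts describe.
ZONES_NO_CNAME = copy.deepcopy(ZONES)
del ZONES_NO_CNAME["corp.com."]["server.corp.com."]

MAX_CNAME_CHAIN = 8   # refuse to chase alias loops forever


def canon(name):
    """Lower-case a name and make it absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def authoritative_lookup(qname, zones=ZONES, _chain=0):
    """Answer an A query the way a server holding these zones would: start at
    the top-most enclosing zone, step into a child zone if an NS delegation
    covers qname, then answer from that zone.  Returns the address list, or
    None for NXDOMAIN / no A record."""
    qname = canon(qname)
    enclosing = [z for z in zones if qname == z or qname.endswith("." + z)]
    if not enclosing:
        return None                      # not authoritative for this name
    zone_name = min(enclosing, key=len)  # top-most zone, e.g. corp.com.
    while True:
        zone = zones[zone_name]
        # A delegation is an NS record owned by a name below the apex that
        # encloses qname; it sends the query into the child zone.
        cut = next((o for o, rr in zone.items()
                    if o != zone_name and "NS" in rr
                    and (qname == o or qname.endswith("." + o))), None)
        if cut is None:
            break
        if cut not in zones:
            return None                  # delegated to a server we do not model
        zone_name = cut
    rrset = zone.get(qname)
    if rrset is None:
        return None                      # NXDOMAIN: nothing maps across zones
    if "CNAME" in rrset:
        if _chain >= MAX_CNAME_CHAIN:
            return None
        return authoritative_lookup(rrset["CNAME"][0], zones, _chain + 1)
    return rrset.get("A")


def stub_resolve(name, search_list, zones=ZONES):
    """Mimic the client side: a single-label name has each search-list suffix
    appended in turn (a simplification of the Windows client rules); a dotted
    name is tried exactly as typed.  Returns (fqdn, addresses, attempts)."""
    if "." in name:
        candidates = [canon(name)]
    else:
        candidates = [canon(f"{name}.{suffix}") for suffix in search_list]
    attempts = []
    for fqdn in candidates:
        addrs = authoritative_lookup(fqdn, zones)
        attempts.append((fqdn, addrs))
        if addrs:
            return fqdn, addrs, attempts
    return None, None, attempts


if __name__ == "__main__":
    print("via delegation :", authoritative_lookup("server.lan.corp.com"))
    print("no alias       :", authoritative_lookup("server.corp.com", ZONES_NO_CNAME))
    print("with CNAME     :", authoritative_lookup("server.corp.com"))
    print("suffix search  :", stub_resolve("server", ["corp.com", "lan.corp.com"], ZONES_NO_CNAME))
```

Running it shows server.lan.corp.com answered through the delegation, server.corp.com returning nothing in the zone set without the alias, the same name answered once the CNAME is present, and the stub resolver needing two attempts when "corp.com" is listed before "lan.corp.com" in the search list.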
 
LVL 71

Expert Comment

by:Chris Dent
ID: 21772639

You don't particularly need a delegation. Technically it should be there, but practically it won't make a difference.

If you were to offload lan.corp.com onto an entirely different server you would. But, as it is, the server has authority for both and will find the records regardless.

Chris
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772856
I did think that was the only time it was required - I guess it just makes it fully compliant having it in there though!
 
LVL 71

Accepted Solution

by:Chris Dent (earned 250 total points)
ID: 21773045

Yeah :) Compliance is good for us :)

Chris
 

Author Comment

by:rose6060
ID: 21773371
OK... even though it doesn't sound like it is required, I'll do the delegation so that it is fully compliant and use CNAMEs in corp.com to point to records in lan.corp.com as needed.
 
LVL 58

Assisted Solution

by:tigermatt (earned 250 total points)
ID: 21773387
That sounds like a good plan :-)