rose6060
asked on
DNS Delegation
I have a DNS Delegation question I want to clarify before I test it out. We have an external BIND DNS namespace called corp.com and our internal AD domain is named lan.corp.com. Users don't really know that they are on the lan.corp.com, so they often put in the FQDN of server.corp.com when it actually resides in lan.corp.com.
So, I was planning on creating two internal DNS Active-Directory Integrated zones called corp.com and lan.corp.com (name of the domain), and create a delegation on the corp.com zone to the lan.corp.com zone. My understanding is that this would allow a user to type in server.corp.com and still have DNS resolve this record even though the actual A-host record resides in lan.corp.com. Is this how it should work using a delegation? I believe it should first go to corp.com and it will then see that server.corp.com does not exist, but with the delegation to lan.corp.com, it will automatically resolve it since there would be an A-host record for server in lan.corp.com... So, even though they enter a FQDN for a record that is not in corp.com, it will still resolve it in lan.corp.com.
As I believe I have already explained to you in one of your other questions (albeit not in as much detail!), a delegation simply instructs one DNS zone to lookup records for a subdomain in a separate zone, rather than storing all the subdomain records under the main zone.
As Chris has said, a lookup for "server.corp.com" will fail because the record doesn't exist. A lookup for "server.lan.corp.com" may be pointed and attempted to be looked up on the corp.com namespace. This is the point where the delegation comes in - the corp.com zone points the request towards the second zone, lan.corp.com, since the lan subdomain's records are not stored within the main corp.com namespace. The lan.corp.com zone will then look up server.lan.corp.com, and then just handle the request as if it's a normal, non-delegated DNS lookup.
The whole point of creating a Delegation is so you can host subdomains of one of your DNS zones in their own separate zone - potentially on separate DNS servers. A delegation isn't a type of forwarder or anything like that though.
If you have further questions please post back.
-tigermatt
ASKER
Sorry for the confusion in my previous question, I may not have clearly explained what I was trying to do. We have users who actually put in the FQDN, i.e. server.corp.com rather than just server. I understand that if they put in server, by using suffixes, we can resolve the request. But, I was hoping to handle the request if they put in server.corp.com when the record is actually in lan.corp.com. I guess we would have to put lan.corp.com records in our corp.com zone as well so they get resolved. Is there really any advantage for us to use a delegation then? If we still have two zones on our DNS server for both corp.com and lan.corp.com, then it will still check the hostname against the available DNS suffixes as Chris described above and get resolved.
You need a delegation if you intend on separating out the lan.corp.com records into their own zone. Doing this for your Active Directory domain is probably a good idea since it keeps it separate from the custom corp.com zone which you have created. The delegation in this case is required because it forwards lan.corp.com requests to the correct zone.
If it's just the server.corp.com record users are typing in, you could just create a CNAME in the corp.com zone for the server record. The CNAME should be configured so it points towards server.lan.corp.com. That would point requests for server.corp.com to server.lan.corp.com, without defining the IP address for that server twice.
-tigermatt
You don't particularly need a delegation. Technically it should be there, but practically it won't make a difference.
If you were to offload lan.corp.com onto an entirely different server you would. But, as it is, the server has authority for both and will find the records regardless.
Chris
I did think that was the only time it was required - I guess it just makes it fully compliant having it in there though!
ASKER
OK... even though it doesn't sound like it is required, I'll do the delegation so that it is fully compliant and use cnames in corp.com to point to records in lan.corp.com as needed.
In short, no. That's not going to work.
Delegation allows you to assign responsibility for a child name-space to other Name Servers.
If someone requests server.corp.com, but no explicit record, or wildcard, matches server.corp.com the DNS server authoritative for corp.com will return failure. It won't map that over to server.lan.corp.com, that's an entirely different query.
You normally bump into this kind of issue when a client is trying to resolve by host-name only.
e.g.
1. User asks for "server"
2. DNS Client is configured with DNS Suffix of "lan.corp.com"
3. DNS Client requests address for "server.lan.corp.com"
4. DNS Server replies that it does not exist because the record only exists as server.corp.com.
In this situation the client would be reconfigured with additional Suffixes in its search list, or with search parent suffixes set, so that:
1. User asks for "server"
2. DNS Client is configured with DNS Suffixes of "lan.corp.com" and "corp.com"
3. DNS Client requests address for "server.lan.corp.com"
4. DNS Server replies that it does not exist
5. DNS Client requests address for "server.corp.com"
6. DNS Server responds with address
But that doesn't seem to fit your situation; you want the client to search child suffixes rather than parent ones (appending suffixes is the job of the client, not the server)?
HTH
Chris
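The behaviour described in tigermatt's CNAME answer and in Chris's suffix-search steps above, as an added Python simulation that is not part of the thread: a tiny authoritative server pair with the corp.com to lan.corp.com delegation, and a stub client that appends suffixes. Server names, zone contents and addresses are constructed for illustration.

```python
# Added example, not code from the thread: toy authoritative servers and a stub
# client showing why a delegation alone does not make server.corp.com resolve
# while a CNAME in corp.com or a client suffix search list does (all constructed).
NXDOMAIN = "NXDOMAIN"
# server -> {zone origin -> {owner name: (type, rdata)}}; the NS record for
# lan.corp.com inside the corp.com zone is the delegation discussed above.
SERVERS = {
    "ns1.corp.com": {"corp.com": {
        "lan.corp.com": ("NS", "dc1.lan.corp.com"),
        "www.corp.com": ("A", "203.0.113.10"),
        "files.corp.com": ("CNAME", "files.lan.corp.com"),  # tigermatt's alias
    }},
    "dc1.lan.corp.com": {"lan.corp.com": {
        "dc1.lan.corp.com": ("A", "10.0.0.1"),
        "server.lan.corp.com": ("A", "10.0.0.5"),
        "files.lan.corp.com": ("A", "10.0.0.6"),
    }},
}

def query(server, name):
    """One server's authoritative answer: a record, a referral, or NXDOMAIN."""
    zones = SERVERS[server]
    cands = [z for z in zones if name == z or name.endswith("." + z)]
    if not cands:
        return ("NXDOMAIN", None)  # not authoritative; the toy does no recursion
    zone = zones[max(cands, key=len)]  # most specific zone on this server wins
    for owner, (rtype, rdata) in zone.items():
        if rtype == "NS" and (name == owner or name.endswith("." + owner)):
            return ("REFERRAL", rdata)  # name lies in a delegated child zone
    return zone.get(name, ("NXDOMAIN", None))

def resolve(name, start="ns1.corp.com"):
    """Resolve from the corp.com server, following NS referrals and CNAMEs."""
    server = start
    for _ in range(8):  # bound the length of referral/alias chains
        rtype, rdata = query(server, name)
        if rtype == "REFERRAL":
            server = rdata  # walk down into the delegated zone
        elif rtype == "CNAME":
            name, server = rdata, start  # restart for the alias target
        else:
            return rdata if rtype == "A" else NXDOMAIN
    return NXDOMAIN

def client_lookup(shortname, search_list):
    """Stub resolver: append each configured suffix in turn (Chris's steps 1-6)."""
    for fqdn in (f"{shortname}.{s}" for s in search_list):
        if (addr := resolve(fqdn)) != NXDOMAIN:
            return fqdn, addr
    return None, NXDOMAIN
```

Note that `resolve("server.corp.com")` stays NXDOMAIN even with the delegation in place, because the server never rewrites the query name; only the CNAME or the client's search list bridges the two zones.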