Solved

DNS Delegation

Posted on 2008-06-12
9
1,245 Views
Last Modified: 2008-06-12
I have a DNS Delegation question I want to clarify before I test it out.  We have an external BIND DNS namespace called corp.com and our internal AD domain is named lan.corp.com.  Users don't really know that they are on the lan.corp.com, so they often put in the FQDN of server.corp.com when it actually resides in lan.corp.com.

So, I was planning on creating two internal DNS Active-Directory Integrated zones called corp.com and lan.corp.com (name of the domain), and create a delegation on the corp.com zone to the lan.corp.com zone. My understanding is that this would allow a user to type in server.corp.com and still have DNS resolve this record even though the actual A-host record resides in lan.corp.com. Is this how it should work using a delegation? I believe it should first go to corp.com and it will then see that server.corp.com does not exist, but with the delegation to lan.corp.com, it will automatically resolve it since there would be an A-host record for server in lan.corp.com... So, even though they enter a FQDN for a record that is not in corp.com, it will still resolve it in lan.corp.com.

0
Question by:rose6060
9 Comments
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21771179

In short, no. That's not going to work.

Delegation allows you to assign responsibility for a child name-space to other Name Servers.

If someone requests server.corp.com, but no explicit record, or wildcard, matches server.corp.com the DNS server authoritative for corp.com will return failure. It won't map that over to server.lan.corp.com, that's an entirely different query.

You normally bump into this kind of issue when a client is trying to resolve by host-name only.

e.g.

1. User asks for "server"
2. DNS Client is configured with DNS Suffix of "lan.corp.com"
3. DNS Client requests address for "server.lan.corp.com"
4. DNS Server replies that it does not exist because the record only exists as server.corp.com.

In this situation the client would be reconfigured with additional suffixes in its search list, or with "search parent suffixes" set, so that:

1. User asks for "server"
2. DNS Client is configured with DNS Suffixes of "lan.corp.com" and "corp.com"
3. DNS Client requests address for "server.lan.corp.com"
4. DNS Server replies that it does not exist
5. DNS Client requests address for "server.corp.com"
6. DNS Server responds with address

But that doesn't seem like it fits your situation; you want the client to search child suffixes rather than parent (appending suffixes is the job of the client, not the server)?

HTH

Chris
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21771394
As I believe I have already explained to you in one of your other questions (albeit not in as much detail!), a delegation simply instructs one DNS zone to look up records for a subdomain in a separate zone, rather than storing all the subdomain records under the main zone.

As Chris has said, a lookup for "server.corp.com" will fail because the record doesn't exist. A lookup for "server.lan.corp.com" may be pointed and attempted to be looked up on the corp.com namespace. This is the point where the delegation comes in - the corp.com zone points the request towards the second zone, lan.corp.com, since the lan subdomain's records are not stored within the main corp.com namespace. The lan.corp.com zone will then look up server.lan.corp.com, and then just handle the request as if it's a normal, non-delegated DNS lookup.

The whole point of creating a delegation is so you can host subdomains of one of your DNS zones in their own separate zone - potentially on separate DNS servers. A delegation isn't a type of forwarder or anything like that though.

If you have further questions please post back.

-tigermatt
0
 

Author Comment

by:rose6060
ID: 21772579
Sorry for the confusion in my previous question, I may not have clearly explained what I was trying to do. We have users who actually put in the FQDN, i.e. server.corp.com, rather than just server. I understand that if they put in server, by using suffixes, we can resolve the request. But, I was hoping to handle the request if they put in server.corp.com when the record is actually in lan.corp.com. I guess we would have to put lan.corp.com records in our corp.com zone as well so they get resolved. Is there really any advantage for us to use a delegation then? If we still have two zones on our DNS server for both corp.com and lan.corp.com, then it will still check the hostname against the available DNS suffixes as Chris described above and get resolved.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772619
You need a delegation if you intend on separating out the lan.corp.com records into their own zone. Doing this for your Active Directory domain is probably a good idea since it keeps it separate from the custom corp.com zone which you have created. The delegation in this case is required because it forwards lan.corp.com requests to the correct zone.

If it's just the server.corp.com record users are typing in, you could just create a CNAME in the corp.com zone for the server record. The CNAME should be configured so it points towards server.lan.corp.com. That would point requests for server.corp.com to server.lan.corp.com, without defining the IP address for that server twice.

-tigermatt
0
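To make the behaviour discussed in this thread concrete, here is an added toy model (not code from the original thread, and not how Windows DNS or BIND are implemented). It simulates a server hosting both zones with constructed records: a query for server.corp.com returns NXDOMAIN because a delegation never redirects a query to the child (Chris's first point), a client suffix search list finds "server" by appending lan.corp.com (his steps 1-6), a server that hosts only corp.com answers with a referral to the delegated name servers, and the CNAME tigermatt suggests makes server.corp.com resolve to the real address without storing it twice. All names, addresses and the NS host dc1.lan.corp.com are constructed for the example.

```python
"""Toy model of the two-zone layout from this thread. Constructed data only:
zones are dicts, a delegation is an NS record in the parent zone, and the
client suffix search is applied to single-label names only."""


def fqdn(name):
    """Normalise a name to absolute form with a trailing dot."""
    return name if name.endswith(".") else name + "."


def build_zones(with_cname):
    """Constructed zone data for corp.com and lan.corp.com, both hosted here.
    Addresses come from documentation/private ranges chosen for the example."""
    corp = {
        "www.corp.com.": [("A", "203.0.113.10")],
        # Delegation: the lan.corp.com child name-space lives in its own zone.
        "lan.corp.com.": [("NS", "dc1.lan.corp.com.")],
    }
    if with_cname:
        # tigermatt's suggestion: alias server.corp.com to the real record.
        corp["server.corp.com."] = [("CNAME", "server.lan.corp.com.")]
    lan = {
        "dc1.lan.corp.com.": [("A", "10.0.0.1")],
        "server.lan.corp.com.": [("A", "10.0.0.25")],
    }
    return {"corp.com.": corp, "lan.corp.com.": lan}


def closest_zone(name, zones):
    """Most specific hosted zone whose origin is a suffix of name, or None."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def delegation_cut(name, zone, zone_data):
    """If an NS record at or below the zone origin covers name, return
    (cut, ns_list); this is a zone cut the server must refer the client to."""
    labels = name[: -len(zone) - 1].split(".") if name != zone else []
    # Walk the possible cuts from just below the origin down to the name.
    for i in range(len(labels) - 1, -1, -1):
        cut = ".".join(labels[i:]) + "." + zone
        ns = [d for t, d in zone_data.get(cut, []) if t == "NS"]
        if ns:
            return cut, ns
    return None


def lookup(name, zones, chain=None, depth=0):
    """Authoritative answer as (rcode, answer_chain). rcode is NOERROR,
    NXDOMAIN, REFERRAL (delegated to servers we do not host) or REFUSED
    (no hosted zone covers the name; a CNAME to a foreign zone ends here)."""
    name, chain = fqdn(name), list(chain or [])
    zone = closest_zone(name, zones)
    if zone is None:
        return "REFUSED", chain
    cut = delegation_cut(name, zone, zones[zone])
    if cut:
        chain.append((cut[0], "NS", cut[1][0]))
        return "REFERRAL", chain
    for rtype, data in zones[zone].get(name, []):
        if rtype == "A":
            chain.append((name, "A", data))
            return "NOERROR", chain
        if rtype == "CNAME" and depth < 8:  # follow alias, bounded against loops
            chain.append((name, "CNAME", data))
            return lookup(data, zones, chain, depth + 1)
    # Nothing matched: a delegation does not "fall through" to the child zone.
    return "NXDOMAIN", chain


def client_resolve(typed, search_list, zones):
    """Model the DNS client: a single-label name gets each suffix appended in
    order; a name containing dots is sent exactly as typed."""
    if "." in typed.strip("."):
        candidates = [typed]
    else:
        candidates = [f"{typed}.{suffix}" for suffix in search_list]
    for cand in candidates:
        rcode, chain = lookup(cand, zones)
        if rcode == "NOERROR":
            return fqdn(cand), chain[-1][2]
    return None


if __name__ == "__main__":
    suffixes = ["lan.corp.com", "corp.com"]
    plain, aliased = build_zones(False), build_zones(True)
    print(lookup("server.corp.com", plain))           # NXDOMAIN, delegation does not help
    print(lookup("server.corp.com", aliased))         # NOERROR via the CNAME chain
    print(client_resolve("server", suffixes, plain))  # found by suffix search
    parent_only = {"corp.com.": plain["corp.com."]}
    print(lookup("server.lan.corp.com", parent_only))  # REFERRAL to dc1.lan.corp.com
```

The `parent_only` case is Chris's "offload lan.corp.com onto an entirely different server" scenario: only then does the NS record in corp.com actually do any work, because the server has to hand the query off instead of answering from the child zone it also hosts.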
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21772639

You don't particularly need a delegation. Technically it should be there, but practically it won't make a difference.

If you were to offload lan.corp.com onto an entirely different server you would. But, as it is, the server has authority for both and will find the records regardless.

Chris
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21772856
I did think that was the only time it was required - I guess it just makes it fully compliant having it in there though!
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 250 total points
ID: 21773045

Yeah :) Compliance is good for us :)

Chris
0
 

Author Comment

by:rose6060
ID: 21773371
OK... even though it doesn't sound like it is required, I'll do the delegation so that it is fully compliant and use CNAMEs in corp.com to point to records in lan.corp.com as needed.
0
 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 250 total points
ID: 21773387
That sounds like a good plan :-)
0