We help IT Professionals succeed at work.

DNS Zone Lookup Forwarding

I need to internally redirect some host records for our public DNS domain for internal client access but retain dns forwarding for any records that arent hosted internally.

Example: public domain 'company.com.au' is hosted on an external DNS server.

As an example, if I have ftp.company.com.au as a public A record that points to a public IP that is port forwarded through our firewall to an internal ftp server, internal clients cannot connect due to what I assume is a routing issues going out the firewall and back in again. Is this normal?

To get around this traditionally, I have created a duplicate forward lookup zone on our internal DNS servers, and created custom A records that point to the internal server IP's and this works fine.

The thing I am curious about, is should this zone still be able to forward out to the root hint servers for hosts that DNS cannot resolve? Or once I create an internal dns zone, does the lookup end there. I dont want to have to create duplicate A records that match the puclic one's.

Is this by deisgn as not to cause too much issue with your .local domain dns resolution. And if so, is there a way to force it to go external, after it tried an internal lookup, if it cant match DNS on the internal zone? Is this where conditional forwarding would come into play?

addition: Just wanted to add that our internal DNS does not using forwarding, and goes to the root hints.
Watch Question


Once you state that a server is authoritative for a domain, then no there is no need to recurse - it is authoritative, so no need to look any futher.  If the A record isn't present, then it doesn't exist (as far as the authoritative DNS server is concerned - even if exists elsewhere).

So yes, if you have an external DNS server and an internal DNS server hosting the same zone, you'll need to duplicate the entire zone, then change the IP addresses for any of those entries where they should be using the internal address.

Another way to do this is to have a zone per device that is to be accessed internally.

So lets say your domain is domain.com

Right now, on your internal dns server, you have a zone for domain.com, which means any A record www, ftp, mail whatever, would need to be defined whether it uses internal or external addressing.

But lets say the only server that needs internal addressing is mail.domain.com.  Instead of defining a zone for domain.com, you could define a zone called mail.domain.com with a single @ A record pointing to the internal IP address.

As the internal domain server would not be authoritative for domain.com, only mail.domain.com then requests for www.domain.com would follow the hints and get the address for the external name server.

Whether this saves you any time/admin overhead is dependent on how many servers you need to do this for.


That is exactly what im after.

I only need to create 2 internal records. I will do as you suggest and create zones for each device. for example mail.domain.com and ftp.domain.com

Thank you