Solved

How do I set up DNS delegation properly?

Posted on 2010-09-22
16
930 Views
Last Modified: 2012-05-10
We're having a problem because our internal domain is (regrettably) the same as the external domain.  So we have a *subdomain*.*domain*.com that we're trying to access, but because there isn't a record for it internally, we can't access it.

How can I resolve this?  I thought perhaps DNS delegation would solve the problem, but in attempting to set it up I haven't gotten any further ahead.
0
Comment
Question by:SunRype
16 Comments
 
LVL 8

Expert Comment

by:ragnarok89
ID: 33738805
I believe you need to configure DNS forwarders. That way, when your DNS server can't resolve an outside URL, it forwards the request to the forwarders you specified, usually your ISP's DNS.
0
 

Author Comment

by:SunRype
ID: 33738855
Like a conditional forwarder you mean?
0
 
LVL 2

Expert Comment

by:jon47
ID: 33738857
You only need to delegate the subdomain if the DNS server for the subdomain is different to the DNS server for the domain. Since you're talking about delegation, I'll assume that this really is the case.

You need to add NS (and possibly some A) records to your domain.com DNS server.  

This example is lifted from http://technet.microsoft.com/en-us/library/cc739719(WS.10).aspx

For example, let's assume
- your top level domain is fabrikam.com
- your internal domain is fabricorp.fabrikam.com
- your internal DNS server is SEA-FAB-DC01.fabricorp.fabrikam.com at IP 172.16.16.2

for this example you'd need to add to fabrikam.com's DNS server:

fabricorp IN NS SEA-FAB-DC01.fabricorp.fabrikam.com.
SEA-FAB-DC01.fabricorp.fabrikam.com. IN A 172.16.16.2

(note the trailing dots: without them a zone file treats the names as relative to fabrikam.com)

and set up SEA-FAB-DC01 so that it's the DNS server (and probably domain controller too, since I'm guessing you're on Windows 'cos this query was tagged Active Directory) for fabricorp.fabrikam.com
0
 
LVL 5

Expert Comment

by:mooodiecr
ID: 33738863
I am not sure I understand the problem.  Are the computers in domain.com having problems accessing subdomain.domain.com, or the other way around?

Even if the domain names are the same (internal and external), the local DNS server that the clients are using should be integrated with AD and have the private IP addresses available to these clients.  If not, then the DNS server may need to be changed on DHCP or the client machines.  Also, the DNS server that is responding publicly should have the public IPs available and working.  Is there a particular service or application that is failing or does all communication cease?

0
 

Author Comment

by:SunRype
ID: 33738868
I am in Windows.  I only have the one DNS server though... The website is hosted externally and the DNS servers I want to use are the ISP's...
0
 

Author Comment

by:SunRype
ID: 33738900
Okay, our PCs here cannot access flim.flam.com, because flam.com is our internal domain, and also the domain of our external website.  We have a "www" CNAME record internally so that we can access www.flam.com, but we also need to access flim.flam.com and I'm not sure how to set that up.
0
 
LVL 2

Expert Comment

by:jon47
ID: 33738936
Sounds like you need to add the NS and A records to your ISP's DNS configuration in your domain, if they let you (some don't).  To keep with my example...

So fabrikam.com should be served by your ISP.

your internal servers should call themselves fabricorp.fabrikam.com.

This should just work, provided that you don't try to make *any* internal server serve DNS for fabrikam.com.  If you do, then you'll end up losing access to your external sites.  However, if you want, you can run different and inconsistent DNS servers for fabrikam.com internally and externally.  You'll just have to add A records for the external systems to your internal DNS (by hand) and then it should work.
0
 
LVL 2

Expert Comment

by:jon47
ID: 33738939
so is there an entire domain flim.flam.com, or is it just a host?
0
 

Author Comment

by:SunRype
ID: 33738954
flim.flam.com is a subdomain of flam.com, which is hosted externally.  It also happens to (by someone else's poor choice) be our internal domain as well.  We have lots of stuff internally that is using *something*.sunrype.com, so we can't have all that DNS externally hosted.

Basically I want, internally, for everything to query our internal DNS server, except I guess for flim.flam.com.  Or at least for our internal DNS server to say "I dunno where flim.flam.com is, go ask *ISP's DNS server*" which isn't currently happening.  Nslookup on flim.flam.com just times out currently.
0
 
LVL 2

Expert Comment

by:jon47
ID: 33739019
Ah.  Then you need to setup the NS records on your *internal* server to delegate to your external server.

For the sake of argument, let's assume that your ISP hosts your flim.flam.com DNS at a couple of servers, called ns1.isp.com, ns2.isp.com  (you need to find out what the DNS servers are called - more the better)

then on your internal DNS server, add

flim.flam.com IN NS ns1.isp.com
flim.flam.com IN NS ns2.isp.com

You won't need the A records, because ns1.isp.com etc. should resolve through DNS at isp.com.
you *will* still need to add any records for *host*.flam.com, and maintain these by hand.

0
 

Author Comment

by:SunRype
ID: 33739049
Sorry, what type of records are those?
0
 
LVL 2

Expert Comment

by:jon47
ID: 33739068
actually, let's make it a little easier - assuming that blacksun.ca hosts your subdomain too, you would add these two records to your internal DNS:

flim.sunrype.com IN NS ns1.blacksun.ca.
flim.sunrype.com IN NS ns2.blacksun.ca.

I made a mistake earlier - don't miss out the dot on the end of the isp server name!

I derived this using dig, which digs into DNS servers and is part of the BIND distribution (http://www.isc.org/software/bind) - it runs on windows too.  It's invaluable for working out what's broken (and what works) in DNS.


; <<>> DiG 9.7.0-P1 <<>> NS sunrype.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65526
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sunrype.com.                   IN      NS

;; ANSWER SECTION:
sunrype.com.            890     IN      NS      ns1.blacksun.ca.
sunrype.com.            890     IN      NS      ns2.blacksun.ca.
0
 
LVL 2

Expert Comment

by:jon47
ID: 33739086
> what type of records are those?

they're NS records... but, erm, that's not very helpful ;-)  if you can tell me what version of windows you're using, I can probably point you a little closer to where you put this.
0
 

Author Comment

by:SunRype
ID: 33739104
It's Server 2003.
0
 
LVL 2

Accepted Solution

by:jon47 (earned 500 total points)
ID: 33739196
I don't have server 2003 to hand, but it looks like you need to create what it calls a "delegation".  The domain you're delegating will be flim (the fully qualified name should come out as flim.sunrype.com) and the server you're delegating to will be ns1.blacksun.ca

There's a video of someone creating a delegation here: http://www.youtube.com/watch?v=QQ5FSOU2caI 

It's a while since I played with Server 2003; it may be possible to use the "other new records" menu item to create the NS records by hand.  If so, that might work better.
0
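The delegation from the accepted answer, done from the command line rather than the DNS MMC "New Delegation" wizard, as an added example that is not part of the thread. It uses dnscmd.exe (Windows Server 2003 Support Tools) to add the NS records jon47 lists, and nslookup.exe to confirm the internal server now hands the flim subtree off to the ISP. The same function covers the earlier fabrikam.com -> fabricorp delegation, where the delegated server is internal and needs a glue A record. The zone and name-server names are the ones from the thread (the dig output above); "localhost" as the server and the 203.0.113.x forwarder addresses are assumptions.

```powershell
# Added example (not from the thread): create and verify a DNS delegation on a
# Windows Server 2003 DNS server with dnscmd.exe and nslookup.exe.
# Assumptions: runs on the DNS server itself ('localhost'); 203.0.113.53/54 are
# placeholders for the ISP's recursive resolvers.

function Add-ZoneDelegation {
    param(
        [string]$Server,       # DNS server to administer
        [string]$Zone,         # parent zone held locally, e.g. sunrype.com
        [string[]]$NameServer, # FQDNs of the servers that host the child zone
        [string]$Label         # child label being delegated, e.g. flim
    )
    foreach ($ns in $NameServer) {
        # A name without a trailing dot is taken as relative to the zone, which is
        # the mistake jon47 corrected above: the records must read
        #   flim.sunrype.com IN NS ns1.blacksun.ca.
        if (-not $ns.EndsWith('.')) { $ns = "$ns." }
        # dnscmd [<server>] /RecordAdd <zone> <node> <type> <data>
        & dnscmd.exe $Server /RecordAdd $Zone $Label NS $ns
        if ($LASTEXITCODE -ne 0) { throw "dnscmd could not add NS $ns at $Label.$Zone" }
    }
}

$DnsServer = 'localhost'

# 1. Prerequisite: after the delegation, a query for anything under flim is
#    answered by the internal server *chasing the referral itself*, so recursion
#    must be on and the server needs a path to the Internet (forwarders or
#    working root hints) to look up ns1/ns2.blacksun.ca.
& dnscmd.exe $DnsServer /Config /NoRecursion 0
# Only if the server has no working forwarders yet (this REPLACES the list):
# & dnscmd.exe $DnsServer /ResetForwarders 203.0.113.53 203.0.113.54

# 2. The delegation from the accepted answer.
Add-ZoneDelegation -Server $DnsServer -Zone 'sunrype.com' -Label 'flim' `
                   -NameServer @('ns1.blacksun.ca', 'ns2.blacksun.ca')

# 3. Check what the server now holds at the child node ...
& dnscmd.exe $DnsServer /EnumRecords sunrype.com flim /Type NS

# ... and that a client-style query is referred out to the ISP. The NS query
#     shows the delegation; the plain query is the one that used to time out.
nslookup -type=NS flim.sunrype.com. $DnsServer
nslookup flim.sunrype.com. $DnsServer

# The fabrikam.com example from earlier in the thread is the same operation, but
# the delegated server is internal, so the parent zone also needs a glue A record
# or the referral cannot be followed:
# Add-ZoneDelegation -Server $DnsServer -Zone 'fabrikam.com' -Label 'fabricorp' `
#                    -NameServer 'SEA-FAB-DC01.fabricorp.fabrikam.com'
# & dnscmd.exe $DnsServer /RecordAdd fabrikam.com SEA-FAB-DC01.fabricorp A 172.16.16.2
```

Three things to keep in mind once this is in place. The internal server is still authoritative for everything else under sunrype.com, so the delegation fixes only flim and below; www and any other public host still have to be copied into the internal zone by hand, as jon47 says. The delegation goes stale if the ISP ever renames its servers, so compare the output of "dig NS sunrype.com" against the internal NS records from time to time. And resolution of flim.* now depends on the internal DNS server being allowed to reach outside resolvers, which is an egress firewall rule, not just a DNS setting.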
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33741848

You were right with New Delegation, it's not hidden under other records :)

Chris
0
