Server 2008 DNS - Dual Instances?

I have a client that, without going into all the details of WHY they would like this, here's what we are trying to accomplish.

We have 6 branch offices connected back to one main office. All computers/offices are using Active Directory servers back at the main office.

There are two AD servers that also host their DNS.  What this customer would like to accomplish is the following.

If the main office makes a DNS request not in their local DNS zone, forward it out to ISP DNS servers.
If any branch server makes a DNS request not in their local DNS zone, forward it out to OpenDNS Servers.

Goal: not to add any more physical servers (not a VM shop yet) and keep both servers available to the local office.

We can't have all forwarders point to either location; they'd like to split them based on source network.

Right now, I've done a lot of reading on this and it doesn't seem possible to accomplish what they would like to do with a Windows DNS server, but I wanted to toss it out to EE and see if someone has some trickery up their sleeve.

If we cannot find a solution this way, I am thinking that we will recommend they bring up a third DNS server and point the branch offices to that and have it forward to OpenDNS and leave the two main servers at the main office pointing to the ISP DNS.

Thanks for your time.

3 Solutions
Chris Dent (PowerShell Developer) commented:
I'm afraid you're right. It's not possible using MS DNS.

Chris Dent (PowerShell Developer) commented:
In fact, come to think of it, I think even BIND cannot do this. And even if it could, you'd have horrible difficulty separating the cache. I think you'd have to make another DNS server no matter what you look at using.

One possible workaround is to use static/custom HOSTS files on the branch workstations. I have had to do this kind of workaround for various reasons/requirements in the past. Basically you can roll out local HOSTS files to all your branch workstations that contain the DNS/IP info for local net resources. Then you can have the DHCP scope give out the OpenDNS server to the branches. Or if they are static you can just simply put in the OpenDNS server information. Now this will create a lot more administrative overhead (obviously) than automating it using another MS DNS box. However, this will allow you to achieve your goal without having to add any more servers. If you have a lot of workstations at the various branches you can always use a batch file/script to implement the HOSTS file process.
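
As an added illustration of the HOSTS-file workaround described above (example code written for this page, not posted by the answerer), the script below keeps a marked, managed block of local-resource entries in the workstation's HOSTS file so it can be re-run from a logon script or scheduled task without duplicating lines. The hostnames and addresses are constructed placeholders.

```powershell
# Added example: maintain a managed block of branch HOSTS entries (not from the thread).
# All names and addresses below are constructed placeholders.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Begin     = '# BEGIN branch-managed entries'
$End       = '# END branch-managed entries'

# Local resources the branch workstations must still reach by name once their
# resolver is OpenDNS rather than the main-office AD DNS servers.
$Entries = @{
    'fileserver.corp.example' = '10.10.0.20'
    'intranet.corp.example'   = '10.10.0.30'
    'printserver.corp.example' = '10.10.0.40'
}

function Update-ManagedHosts {
    param([string]$Path, [hashtable]$Map)

    $existing = if (Test-Path $Path) { Get-Content $Path } else { @() }

    # Drop any previous managed block so repeated runs never append duplicates;
    # everything outside the markers (the stock localhost lines, manual entries) is kept.
    $keep = @()
    $inside = $false
    foreach ($line in $existing) {
        if ($line -eq $Begin) { $inside = $true;  continue }
        if ($line -eq $End)   { $inside = $false; continue }
        if (-not $inside)     { $keep += $line }
    }

    # Rebuild the block, sorted by name so diffs between rollouts stay readable.
    $block = @($Begin)
    $block += $Map.GetEnumerator() | Sort-Object Name | ForEach-Object {
        '{0,-16} {1}' -f $_.Value, $_.Name
    }
    $block += $End

    # HOSTS must be plain ASCII; a BOM or UTF-16 file is silently ignored by the resolver.
    Set-Content -Path $Path -Value ($keep + $block) -Encoding ASCII
}

Update-ManagedHosts -Path $HostsPath -Map $Entries
```

Run it elevated (the HOSTS file is writable only by administrators), then hand out the OpenDNS resolvers to the branch through DHCP option 006 as the answer suggests. One caveat to weigh before choosing this route: a HOSTS file can only carry A/AAAA names, so domain-joined branch machines that point solely at OpenDNS lose the SRV records they use to locate domain controllers (domain logon, Group Policy, Kerberos), unless the main-office AD DNS servers remain reachable as a resolver.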

Leon Fester (Senior Solutions Architect) commented:
For both sites, if the DNS entry does not exist in local DNS then forward the request to outside DNS.
I cannot understand why they can't use the same external DNS servers?

P.S. You don't need to be running a DC to enable the DNS Server role.
Are there any other servers currently available that you could configure as a DNS server to the Branch offices?

You can then setup as required, with forwarders to the OpenDNS Servers.
You cannot set up this server as AD-integrated, but you can easily set up a stub zone for referencing the integrated servers.

Chris Dent (PowerShell Developer) commented:
> I cannot understand why can't they use the same external DNS servers?

Probably because OpenDNS does filtering (if you want it).

maxtexgr (Author) commented:
> Probably because OpenDNS does filtering (if you want it).

Chris, you're correct. They have an on-site content filter at their main office and want to use the content filtering for the remote offices. Since all DNS forwarding requests are coming from the main office DNS servers, it filters everything. They'd like to have different rules for the main and branch offices.

Thanks for the replies guys, I am going to recommend bringing up a third DNS server to do what they want (thanks for the stub-zone comment dvt, I'll have to look into that).

Chris Dent (PowerShell Developer) commented:
I'd go with Secondary rather than Stub, less DNS traffic between sites. The only change I'd make is to up the Expire interval in the SOA record to something reasonable (like a month).

maxtexgr (Author) commented:
I did some research based on the comments and will be going with a Secondary Zone recommendation on another Server (that they already have in production).

I will be getting with the customer and discussing it today, thanks for the info everyone.
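
To show what the design settled on above looks like in practice (an added example for this page, not the author's or answerers' own script), the dnscmd sequence below stands up the branch-facing DNS server as a secondary for the AD zones with forwarders to OpenDNS, while the main-office servers keep forwarding to the ISP. All hostnames and addresses are constructed placeholders; the OpenDNS addresses are the public resolver IPs, and the ISP addresses are RFC 5737 documentation space.

```powershell
# Added example: branch secondary-zone + split forwarders using dnscmd (Server 2008 era tooling).
# Every name and address here is a constructed placeholder, not from the thread.
$Domain     = 'corp.example'                         # AD DNS zone name
$Primary    = 'dc1.corp.example'                     # AD-integrated DNS server, main office
$PrimaryIPs = '10.10.0.1', '10.10.0.2'               # both main-office DCs act as masters
$Branch     = 'branchdns.corp.example'               # existing member server that gets the DNS role
$BranchIP   = '10.20.0.5'
$IspDns     = '198.51.100.53', '198.51.100.54'       # ISP resolvers (documentation addresses)
$OpenDns    = '208.67.222.222', '208.67.220.220'     # OpenDNS public resolvers

# _msdcs.<domain> is delegated as its own zone on 2003+ forests; branch clients need it for
# DC locator (SRV) records, so it must be replicated alongside the domain zone.
$Zones = $Domain, "_msdcs.$Domain"

# 1. Main office: keep forwarding unmatched queries to the ISP, and allow zone transfers
#    (and change notifications) only to the branch server rather than to any host.
& dnscmd $Primary /ResetForwarders $IspDns
foreach ($z in $Zones) {
    & dnscmd $Primary /ZoneResetSecondaries $z /SecureList $BranchIP /NotifyList $BranchIP
}

# 2. Branch server: install the DNS Server role (ServerManager module, 2008 R2; on 2008 RTM
#    use 'servermanagercmd -install DNS'), pull secondary copies of the AD zones, and send
#    everything else to OpenDNS. /Slave stops the server falling back to root hints, so the
#    branch path always goes through the filtered resolvers.
Invoke-Command -ComputerName $Branch -ScriptBlock {
    Import-Module ServerManager
    Add-WindowsFeature DNS
}
foreach ($z in $Zones) {
    & dnscmd $Branch /ZoneAdd $z /Secondary $PrimaryIPs /File "$z.dns"
}
& dnscmd $Branch /ResetForwarders $OpenDns /Slave

# 3. Checks: the secondary must have loaded (i.e. the transfer succeeded), DC locator
#    records must be answered from the branch copy, and an external name must resolve
#    via the OpenDNS forwarders rather than failing or leaking to the ISP path.
& dnscmd $Branch /ZoneInfo $Domain
& nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Domain" $BranchIP
& nslookup www.example.com $BranchIP
```

The SOA expire interval Chris mentions is inherited from the primary, so raise it on the main-office zone (zone properties, Start of Authority tab, "Expires after") rather than on the branch server; with a month-long expiry the branch copy keeps answering if the WAN link is down for a while instead of going dead after the default week. Finally, point the branch DHCP scopes (option 006) at the branch server so only branch clients take the OpenDNS path.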