Solved

Set two DNS, Private and Public in clients to query from

Posted on 2013-01-09
611 Views
Last Modified: 2013-01-09
When I set the local DNS as the primary DNS on any NIC and try to resolve a public FQDN, it simply doesn't find it unless I add it to the private DNS, even though I have a public DNS set up along with the private one, but as a secondary.

Is there any way to get public names that are not entered in the private DNS to resolve using the public DNS?

For example, I have domain.local resolving to 192.168.1.240
and domain.public.com should resolve to something like xx.0.52.12
but the public domain is not resolving!

My current DNS settings in the NIC are
192.168.1.170 < Local DNS server and primary
8.8.8.8 < Google DNS Server - secondary

Thanks.
Question by:Mohammed Hamada
6 Comments
 
LVL 16

Accepted Solution

by:
PaciB earned 500 total points
ID: 38758039
Hi,

First of all, if you add several DNS servers in the IP settings on a client computer, these DNS servers MUST contain exactly the same DNS zones.
NEVER add several DNS servers that do not have the same content! NEVER! The DNS protocol and DNS client behavior are not built for that goal.

Typically, having a primary DNS server that resolves internal names and a secondary server that resolves external names cannot work... It seems to work at the beginning, but in fact it does not. If you add more than one DNS server in your IP settings, IT IS ONLY for high availability of DNS resolution, IT IS NOT to resolve more names!


Ok so, now, to be able to resolve external names by interrogating only your internal DNS servers, you only have to add "forwarders" on your internal DNS server.
"Forwarders" are used by the DNS server for any request that does not match any DNS zone hosted by the server. "Forwarders" should contain the IP addresses of external DNS servers, and of course your internal DNS server must be able to reach external DNS servers. This may require opening the DNS port on some firewalls.

As an example, let's say your internal DNS server hosts the DNS zone "myinternaldomain.com" for your AD domain. You want to be able to resolve any external name.
On your DNS server you add "forwarders" that point to external DNS servers.
On a client computer, you only interrogate your internal DNS server. From this client if you want to resolve an external name (let's say www.microsoft.com) the computer will only ask the internal DNS server.
The internal DNS server receives the request for "www.microsoft.com". It realizes that this is for a DNS zone that is not hosted locally. The DNS server will then submit the request to the "forwarders" and wait for an answer.
When the answer comes, the internal DNS server takes it and gives it back to the client computer. The client computer NEVER has to interrogate external DNS servers directly, and MUST NEVER HAVE TO.


Have a good day.
0
 
LVL 23

Author Comment

by:Mohammed Hamada
ID: 38758393
Thanks for the detailed explanation. Right now my DNS server has internet access in order to resolve and forward external DNS queries to internal clients.

Is there any way that the DNS will work without internet and still resolve and forward external DNS queries to internal clients?
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38758446
If you don't have the capability to reach an external DNS... it cannot resolve an external DNS request.

So the last DNS becomes 'the end of the line'.
An authoritative DNS is saying "I have these 'machines' in my view... under me".
If the DNS is not authoritative, it must forward the request to someone else who can answer the request.

Once it 'visits' an external site it can learn where to send requests.

And if you have more space than you will ever need, you could try to store all the DNS info from a public DNS server (not a good idea).
0

 
LVL 23

Author Comment

by:Mohammed Hamada
ID: 38758468
So in this case, internet must be available on the DNS server for external DNS reach?
0
 
LVL 23

Author Closing Comment

by:Mohammed Hamada
ID: 38758473
Thanks.
0
 
LVL 16

Expert Comment

by:PaciB
ID: 38758511
Hi again,

Not sure I really understand your last question... How could the server resolve external names without access to external DNS servers?!?!! If this is your question, the answer is NO, of course NO.

If your question is "how can the internal DNS server resolve SOME external names without access to external DNS servers?", then the answer is yes, it's possible. What you have to do is create the DNS zone on your internal DNS server and create the requested record.
As an example, let's suppose I want my internal DNS server to be able to resolve one particular external DNS name (let's say www.mycompany.com should be resolved to 1.2.3.4).
I'll then create a new DNS zone named "www.mycompany.com" on my internal DNS server, and in this zone I will create a new host (A) record with a blank name and type the IP address 1.2.3.4.
0
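The following is an added model (not code from the thread or from any DNS product) of the three behaviours discussed above: why a public DNS listed as secondary on the NIC never answers names the primary does not know, how forwarders on the internal server fix that, and how PaciB's zone-named-after-the-FQDN trick resolves one external name with no internet at all. The addresses 192.168.1.170, 192.168.1.240, 8.8.8.8 and 1.2.3.4 come from the thread; 192.0.2.12 is a constructed placeholder for the masked public IP, and the client logic is a simplified stub resolver that, like Windows, only moves to the secondary server on a timeout.

```python
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"   # "name does not exist": a definitive answer, not a timeout


@dataclass
class DnsServer:
    """A DNS server that is authoritative for some zones and forwards everything else."""
    address: str
    zones: dict                                     # zone name -> {host label or "@": IPv4}
    forwarders: list = field(default_factory=list)  # upstream DnsServer objects, tried in order
    reachable: bool = True                          # False models a timeout (no route / port 53 blocked)

    def resolve(self, fqdn: str) -> str:
        labels = fqdn.lower().rstrip(".").split(".")
        # Longest-suffix match: a locally hosted zone is answered authoritatively,
        # so a missing host in domain.local is NXDOMAIN and is never forwarded.
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.zones:
                host = ".".join(labels[:i]) or "@"   # "@" is the blank-name (apex) record
                return self.zones[zone].get(host, NXDOMAIN)
        # Not hosted here: hand the query to the first forwarder that answers.
        # (Root-hint recursion is deliberately not modelled.)
        for upstream in self.forwarders:
            if upstream.reachable:
                return upstream.resolve(fqdn)
        return NXDOMAIN


def client_resolve(nic_servers: list, fqdn: str) -> str:
    """Simplified Windows-style stub resolver: the secondary DNS is used only when the
    primary times out. An NXDOMAIN from the primary is accepted as final, which is why
    listing 8.8.8.8 as secondary never helps resolve names the primary does not know."""
    for server in nic_servers:
        if server.reachable:
            return server.resolve(fqdn)
    return "SERVFAIL"   # no server answered at all


def lab(forwarders: bool, internet: bool, pinned: bool) -> list:
    """Constructed copy of the thread's setup: 192.168.1.170 hosts domain.local and
    8.8.8.8 knows public.com. 192.0.2.12 is a placeholder for the masked public IP."""
    google = DnsServer("8.8.8.8", {"public.com": {"domain": "192.0.2.12"}}, reachable=internet)
    internal = DnsServer("192.168.1.170", {"domain.local": {"@": "192.168.1.240"}})
    if forwarders:                 # the accepted answer's fix: forwarders on the internal server
        internal.forwarders.append(google)
    if pinned:                     # PaciB's second comment: zone named after the FQDN, apex A record
        internal.zones["www.mycompany.com"] = {"@": "1.2.3.4"}
    return [internal, google]      # NIC order: primary, then secondary
```

Calling `client_resolve(lab(False, True, False), "domain.public.com")` reproduces the asker's failure (NXDOMAIN with 8.8.8.8 never consulted), while `lab(True, ...)` returns the public address through the forwarder.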