Solved

DNS resolution across domains

Posted on 2015-02-04
4
156 Views
Last Modified: 2015-04-08
I have 2 domains. PRODUCTION.COM is one domain and TEST.COM is another domain. There is a one-way trust, allowing PRODUCTION.COM users to have access to TEST.COM. I have a particularly weird issue with DNS that I cannot explain. I have two DNS servers for each domain. The client machines on TEST.COM use the TEST.COM DNS servers for DNS resolution. On the TEST.COM DNS server, I have forward lookup zones for both TEST.COM and PRODUCTION.COM. Each DNS server in TEST.COM has forwarders configured to the PRODUCTION.COM DNS servers. The DHCP server is sending option 015 to each client machine with the value TEST.COM and nothing else.

Users are reporting that at one point, users connected to client machines within TEST.COM could resolve short names for hosts in PRODUCTION.COM. An example of this might be SITE1 automatically resolving to SITE1.PRODUCTION.COM. From my knowledge of DNS, I cannot figure out how the user was able to resolve PRODUCTION.COM DNS names by short name without a FQDN. The user's NIC and DNS settings are all default; they are not statically mapping the DNS suffixes in their NIC configuration. Apparently this functionality just stopped working, but as far as I can tell the configuration does not support their claims that it used to resolve short DNS names.

What could potentially be enabled to allow the user to resolve these names via short name? Obvious answers would be if option 15 was manipulated to push PRODUCTION.COM as the DNS server, the server was joined to PRODUCTION.COM instead of TEST.COM, or their NIC settings had a manual mapping to PRODUCTION.COM.
0
Question by:jbla9028
4 Comments
 
LVL 39

Expert Comment

by:footech
Perhaps with NetBIOS broadcasts? That would depend on your network topology though.

My question would be do you really want this to happen?  If someone wants to access a machine in another domain I say they should have to use the FQDN.

There could have been a CNAME entry in the TEST.COM zone that pointed to an entry in the PRODUCTION.COM zone.  You can configure multiple DNS suffixes to search with Group Policy.  You would not want to change DHCP Option 15.
0
 
LVL 1

Author Comment

by:jbla9028
I agree that I do not want this. The test team is arguing that a change was recently made to prevent previous functionality. I am more curious as to what caused it to work in the first place. I thought it could be a NetBIOS broadcast. I have some more info that was perplexing. If I have a client machine that belongs to PRODUCTION.COM but is in a VLAN that uses DHCP, and option 015 for TEST.COM is propagated and the DNS servers are pointing to the DNS servers for TEST.COM, the client machine can actually resolve both PRODUCTION.COM and TEST.COM. I ran Wireshark and the trace shows the client machine actually sent a request for SITE1.PRODUCTION.COM, even though I asked to resolve just SITE1.
0
 
LVL 25

Accepted Solution

by:DrDave242
DrDave242 earned 250 total points
If that client is a member of the PRODUCTION.COM domain, it's normal for it to use that domain name as its primary DNS suffix, so it will be one of its search suffixes. If you run ipconfig /all on the client and look near the top of the output, what's listed in the DNS Suffix Search List?
0
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
Could be LLMNR resolution (Local Link Multicast Name Resolution), which machines can use when a DNS server is not available or unable to resolve a name. Otherwise, do you have a WINS server around anywhere? The easiest thing to do would be to capture the DNS traffic and have a look in Wireshark as to how the request is being answered.
0
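The two answers above point at different resolution paths: the primary DNS suffix and suffix search list that DrDave242 asks about (visible in ipconfig /all), and the LLMNR, NetBIOS broadcast and WINS fallbacks that footech and Learnctx mention. The following PowerShell script is an added example, not code from the thread or from any of its participants; it gathers those settings on a client and then resolves the short name from the question (SITE1) once via DNS only and once via LLMNR/NetBIOS only, so the name in the DNS answer shows which suffix the resolver appended (the SITE1.PRODUCTION.COM query seen in the Wireshark trace). It assumes Windows 8 / Server 2012 or later with the built-in DnsClient module; the registry paths and WMI class it reads are the standard ones and are not specific to this thread.

```powershell
# Added diagnostic (not from the thread): report the client settings that
# turn a short name such as SITE1 into SITE1.PRODUCTION.COM, then show which
# resolution path (DNS suffix search vs. LLMNR/NetBIOS) actually answers.
# Requires the DnsClient module (Windows 8 / Server 2012 and later).
function Get-ShortNameResolutionReport {
    [CmdletBinding()]
    param(
        # Short name to test; SITE1 is the example used in the question.
        [string]$ShortName = 'SITE1'
    )

    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

    # Primary DNS suffix: set when the machine joins a domain. A PRODUCTION.COM
    # member keeps PRODUCTION.COM here even when DHCP option 15 says TEST.COM,
    # and the resolver appends it before the connection-specific suffix.
    $primarySuffix = (Get-ItemProperty -Path $tcpip -ErrorAction SilentlyContinue).'NV Domain'

    # Effective suffix search list and devolution as the resolver sees them.
    $global = Get-DnsClientGlobalSetting

    # Group Policy can push its own SearchList and can disable LLMNR
    # (EnableMulticast = 0). The key is absent when no such policy applies.
    $pol = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

    # Per-adapter view: DHCP option 15 lands in DNSDomain; NetBIOS over TCP/IP
    # (0 = via DHCP, 1 = enabled, 2 = disabled) and the WINS server decide
    # whether a broadcast or WINS lookup is possible at all.
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [PSCustomObject]@{
                Adapter          = $_.Description
                ConnectionSuffix = $_.DNSDomain
                DnsServers       = ($_.DNSServerSearchOrder -join ', ')
                NetbiosOption    = $_.TcpipNetbiosOptions
                WinsPrimary      = $_.WINSPrimaryServer
            }
        }

    # Ask the resolver twice: DNS only (suffix search applies) and
    # LLMNR/NetBIOS only. Whichever returns an address is the path in use;
    # the Name on a DNS answer reveals which suffix was appended.
    $dnsAnswer = Resolve-DnsName -Name $ShortName -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object IPAddress | Select-Object -First 1
    $lanAnswer = Resolve-DnsName -Name $ShortName -Type A -LlmnrNetbiosOnly -ErrorAction SilentlyContinue |
        Where-Object IPAddress | Select-Object -First 1

    [PSCustomObject]@{
        ShortName              = $ShortName
        PrimaryDnsSuffix       = $primarySuffix
        SuffixSearchList       = ($global.SuffixSearchList -join ', ')
        UseDevolution          = $global.UseDevolution
        PolicySearchList       = $pol.SearchList
        LlmnrDisabledByPolicy  = ($pol.EnableMulticast -eq 0)
        Adapters               = $adapters
        DnsResolvedTo          = if ($dnsAnswer) { "$($dnsAnswer.Name) -> $($dnsAnswer.IPAddress)" } else { 'no DNS answer' }
        LlmnrNetbiosResolvedTo = if ($lanAnswer) { "$($lanAnswer.Name) -> $($lanAnswer.IPAddress)" } else { 'no LLMNR/NetBIOS answer' }
    }
}

# Run on the client that reportedly resolved the short name.
Get-ShortNameResolutionReport -ShortName 'SITE1' | Format-List
```

If DnsResolvedTo shows SITE1.PRODUCTION.COM while the adapter's ConnectionSuffix is TEST.COM, the PrimaryDnsSuffix (domain membership) or a policy SearchList explains the behaviour, which matches the accepted answer. If the DNS lookup fails but LlmnrNetbiosResolvedTo has an address, the name is being answered by LLMNR, a broadcast or WINS, which is the case footech and Learnctx describe and one most administrators would rather disable than rely on.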