
Using public DNS but need to access local domain???

jdff asked:
I was wondering if there is a way to use public DNS settings on a workstation that is a member of a local domain and still query the domain controller.

I'm looking to use OpenDNS filtering on a couple of computers in our network, but the minute I change the DNS settings on the workstation to point to OpenDNS, I cannot query the local domain controller anymore. Is there a way to use a public DNS configuration for the Internet traffic but still query the local DNS server for local traffic?

it_saige (Developer, Distinguished Expert 2019)

Commented:
Short answer is no.  However, what you can do is subject the entire network to use OpenDNS by having the internal DNS server use the OpenDNS server as a forwarder.

-saige-
DrDave242 (Principal Support Engineer)

Commented:
"Just an idea, I do not know if it will work. But have you tried setting the Primary DNS server to OpenDNS while the secondary points to the local server!?"
This won't work. An alternate DNS server is only queried if the preferred server doesn't respond, not if it responds negatively. In that scenario, as long as the OpenDNS server was reachable and continued to respond to queries, the local server would never be queried.

The OpenDNS servers are never going to have information about the machines within your domain. The approach mentioned by it_saige is the only feasible solution: configure all of your domain-joined machines to use only your internal DNS server, and use OpenDNS servers as forwarders.

Author

Commented:
DrDave and it_saige, if I do as you say and configure the OpenDNS servers under forwarders, my entire network will be filtered, since all computers will have to go through OpenDNS. This is what I'm trying to avoid; I'm trying to filter only a couple of computers.
DrDave242 (Principal Support Engineer)

Commented:
Ah. In that case, I'm afraid I can't think of a practical way to make it work.

If you're interested in an impractical way: Configure a second DNS server. Either put it on another DC and use AD-integrated zones or put it on something else and configure zone transfers to replicate the zones from the first DNS server. Configure forwarders on the new DNS server to use OpenDNS servers. Configure only the clients you wish to filter to use this new DNS server and no other. This way, only those clients' Internet queries will go through OpenDNS, and the other clients will keep working as they have.
it_saige (Developer, Distinguished Expert 2019)

Commented:
Agreed with Dave.  You could accomplish what you want by adding another DNS server and specifying this server for only those clients you want to use OpenDNS.

-saige-
Top Expert 2014

Commented:
I agree with Dave too... you'd need a new DNS server which forwards to OpenDNS.  Point the filtered clients at the new DNS server... job done.

Author

Commented:
It looks doable. Does anyone know if I can install a third-party DNS server on my current Windows domain controller DNS? My idea was to use the secondary NIC from the server for the second DNS server and then do a zone transfer with forwarders. Not sure if it's possible, but it would be a great solution.
Top Expert 2014

Commented:
I wouldn't.  You need active-directory integration, otherwise your clients won't be able to locate SRV records.  You'll just be back to square one then.

Author

Commented:
But DrDave said that I could do it either way, via an AD-integrated zone or a zone transfer, which is what I'm asking. Can you clarify it?
Top Expert 2014

Commented:
Ah sorry, misunderstood...

Yes, you can do a secondary zone transfer to another instance of a DNS server running on the same machine.  Put the second IP on the same NIC as the existing IP though.  You'd need to transfer both the domain name zone and the _msdcs.domain zones.

Author

Commented:
Ok, so it can be done without the installation of another DNS server? If so, can you please describe the steps in order to achieve a resolution? Thank you.

Author

Commented:
No ideas?
Top Expert 2014
Commented:
Configure a secondary IP on the NIC on the server.
Configure the two forward-lookup zones to allow zone-transfers to the secondary IP address.
Install a second instance of a DNS server on the existing AD-DNS server.
Configure the bindings of each DNS server to use their own specific IP addresses.
Configure each DNS zone as a secondary zone on the new DNS instance.
Configure the secondary DNS instance to forward to OpenDNS.
Point the filtered clients to the secondary IP for DNS.
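The Windows side of the seven steps above, together with the two zones named in the earlier post (the domain zone and _msdcs.domain), as an added PowerShell example that is not from any of the posters. Assumed values: domain corp.example, existing DC address 10.0.0.10 on a /24, new secondary address 10.0.0.11, NIC alias "Ethernet"; the third-party instance itself is configured in its own product, so those steps appear only as comments.

```powershell
# Added example (not from the thread). Assumed values: domain corp.example,
# DC/primary DNS IP 10.0.0.10, new secondary IP 10.0.0.11 (/24), NIC "Ethernet".
# Run in an elevated PowerShell session on the AD-DNS server unless noted.

$Domain      = 'corp.example'
$PrimaryIp   = '10.0.0.10'    # existing DC address; Windows DNS keeps this one
$SecondaryIp = '10.0.0.11'    # new address; the third-party DNS instance binds here
$Nic         = 'Ethernet'

# Step 1: add the second IP to the same NIC (not a second NIC).
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $SecondaryIp -PrefixLength 24

# Step 2: allow both AD zones to transfer to the secondary instance only.
# Both zones are needed; without _msdcs the filtered clients cannot find
# the DC locator SRV records and are "back to square one".
foreach ($zone in @($Domain, "_msdcs.$Domain")) {
    Set-DnsServerPrimaryZone -Name $zone `
        -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $SecondaryIp
}

# Step 4 (Windows side): bind the built-in DNS server to the primary IP only,
# so the second instance can own UDP/TCP 53 on the secondary IP.
# Legacy equivalent: dnscmd /ResetListenAddresses $PrimaryIp
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([System.Net.IPAddress]$PrimaryIp)
Set-DnsServerSetting -InputObject $settings
Restart-Service -Name DNS

# Steps 3, 5, 6 happen in the third-party product's own configuration:
# install it, bind it to $SecondaryIp, create $Domain and _msdcs.$Domain as
# secondary zones with master $PrimaryIp, and forward everything else to
# the OpenDNS resolvers (208.67.222.222 and 208.67.220.220).

# Checks, run from any domain member: the new instance must answer for the
# DC locator SRV record (AD zone transfer works) and must still resolve
# Internet names (forwarding to OpenDNS works).
Resolve-DnsName -Server $SecondaryIp -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain"
Resolve-DnsName -Server $SecondaryIp -Type A   -Name 'www.opendns.com'

# Step 7, on each client that should be filtered: use only the new instance,
# never the primary as an alternate (an alternate is used only when the
# preferred server does not respond at all).
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $SecondaryIp
```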
DrDave242 (Principal Support Engineer)

Commented:
I believe this will work. Microsoft cautions against multihoming a DC (using more than one NIC) in general, but since both NICs will be bound to separate DNS services that contain the same records and both will be reachable on the local subnet, I don't see a problem. You'll want to do some testing of this configuration, of course, but I can't think of a reason why it wouldn't work.
Top Expert 2014
Commented:
Just put both IPs on the same NIC.

Author

Commented:
Craig, how can you install a second instance of DNS server on the domain controller? I've never seen that, please explain.
Top Expert 2014

Commented:
You said it yourself... Install a 3rd party DNS server app.

Author

Commented:
I haven't found one. Do you know of any?
Top Expert 2014
Commented:
Try Simple DNS Plus

Author

Commented:
I'm sorry I was away. I will try this week and post my findings here.

Thanks
jdff