DNS Question

Looking for some insight on this from other members to see if I'm missing something.

My company currently has an internal and external domain of: abc.com. There is no internal only domain such as a .local.

Now the issue is this.

We have some clients that have site to site VPN with us for specific services. Anytime we have a new client, we have them create our abc.com zone in their dns servers then add records for our services that point them across the VPN.

This accomplishes what the goal was, which was to have them use the VPN for those services, but now we also have to manually point other things like Lync, Exchange, etc. to our public IPs. Plus, if something changes on our side they have to manually edit the record, or if we add a new site or something they can't access it until they add the matching A record on their side. Not the best idea in my opinion, as this is a very manual process.

I know we have a couple other options here. One being conditional forwarders, and the other being a stub zone. With conditional forwarders, they can set up conditional forwarders only for the URL/FQDN of the specific servers we want them to go across our VPN link for, correct? That way, say they have app.abc.com as a conditional forwarder going to our DNS server, it will resolve to our internal IP and use the VPN, but if they go to mail.abc.com, which they don't have a CF for, it should go out the public side, correct?

The other option is also using a stub zone, but ideally the C-levels don't want these companies having a copy of our zone, so I think stub zones are out. But at the same time, they don't really like the conditional forwarders, because those companies are now depending on and using our DNS servers for whatever we specified.

However, they also do not like the way we do it now, as they feel it is too manual, which I agree with, and it is a system I inherited.

I feel like the only way to accomplish this would be to separate our services into a new DNS zone such as a ".local" and then use stub zones for that domain zone; that way only the services we want across the VPN are in that zone and everything else is in our .com zone and not shared out via DNS.

Anyone have any insight or a better idea?

So far it hasn't been terrible to manage as there are only 4 clients, but this will be growing.
What DNS server are you using? If you use BIND then you can use views to return IP addresses based on source IP address.

Please see the links below on how to use views:


Chris Dent, PowerShell Developer, commented:
> we have them create our abc.com zone in their dns servers then add records for our services that point
> them across the VPN

There's a common solution to this problem that's much less disruptive.

A DNS zone can be called absolutely anything, so rather than having them create abc.com and then individual records for each service, create a zone for each service instead. That is, if you need them to access "intranet.abc.com", make a zone called "intranet.abc.com", add a Host (A) record with no name to the zone and the appropriate IP.

If you need the external party to resolve abc.com itself to a name, this falls apart, but anything else can be created as a sub-domain.

As long as they don't also create a zone for abc.com, any requests for other records in abc.com will go public as normal.

Other options include DNS doctoring (typically performed on firewalls), similar in method, just a different administration point.

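To make the difference between the two designs concrete, here is an added Python model (not from the original thread or from any DNS product) of how a DNS server picks which hosted zone answers a query: the longest matching zone suffix wins, and names under no hosted zone are forwarded to the public resolver. The zone names and 10.x addresses are constructed for illustration; it also shows the "falls apart" cases Chris describes.

```python
"""Model of zone selection on a client's DNS server for the two designs in the thread."""

# Constructed example: one tiny zone per VPN-bound service (zone-per-service design).
# Each zone holds a single apex ("@") A record pointing across the VPN.
PER_SERVICE_ZONES = {
    "intranet.abc.com": {"@": "10.10.1.20"},
    "app.abc.com": {"@": "10.10.1.30"},
}

# Constructed example: the original design, where the client hosts the whole
# abc.com zone but only adds the records they were told about.
WHOLE_DOMAIN_ZONE = {
    "abc.com": {"intranet": "10.10.1.20", "app": "10.10.1.30"},
}


def _labels(name):
    """Normalise a query name: case-insensitive, trailing dot ignored."""
    return name.lower().rstrip(".").split(".")


def find_zone(name, zones):
    """Return the longest hosted zone enclosing `name` (DNS longest-suffix match), or None."""
    labels = _labels(name)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones):
    """Decide how the client's server answers `name`.

    Returns ("local", ip) when a hosted zone holds the record,
    ("nxdomain", None) when a hosted zone is authoritative but lacks the record
    (the client never gets to the public answer), and ("forward", None) when
    no hosted zone matches and the query goes to the public resolver.
    """
    zone = find_zone(name, zones)
    if zone is None:
        return ("forward", None)
    labels = _labels(name)
    owner = ".".join(labels[: len(labels) - len(zone.split("."))]) or "@"
    ip = zones[zone].get(owner)
    return ("local", ip) if ip is not None else ("nxdomain", None)
```

With the zone-per-service design, mail.abc.com is forwarded and resolves publicly, while with a hosted abc.com zone the same query returns NXDOMAIN until someone adds the record by hand.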

Aaron Tomosky, Director of Solutions Consulting, commented:
Agree with Chris, I do exactly that in my setup. Another trick if you have a lot of clients to map: you can use public DNS entries to internal IP addresses. They just won't work for anyone unless they have VPN access.
themightydude (Author) commented:
Thank you all for the extra insight there.

I forgot that we can do a zone for anything so I think that's what we're going to go with for now. A lot better than doing our entire domain.

Thanks again.