Looking for some insight on this from other members to see if I'm missing something.
My company currently has an internal and external domain of abc.com. There is no internal-only domain such as a .local.
Now the issue is this.
We have some clients that have a site-to-site VPN with us for specific services. Any time we have a new client, we have them create our abc.com zone in their DNS servers, then add records for our services that point them across the VPN.
This accomplishes the goal, which was to have them use the VPN for those services, but now we also have to have them manually point other things like Lync, Exchange, etc. to our public IPs. Plus, if something changes on our side they have to manually edit the record, or if we add a new site or something, they can't access it until they add the matching A record on their side. Not the best idea in my opinion, as this is a very manual process.
I know we have a couple of other options here. One is conditional forwarders, and the other is a stub zone. With conditional forwarders, they can set up conditional forwarders only for the URL/FQDN of the specific servers we want them to go across our VPN link for, correct? That way, say they have app.abc.com as a conditional forwarder going to our DNS server, it will resolve to our internal IP and use the VPN, but if they go to mail.abc.com, which they don't have a CF for, it should go out the public side, correct?
The other option is also using a stub zone, but ideally the C-levels don't want these companies having a copy of our zone, so I think stub zones are out. But at the same time, they don't really like the conditional forwarders either, because those companies are then depending on and using our DNS servers for whatever we specified.
However, they also do not like the way we do it now, as they feel it is too manual, which I agree with, and it is a system I inherited.
I feel like the only way to accomplish this would be to separate our services into a new DNS zone such as a ".local" and then use stub zones for that domain zone. That way, only services we want across the VPN are in that zone, and everything is in our .com zone and not shared out via DNS.
Anyone have any insight or a better idea?
So far it hasn't been terrible to manage as there are only 4 clients, but this will be growing.
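The per-FQDN conditional forwarder approach described in the post, as an added example that is not part of the original post and not any particular vendor's script. It assumes the client's Windows DNS server has the DnsServer module, that the provider's DNS server reachable only over the VPN is at the placeholder address 10.0.0.53, and uses the post's app.abc.com (VPN-only) and mail.abc.com (public) as the two test names.

```powershell
# Added example (not from the original post). Run on the client's Windows DNS server
# in an elevated session with the DnsServer module (DNS role or RSAT) installed.
# Placeholder assumption: the provider's DNS server behind the VPN is 10.0.0.53.
#Requires -Modules DnsServer

$ProviderDns  = '10.0.0.53'           # placeholder: provider DNS reachable only over the VPN
$VpnOnlyNames = @('app.abc.com')      # only these names are forwarded to the provider's DNS
$PublicName   = 'mail.abc.com'        # must keep resolving via normal recursion (public IP)

foreach ($fqdn in $VpnOnlyNames) {
    # A conditional forwarder zone named after the FQDN forwards queries for that name
    # (and anything beneath it) without giving the client a copy of the abc.com zone,
    # which is the difference from a stub or secondary zone.
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $fqdn -MasterServers $ProviderDns
        Write-Host "Created conditional forwarder: $fqdn -> $ProviderDns"
    } else {
        Write-Host "Conditional forwarder already exists: $fqdn"
    }
}

# Verification helper: ask the local DNS server for a name and return the A answers.
function Test-SplitResolution {
    param([string]$Name, [string]$LocalDns = '127.0.0.1')
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -Server $LocalDns -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{ Name = $Name; Address = ($answer.IPAddress -join ',') }
    } catch {
        [pscustomobject]@{ Name = $Name; Address = "FAILED: $($_.Exception.Message)" }
    }
}

# Query both names from the same server and compare the paths they took.
$results = @(Test-SplitResolution -Name $VpnOnlyNames[0]) + @(Test-SplitResolution -Name $PublicName)
$results | Format-Table -AutoSize

# Expected: app.abc.com answers with the provider's private (RFC 1918) address over the VPN,
# while mail.abc.com answers with the public address because no forwarder matches it.
$vpnAnswer = ($results | Where-Object { $_.Name -eq $VpnOnlyNames[0] }).Address
if ($vpnAnswer -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)') {
    Write-Warning "$($VpnOnlyNames[0]) did not resolve to a private address; check the VPN path and the forwarder."
}
```

If the VPN or the provider's DNS is down, the forwarded name fails closed (no answer) rather than leaking to the public address, which is worth testing deliberately before rolling this out to the next client.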