Split DNS Not Working

I have been forced to create a split DNS config as my edge router does not support NAT reflection. However, I cannot get the split DNS working correctly for client workstations.

internal domain mydomain.local
external domain mydomain.com

host mail.mydomain.com resolves externally and is port forwarded to mail.mydomain.local

internal clients need mail.mydomain.com to resolve to private IP of mail.mydomain.local

DHCP is set up to configure clients with only local DNS servers

on internal DNS(s) I have created forward lookup zone for mydomain.com and added A record for mail.mydomain.com with private IP
(I have also tried creating zone for mail.mydomain.com and creating blank A record with private IP of local host)

Internal DNS servers are configured to forward unresolved queries to Google DNS

In both cases, if I ping mail.mydomain.com from the DNS server it correctly resolves to the private IP address; if I ping from a workstation it resolves to the public IP address rather than the private IP address.

Yes, I have cleared the cache on the WS with ipconfig /flushdns, and I have even cleared the DNS server cache.

An nslookup of mail.mydomain.com on a WS returns the public IP as a non-authoritative response from the local DNS server.

This problem is plaguing me at multiple sites; there must be something I am missing.

Help greatly appreciated.

It sounds like you have everything configured correctly. I would re-verify that caches are cleared, as that would be the most likely explanation. How did you clear the cache on the DNS server?
With a zone for mydomain.com (and assuming you haven't created a "www" record in it), then if you query for www.mydomain.com from an internal machine it should result in a NXDOMAIN (record not found).  Further assuming that you DO have a record for www.mydomain.com in your public DNS, if the previous sentence isn't true, then something is wrong with your DNS server and you should look at event logs, etc.

Beyond that I would look at network captures of DNS traffic (both at a workstation and DNS server) while performing a ping or nslookup to examine the traffic.
BMardenAuthor Commented:
I cleared the cache on the server by right clicking the "Cache" zone folder and selecting clear cache.

Actually, www.mydomain.com does resolve correctly, as the zone I created on the local DNS is for mail.mydomain.com with a blank A record pointing to the correct private IP. This is a trick I ran across in another post: create the zone for the host rather than the TLD.

As I mentioned, everything works perfectly from the DNS server itself, but local WSs are still resolving to the public IP. Could it be that since the local DNS server is non-authoritative it's checking the forwarder?

I recently also checked security on the zone and made sure AuthUsers and SELF had read access to the zone (they previously did not), but this does not seem to have made any difference.

I tried logging into the DNS server with user credentials to see if it was a permissions issue, but a non-admin user account on the DNS server also resolves as expected.

Yes, creating the zone with a blank record is a good trick when you just need to intercept queries for a single name.

Since the zone is on the server it should consider itself authoritative, and thus should not forward any queries for that name. I don't see how the server could resolve the name correctly for itself while workstations using it can't.

The only explanation I can think of for a workstation resolving differently than the server is that a piece of information has been missed, like:
- the workstation isn't using the server
- a suffix has been appended

This is why I would gather network captures and make sure traffic is flowing as you think.  Use nslookup and append a dot to the end of the FQDN to make sure no suffixes are being added automatically.  And again, look at event logs.
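The two checks recommended in this thread (the NXDOMAIN test for a name the local zone does not contain, and querying with a trailing dot so no search suffix is appended) both come down to reading the DNS reply's header: the AA (Authoritative Answer) bit is what nslookup reports as "Non-authoritative answer", and RCODE 3 is NXDOMAIN. The following script is an added example and not code from anyone in this thread. It sends a single UDP query directly to a chosen server, bypassing the Windows resolver and its suffix list, and classifies the reply as authoritative, forwarded, or NXDOMAIN. The server address is taken from the command line; the addresses 10.0.0.25 and 203.0.113.10 in the offline demo are constructed stand-ins for the private and public mail-server IPs and are not from the original post.

```python
import socket
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode an FQDN as DNS labels. The name is treated as fully qualified,
    so no search suffix (e.g. .mydomain.local) is ever appended."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """Build a recursion-desired A query for name (RD=1, QDCOUNT=1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1


def parse_response(data):
    """Parse header flags and A-record answers. 'aa' is the Authoritative
    Answer bit; nslookup prints 'Non-authoritative answer' when it is clear."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4     # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": qid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "answers": answers}


def classify(resp):
    """Map a parsed reply onto the diagnosis discussed in the thread."""
    if resp["rcode"] == 3:
        return "nxdomain"        # name not in the zone; the server answered itself
    if resp["aa"]:
        return "authoritative"   # answered from the server's own zone data
    return "forwarded"           # AA clear: answer came via forwarder or cache


def build_response(name, ip, aa, rcode=0, qid=0x1234):
    """Constructed reply for offline testing (not a capture). Echoes the
    question and, if ip is given, one A record whose owner name is a
    compression pointer (0xC00C) back to the question name."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode    # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", qid, flags, 1, 1 if ip else 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b""
    if ip:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
        answer += socket.inet_aton(ip)
    return header + question + answer


def query(server, name, timeout=2.0):
    """Send one UDP query straight to server (bypassing the OS resolver and
    its suffix list) and return the parsed reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("response ID mismatch")
    return resp


if __name__ == "__main__":
    # usage: python split_dns_check.py <dns-server-ip> <fqdn>
    if len(sys.argv) == 3:
        r = query(sys.argv[1], sys.argv[2])
        print(classify(r), r["answers"])
    else:
        # Offline demo with constructed replies: the expected case and the symptom.
        good = build_response("mail.mydomain.com", "10.0.0.25", aa=True)
        bad = build_response("mail.mydomain.com", "203.0.113.10", aa=False)
        for label, data in (("expected", good), ("symptom", bad)):
            r = parse_response(data)
            print(label, classify(r), r["answers"])
```

Run it from a workstation once against the internal server's IP and once against the forwarder: if the internal server returns "forwarded" for mail.mydomain.com, it is not answering from its own zone for that query, whatever the console on the server itself shows. Run it for www.mydomain.com as well; with a zone for mydomain.com that holds no www record, the reply should be "nxdomain".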

BMardenAuthor Commented:
I have re-verified that the local DNS is the only DNS server in ipconfig /all.

Tried appending a . to the end of the FQDN; no change.

DNS suffix is mydomain.local

Checked event logs; nothing of note.

I appreciate the help.

I do not have immediate facility for packet capture, but I may get desperate enough...

thx all