BMarden

asked on

Split DNS Not Working

I have been forced to create a split DNS config as my edge router does not support NAT reflection.  However I cannot get the split DNS working correctly for client workstations.

internal domain mydomain.local
external domain mydomain.com

host mail.mydomain.com resolves externally and is port forwarded to mail.mydomain.local

internal clients need mail.mydomain.com to resolve to private IP of mail.mydomain.local

DHCP is set up to configure clients with only local DNS servers

on internal DNS(s) I have created forward lookup zone for mydomain.com and added A record for mail.mydomain.com with private IP
(I have also tried creating zone for mail.mydomain.com and creating blank A record with private IP of local host)

Internal DNS are configured to forward unresolved to google DNS

In both cases if I ping mail.mydomain.com from the DNS server it correctly resolves to the private IP address; if I ping from a workstation it resolves to the public IP address rather than the private IP address.

Yes - I have cleared the cache on the WS with ipconfig /flushdns, I have even cleared the DNS server cache

an nslookup of mail.mydomain.com on a WS returns the public IP as a nonauth response from the local DNS Server

This problem is plaguing me at multiple sites, there must be something I am missing.

Help greatly appreciated.

TIA
footech

It sounds like you have everything configured correctly.  I would re-verify that caches are cleared as that would be the most likely explanation.  How did you clear the cache on the DNS server?
With a zone for mydomain.com (and assuming you haven't created a "www" record in it), then if you query for www.mydomain.com from an internal machine it should result in a NXDOMAIN (record not found).  Further assuming that you DO have a record for www.mydomain.com in your public DNS, if the previous sentence isn't true, then something is wrong with your DNS server and you should look at event logs, etc.

Beyond that I would look at network captures of DNS traffic (both at a workstation and DNS server) while performing a ping or nslookup to examine the traffic.
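The checks suggested above, as an added PowerShell example for a workstation (not code from the thread): it lists the resolvers the client is really using, flushes the client cache, asks each configured server directly for the split name, compares with the public resolver, and runs the www.mydomain.com NXDOMAIN test. The private IP 10.0.0.25, the public resolver 8.8.8.8 and the zone name mydomain.com are assumptions to adjust.

```powershell
# Added example, not from the original thread. Placeholders below are assumptions:
#   $ExpectedIP = private IP of the internal mail host; $PublicDns = the forwarder.
param(
    [string]$Name       = 'mail.mydomain.com',
    [string]$ExpectedIP = '10.0.0.25',   # placeholder private IP
    [string]$PublicDns  = '8.8.8.8'      # assumed Google forwarder
)
$Zone = $Name -replace '^[^.]+\.', ''     # 'mydomain.com'

# 1. Which resolvers is this client actually using? Any non-internal server here
#    explains a public answer on its own.
$servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
"Client DNS servers: $($servers -join ', ')"

# 2. Flush the client cache so a stale answer cannot mislead us.
Clear-DnsClientCache

# 3. Ask each configured server directly, bypassing cache and hosts file.
foreach ($srv in $servers) {
    $ans = Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue
    $ips = ($ans | Where-Object { $_.Type -eq 'A' }).IPAddress
    $verdict = if ($ips -contains $ExpectedIP) { 'OK (private)' } else { 'WRONG (not private)' }
    "{0,-16} -> {1,-20} {2}" -f $srv, ($ips -join ','), $verdict
}

# 4. The public resolver should give a different (public) answer; if the internal
#    server's answer matches it, the internal zone is not being consulted.
$pub = (Resolve-DnsName -Name $Name -Type A -Server $PublicDns -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }).IPAddress
"Public resolver $PublicDns -> $($pub -join ',')"

# 5. With an internal zone for $Zone and no www record, www.$Zone must return
#    NXDOMAIN from the internal server (Resolve-DnsName throws on NXDOMAIN).
try {
    $www = Resolve-DnsName -Name "www.$Zone" -Type A -Server $servers[0] -DnsOnly -ErrorAction Stop
    "www.$Zone answered ($($www.IPAddress -join ',')): internal server is not using a $Zone zone"
} catch {
    "www.$Zone -> $($_.Exception.Message) (NXDOMAIN expected if the $Zone zone is in use)"
}
```

If step 3 shows the public IP while the same query on the DNS server itself shows the private IP, the workstation is not talking to the server you think it is, which is what a capture would confirm.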
BMarden

ASKER

I cleared the cache on the server by right clicking the "Cache" zone folder and selecting clear cache.

actually the www.mydomain.com does resolve correctly as the zone I created on the local DNS is for mail.mydomain.com with a blank A record pointing to the correct private IP.  This is a trick I ran across in another post to create the zone for the host rather than the TLD.

As I mentioned everything works perfectly from the DNS server itself, but the local WS is still resolving to the public IP.  Could it be that since the local DNS server is non-authoritative it's checking the forwarder?

I recently also checked security on the Zone and made sure AuthUsers and SELF had read access to the zone (they previously did not) but this does not seem to have made any difference

I tried logging into the DNS server with user creds to see if it was a perms issue, but a non-admin user account on the DNS server also resolves as expected.

Thx
ASKER CERTIFIED SOLUTION
footech

ASKER

I have re-verified the local DNS is the only DNS server in ipconfig /all

Tried appending . to end of FQDN, no change

DNS suffix is mydomain.local

Checked event logs, nothing of note

I appreciate the help.

I do not have immediate facility for packet capture, but I may get desperate enough...

thx all