Pointing internal DNS Server at External Server


We are in the process of helping two companies join together, and part of the issue is that the new owner wants all internet traffic to run through their data center. The problem is that they block all port 53 requests (DNS), and therefore we must point our requests at their DNS server.

On our Meraki firewall I have set the DNS server to be theirs, but it seems that SBS is still referencing DNS externally. Can I place an entry in the DNS server in SBS 2011 to force all requests to be made from the parent company's DNS server?

Cliff Galiher commented:
You will want to configure DNS forwarders on your SBS server so you don't break Active Directory. Local clients joined to the SBS domain should still use SBS for DNS, including clients that may now be getting improper settings from your Meraki setup.

Hi Josh,

The way I see the question is that they want all traffic to route through their data center, i.e. the same gateway address. You could then keep your DNS records as a sub-domain / sub-DNS.

So the new "HQ" is the DNS domain master and the branch office is a sub-domain. Route through the HQ.

David Johnson, CD, MVP (Owner) commented:
"The problem is that they block all port 53 requests (DNS) and therefore we must point our requests at their DNS Server." Is port 53 (DNS) open to you, or is it blocked from everyone? If they don't block your site for incoming requests, then simply forward requests to them and disable root hints in your DNS. This will resolve the DNS issue, but you're going to have mail issues and other issues without them doing a lot of work and you changing your SPF and MX records.

Do you have a site-to-site VPN in place?

joshhough (Author) commented:
There are a couple of problems here. Firstly, the data held in the UK is secure, so we have to keep a firewall between us and them (in Germany). So the network is currently:

Cisco 1921 (provided by the parent company) with MPLS network. Then our Meraki firewall is plugged into the 1921 with a static IP, and the DNS for the Meraki is set to their DNS server in Germany as requested. They block any outbound port 53 requests unless they have come from their DNS server, so regardless of whether we open port 53 or not, it doesn't work, sadly.

DHCP is disabled on the Meraki, and we then run SBS 2011 on-prem here.

Hope that helps?

In summary, or simply: I want to point all clients at their DNS server for DNS1 and DNS2, but I know that breaks AD, so I guess this needs to be done from DNS on the SBS. So DNS resolves from the SBS, and SBS resolves from Germany's DNS server in turn.
David Johnson, CD, MVP (Owner) commented:
Your use of SBS brings in a problem, as it is a stand-alone item that cannot be joined or use trusts. They say they want all traffic to go through them, but for your business to function you require DNS resolution, so they have to open up DNS for at least your public IP address to go to their DNS, as you are "required" by them to forward all traffic to them. They can't have their cake and eat it as well.
joshhough (Author) commented:
Hi, Thanks for your response.

So from what I can understand, there is no way we can tell SBS to resolve DNS from the DNS server we point it at (IP address, no AD linking)?

With that in mind, at present where does SBS resolve DNS from?
Cliff Galiher commented:
Yes, you can, and the article I linked to tells you how. By default, SBS uses root hints, but forwarders override this default.

David, he is saying that *outbound* is blocked unless it comes from their DNS servers. Inbound requests (from clients, other servers, etc.) should still be fine. So as long as SBS uses their servers as forwarders, the outbound request will ultimately recursively come from there, and all will work.
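To make Cliff's recommendation (forwarders on SBS, clients still pointed at SBS) concrete, here is an added example of the configuration and the checks on the SBS 2011 server. It is not part of the original thread. SBS 2011 is built on Windows Server 2008 R2, which has no DnsServer PowerShell module, so the forwarder change is made with dnscmd.exe. The parent company's resolver addresses (192.0.2.53 and 192.0.2.54) and the DHCP scope (192.168.1.0) are placeholders, and the example assumes, as David noted is required, that the parent resolvers will answer recursive queries arriving from the SBS server's address over the MPLS link.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the SBS 2011 server itself.

# Assumption: the parent company's DNS servers in Germany (placeholder
# addresses from the documentation range; substitute the real ones).
$ParentDns = @('192.0.2.53', '192.0.2.54')

# 1. Forward every query the SBS DNS service is not authoritative for to the
#    parent resolvers. /Slave clears "Use root hints if no forwarders are
#    available", so SBS never tries to reach root servers on port 53 directly,
#    which the parent network blocks anyway. The array expands into one
#    argument per address when passed to a native executable.
& dnscmd.exe localhost /ResetForwarders $ParentDns /Slave
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ResetForwarders failed with exit code $LASTEXITCODE" }

# 2. Show the forwarder and slave settings the service now holds.
& dnscmd.exe localhost /Info | Select-String -Pattern 'forward', 'slave'

# 3. The SBS server's own NIC must point at itself (or 127.0.0.1) for DNS;
#    Active Directory breaks if the server resolves its own domain elsewhere.
#    Only the forwarder list above should name the parent company.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List

# 4. Prove both halves work by asking the local DNS service directly:
#    an AD SRV record (answered from the local zone) and an Internet name
#    (answered through the forwarder). USERDNSDOMAIN is set on domain-joined
#    sessions.
$dcSrv = "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN"
nslookup -type=SRV $dcSrv 127.0.0.1
nslookup -type=A www.example.com 127.0.0.1

# 5. Clients must be handed the SBS server as their DNS server, not the
#    parent resolvers and not the Meraki. With DHCP served by SBS, that is
#    scope option 006. Assumption: the scope is 192.168.1.0; substitute yours.
netsh dhcp server scope 192.168.1.0 show optionvalue
```

If step 4's Internet lookup times out while the SRV lookup succeeds, the forwarder is configured but the parent resolvers are not accepting queries from the SBS server's source address, which is the firewall opening David said the parent company has to make.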
