JDNow77 asked:
Register a client with one set of AD DNS servers but use a different DNS server for queries
Not sure if this is possible. I want to register a client OS IP address with our Active Directory DNS servers, but I want to limit what DNS records the client can access. Internally the client would need to be able to access the needed DNS records to correctly log on / authenticate, be able to find the Exchange server, intranet server, and a SIP server, but find nothing else. Externally they would only be able to resolve a certain set of internet addresses.
My thought was to register the client to the regular AD DNS servers but then send their lookup requests to a separate DNS server with the minimal record sets. But there appears to be no easy way to do this in the Windows IP configuration (all clients are Windows 7).
Is there a better way to set this up? I only need to do this for a handful of clients who are already sectioned off in their own VLAN. I could do IP ACLs (which is being done already to a certain extent) but because of the nature of some internet resources it's easier to control access by DNS.
You need to trick either the other DNS server into using the AD controller as forwarder for the AD zone, or vice versa.
The only way I can think to make this happen involves a lot of manual configuration. You'll have to set up your "limited" DNS servers and configure the clients to use only those servers for DNS. Next, manually add whatever records to those servers that you want the clients to be able to resolve (you can't just set up zone transfers from the "regular" DNS servers, since that'll replicate all records in the specified zones). Of course, you'll have to manually update those records whenever anything changes. Then, if you want those clients to be registered on the "regular" DNS servers, you'll have to manually add host records for them. This, of course, will require you to use static IP addresses or DHCP reservations on those clients, so their addresses won't change.
In short, it can be done, but it sounds like a nightmare.
ASKER
Would something like the DNS Unbound caching server - https://www.unbound.net/ be able to handle forwarding DNS registration to the AD servers while sending external queries to another DNS server?
ISC BIND and derived AD DNS server too.
You've sort of moved the goal post there. If you only want to send external lookups to a different server, conditional forwarding could solve that. Or a stub zone. Or a DNS server in a DMZ (BIND, unbound, whatever.) But your original question wanted to not just decide which server a lookup is sent to, but to hide most internal records while still allowing registration. That's a much more complex process, as the evaluation can't be done on domain name, but must be done *per record*, and all those pesky SRV records that allow ADDS to work would have to be allowed.
So can unbound do what you suggested in your comment? Yes. But so can many other setups. Does it easily meet your original stated goal? No. I don't see view support. So a product like BIND with views, or Server 2016 with DNS policies, would be required. And a *lot* of work to allow the "right" records.
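The "Server 2016 with DNS policies" route mentioned in the comment above, shown as an added example that is not from any post in this thread: the restricted clients keep pointing at the AD DNS servers (so dynamic registration is unchanged, since query resolution policies govern queries, not DNS updates), and a server-level policy pair allows a per-record list for that VLAN and refuses everything else from it. The domain name corp.example, the subnet 10.50.0.0/24, the host names (dc01, dc02, mail, intranet, sip) and the two Internet names are all assumed placeholders; the allow-list is deliberately incomplete, as Exchange, SIP and per-site DC locator lookups need further records, which is the "lot of work" the comment refers to.

```powershell
# Added example (not from the thread). Assumed: AD domain corp.example, DNS server
# dns01.corp.example running Windows Server 2016, restricted VLAN 10.50.0.0/24,
# hosts dc01/dc02/mail/intranet/sip. Run in an elevated session on the DNS server.

# 1. Name the restricted VLAN so policies can match on it.
Add-DnsServerClientSubnet -Name "RestrictedVlan" -IPv4Subnet "10.50.0.0/24"

# 2. Records the restricted clients may resolve. DC locator names live under _msdcs
#    and as _ldap/_kerberos/_kpasswd/_gc SRV records in the domain zone; the SRV
#    targets (the DC hostnames) must resolve too or the locator answers are useless.
#    Per-site names (_ldap._tcp.<Site>._sites.corp.example) are extra entries per site.
$allowedNames = @(
    "*._msdcs.corp.example",
    "_ldap._tcp.corp.example",
    "_kerberos._tcp.corp.example",
    "_kerberos._udp.corp.example",
    "_kpasswd._tcp.corp.example",
    "_kpasswd._udp.corp.example",
    "_gc._tcp.corp.example",
    "dc01.corp.example",
    "dc02.corp.example",
    "mail.corp.example",
    "intranet.corp.example",
    "sip.corp.example",
    # the handful of Internet names these clients are allowed to reach (placeholders)
    "updates.vendor.example",
    "www.partner.example"
)
$fqdnCriteria = "EQ," + ($allowedNames -join ",")

# 3. Policies are evaluated in ProcessingOrder; the first match decides.
#    Order 1: allow the listed names when the query comes from the restricted VLAN.
Add-DnsServerQueryResolutionPolicy -Name "RestrictedVlan-Allow" `
    -Action ALLOW -Condition "AND" -ProcessingOrder 1 `
    -ClientSubnet "EQ,RestrictedVlan" -Fqdn $fqdnCriteria

#    Order 2: every other query from that VLAN gets an error response (DENY) rather than
#    being silently dropped (IGNORE), so clients fail fast instead of waiting on timeouts.
Add-DnsServerQueryResolutionPolicy -Name "RestrictedVlan-DenyRest" `
    -Action DENY -ProcessingOrder 2 -ClientSubnet "EQ,RestrictedVlan"

# 4. Verify the policy objects on the server.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, Action, IsEnabled

# 5. From a client inside the VLAN: the first lookup should answer, the second should fail.
#    Resolve-DnsName _ldap._tcp.dc._msdcs.corp.example -Type SRV -Server dns01.corp.example
#    Resolve-DnsName fileserver.corp.example -Server dns01.corp.example
```

Clients outside the named subnet never match either policy, so resolution for the rest of the network is unaffected. The list of names a given client actually needs is best confirmed by capturing its queries on a test machine before the deny policy is enabled, since a missing locator or target record shows up as a logon or mail-client failure rather than a DNS error message.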
ASKER
I guess what I'm trying to ask is, can unbound or something like it handle forwarding the DNS registration to the AD servers and the needed SRV lookups while ignoring the other record lookups for the domain? While it would not be the cleanest of jobs, I could get by with using the hosts file for the few required lookups that are for the allowed domain resources.
No. That is still a per-record decision, and there is no easy solution for that.