Add Internal DNS record for public sub-domain

Greetings,

I have an MPLS connection to a vendor Lucent 7 (name is fictitious).

We route traffic for login.lucent7.com through the MPLS

Public IP for login.lucent7.com is 65.65.65.2. (Fictitious)
We run Windows DNS services (2012 R2).

Currently, workstations resolve the sub-domain login.lucent7.com (65.65.65.2) via public records – we do not have a zone for lucent7.com.  Once resolved, we route the request for 65.65.65.2 out the MPLS instead of the public Internet.

Task:  Add a DNS entry for login.lucent7.com into our internal DNS servers for workstation lookup.

Question: How is this accomplished without altering lookups for other lucent7.com sub-domains? Domains like www.lucent7.com or help.lucent7.com must continue to traverse the public Internet and workstations should find the correct DNS record via the normal lookup process (forwarding servers) and not on our internal DNS servers.
Robert Advancedidea asked:
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
We just add a forward lookup zone for login.lucent7.com.

If we add a forward lookup zone for lucent7.com, you will have the issue you are describing about other domain names.
0
Robert Advancedidea (Author) commented:
Thank you.

For the A record, do I then leave the "Name (use parent domain if blank)" empty?
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
No. Within that zone, just create an A record that points to the IP you want it to.
Do a DNS update on a client, then you should see that change reflected.

This is actually a really safe way to do it, adding the sub-domain as a forward lookup zone.
Permanently, I would probably want them to have a zone with the correct configuration, then list the sub-domain within this zone.
0

Robert Advancedidea (Author) commented:
Thank you. I will create the forward lookup zone: login.lucent7.com and subsequent A record pointing to 65.65.65.2 and award points when successful.

Many Thanks.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
No problem, anytime. Perhaps keep me in mind for a live consult ;) and if you have any ransomware issues.
Good luck
0
arnold commented:
I am unclear what you are after, what it is you want to happen.

You can add the domain login.lucent7.com and point it where you need without altering the handling of lucent7.com or other sub-domains.
Note once added, you would need to maintain/update the record as needed, or your internal users will experience issues.

Often, the reason to add an internal DNS record is to achieve the opposite of your situation.
I.e., having an MPLS link, the traffic leaves via the public interface, and you want it to go through the MPLS.

In your case, unless the lucent7 provider has another IP for login.lucent7.com that is not part of the network they advertise via the MPLS, there are no changes available to you to route internal traffic for login.lucent7.com by any other means.

A proxy that is not privy (meaning connected to a router that does not have the info/path to the MPLS) is your only possibility to divert all traffic through the public Internet feed link.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
He is looking for an internal DNS redirect for a sub-domain without affecting DNS queries going to other top-level or sub-domains.
0
arnold commented:
I understood that part, but the question I have is: to what end?
In the description of the issue, adding an internal DNS entry to control login.lucent7.com in no way alters the flow of TCP/IP traffic that is currently flowing via the MPLS link and not via the public Internet feed.

The asker needs to clarify what the end result they are trying to achieve.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Fair point, I just took the DNS element of it, as it is a DNS question. I think the problem he is having is that it is not resolving correctly when forwarded to AD.

You can also modify the routing with changes to your network setup too on top of that DNS change.
0
Robert Advancedidea (Author) commented:
Greetings,

Why? I suspect they want to speed up DNS lookup requests for their application, by making our internal DNS servers authoritative for this one sub-domain. Or, perhaps they want some metrics our internal servers can provide them, whereas the public DNS cannot. Unfortunately, I am not involved in those discussions, I only do what my superiors ask.

I am not trying to route actual traffic any differently (routing is working); I am only trying to add the entry into our DNS servers.

Many Thanks.
0
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
"Why? I suspect they want to speed up DNS lookup requests for their application" - nail on the head right there.
5-second delay at least in a forward-on from AD DNS.

Good luck
0
arnold commented:
Yes, by adding the new AD-integrated zone of login.lucent7.com
with
@ IN A 65.65.65.2

internal access to the application will initiate faster than currently; it will still flow through the MPLS based on the routing table on the router.

The other option is to remove the forwarders and actually have your AD DNS function as a caching server, which means it will ask for the record of login.lucent7.com once in a period set forth in the TTL for the record.
nslookup -debug login.lucent7.com
It will tell you how long the record is valid for before the next time your DNS server has to go out and get the information.

Forwarding, which was useful long ago, is no longer (the bandwidth cost of performing your own lookups is insignificant).

Conditional forwarders need to be used for select domains, under special circumstances.
0
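The procedure from Mark Bill's and arnold's answers (a zone named after the single host, an apex A record, and a TTL/forwarder check) as a PowerShell session, added here as an example and not taken from the thread. It assumes the DnsServer module from the Windows Server 2012 R2 DNS role, that it runs on an AD-integrated DNS server, and that the `$PublicResolver` address is just a placeholder for whichever external resolver you trust for a comparison lookup.

```powershell
# Added example, not from the thread. Requires the DnsServer module (DNS role, 2012 R2+)
# and an elevated session on a DNS server that is a domain member (AD-integrated zone).
# The host name and IP are the thread's fictitious values.
$Zone           = 'login.lucent7.com'
$Ip             = '65.65.65.2'
$DnsServer      = 'localhost'          # internal DNS server being configured
$PublicResolver = '198.51.100.53'      # placeholder: your preferred external resolver

# 1. Create a zone named after the host itself, NOT lucent7.com. Because no local zone
#    matches www.lucent7.com or help.lucent7.com, those names still go to the forwarders.
Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain -ComputerName $DnsServer

# 2. Apex record: Name '@' is what the GUI means by "Name (use parent domain if blank)".
Add-DnsServerResourceRecordA -ZoneName $Zone -Name '@' -IPv4Address $Ip -ComputerName $DnsServer

# 3. Guard against the mistake the thread warns about: a lucent7.com zone would hijack
#    every sub-domain, so fail loudly if one exists on this server.
$badZone = Get-DnsServerZone -ComputerName $DnsServer -ErrorAction SilentlyContinue |
    Where-Object { $_.ZoneName -eq 'lucent7.com' }
if ($badZone) { throw "A lucent7.com zone exists; it would override www/help lookups." }

# 4. Verify the host answers from the local zone and a sibling still resolves via forwarders.
Resolve-DnsName -Name $Zone -Type A -Server $DnsServer -DnsOnly | Format-Table Name, IPAddress, TTL
Resolve-DnsName -Name 'www.lucent7.com' -Type A -Server $DnsServer -DnsOnly | Format-Table Name, IPAddress, TTL

# 5. arnold's caveat: once you are authoritative, nobody updates the record for you.
#    Compare the internal answer with the public one so a vendor IP change is noticed.
$internal = (Resolve-DnsName -Name $Zone -Type A -Server $DnsServer -DnsOnly).IPAddress
$public   = (Resolve-DnsName -Name $Zone -Type A -Server $PublicResolver -DnsOnly).IPAddress
if (Compare-Object $internal $public) {
    Write-Warning "Internal ($internal) and public ($public) answers for $Zone differ; review the A record."
}

# 6. On a workstation: drop the cached answer and re-query to see the change immediately.
Clear-DnsClientCache
Resolve-DnsName -Name $Zone -Type A
```

Step 5 can be scheduled as a recurring task so drift between the vendor's public record and your internal zone surfaces before users notice login failures.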
Robert Advancedidea (Author) commented:
Many thanks gentlemen.
0