RBG IT (asker):
DNS conditional forward query

We have 2 domains within our forest, Domain 1 and Domain2.  Both domains are part of a secure private network. Some of the hosts in Domain2 are public facing and have both public/private IP addresses, e.g. host1.domain2.com has private address 172.30.100.17 and public address 89.89.89.89. Domain1 has a conditional forwarder to an internal DNS server within domain2; dns.domain2.com.
If there is a network problem between the 2 domains or dns.domain2.com is rebooted, clients in Domain1 are resolving address 89.89.89.89 for host1.domain2.com. This address is not valid on the private network (I can explain this further if need be), clients can't connect to it and they also cache it for several hours.

Is there a way to prevent DNS requests for domain2.com being routed to the internet if dns.domain2.com is unavailable?

Thanks
John
ASKER CERTIFIED SOLUTION (Michelangelo)

noci:

I second that. The DNS system is designed to support Master/Slave per zone,
including fast updates even for dynamic zones. Updates don't scale beyond a few thousand names in a short time.
Given the way round robin DNS works, I'll be very surprised if this only occurs when that link is down. If both host records are registered in the same zone, both records are going to get returned for every query for the corresponding name; only the order in which they're returned will differ. There may be some application-level caching going on that gets around this, though; I know some web browsers will cache DNS responses separately from the DNS resolver cache that's maintained by the OS, for example.

So, here's my question: do you need those public addresses registered in DNS at all? It seems like internal machines would always want to resolve those names to their corresponding internal addresses.
OP does not mention round robin. He uses conditional forwarding to resolve internal Addresses.
True; I'm making a couple of assumptions. The OP mentions that there are a couple of domains involved, which I'm assuming are Active Directory domains. Because of that, I'm also assuming the DNS servers are running Windows, in which round robin is enabled by default and almost never disabled in my experience.
Good point - I am convinced that no round robin is there, though. He has a conditional forwarding for domain2 to dns2 which answers with just the private IP, and no redundancy for DNSes.
This kind of issue arises when using the same internal and external domain names. What do you think?
I'm hoping we'll get some more information from RBG IT.

You can control DNS responses based on the source of the query in Windows Server 2016 with DNS Policies, but they're a bit of a pain to configure (PowerShell only, of course) and aren't available in previous versions.
RBG IT (asker):

Thanks guys. We use 2 AD domains and everything is based on windows. The internal clients should always resolve an internal address but we do also need public dns for clients outside the private network.
I’m configuring a second internal dns server and will add this to the server list in conditional forwarders...

Thanks
John
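One way to carry out the asker's plan with the Windows DNS Server PowerShell module, as an added example that is not code from the thread: it gives the domain2.com conditional forwarder two internal master servers and turns off the fallback to recursion that lets the public record leak in when the forwarders are unreachable. The addresses 172.30.100.10 and 172.30.100.11 are assumed placeholders for dns.domain2.com and the new second server.

```powershell
# Added example, not from the thread. Run on a Domain1 DNS server with DNS admin rights.
# Assumed placeholders: the two internal DNS server addresses below.
$zone       = 'domain2.com'
$forwarders = @('172.30.100.10', '172.30.100.11')   # dns.domain2.com + the second internal server

$existing = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    # Create the conditional forwarder with both internal servers, stored in AD so
    # every Domain1 DNS server picks it up.
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $forwarders `
        -ReplicationScope 'Forest' -ForwarderTimeout 3
}

# Point the zone at both servers and stop the server from falling back to recursion
# (root hints / public DNS) when neither forwarder answers. With UseRecursion $false a
# forwarder outage yields a lookup failure that clients can retry, instead of the
# public 89.89.89.89 address that they would cache for hours.
Set-DnsServerConditionalForwarderZone -Name $zone -MasterServers $forwarders `
    -ForwarderTimeout 3 -UseRecursion $false

# Check the resulting zone settings.
Get-DnsServerZone -Name $zone | Format-List ZoneName, ZoneType, MasterServers, UseRecursion

# Drop any public answers already cached on this server; clients should flush as well
# (Clear-DnsClientCache, or ipconfig /flushdns).
Clear-DnsServerCache -Force
```

After the change, `Resolve-DnsName host1.domain2.com -Server <Domain1 DNS server>` should return only the 172.30.x.x address, or an error while both forwarders are down.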