DNS conditional forward query

We have 2 domains within our forest, Domain1 and Domain2. Both domains are part of a secure private network. Some of the hosts in Domain2 are public facing and have both public/private IP addresses, e.g. host1.domain2.com has private address 172.30.100.17 and public address 89.89.89.89. Domain1 has a conditional forwarder to an internal DNS server within Domain2: dns.domain2.com.
If there is a network problem between the 2 domains or dns.domain2.com is rebooted, clients in Domain1 are resolving address 89.89.89.89 for host1.domain2.com. This address is not valid on the private network (I can explain this further if need be), clients can't connect to it and they also cache it for several hours.

Is there a way to prevent DNS requests for domain2.com being routed to the internet if dns.domain2.com is unavailable?

Thanks
John
RBG IT asked:
Michelangelo (Consultant) commented:
Once the recursion timeout has expired on the primary server, it will try to contact the Root Hints, thus providing a "public" answer.
Conditional forwarding usually uses two or more DNS servers to avoid network connectivity issues and/or maintenance windows.

One possibility is defining the zone you are providing services for on a standalone server and setting up other servers as secondary of that zone but YMMV.
noci (Software Engineer) commented:
I second that. The DNS system is designed to support Master/Slave per zone, including fast updates even for dynamic zones. Updates don't scale beyond a few thousand names in a short time.
DrDave242 commented:
Given the way round robin DNS works, I'll be very surprised if this only occurs when that link is down. If both host records are registered in the same zone, both records are going to get returned for every query for the corresponding name; only the order in which they're returned will differ. There may be some application-level caching going on that gets around this, though; I know some web browsers will cache DNS responses separately from the DNS resolver cache that's maintained by the OS, for example.

So, here's my question: do you need those public addresses registered in DNS at all? It seems like internal machines would always want to resolve those names to their corresponding internal addresses.
Michelangelo (Consultant) commented:
OP does not mention round robin. He uses conditional forwarding to resolve internal addresses.
DrDave242 commented:
True; I'm making a couple of assumptions. The OP mentions that there are a couple of domains involved, which I'm assuming are Active Directory domains. Because of that, I'm also assuming the DNS servers are running Windows, in which round robin is enabled by default and almost never disabled in my experience.
Michelangelo (Consultant) commented:
Good point - I am convinced that no round robin is there, though. He has a conditional forwarder for domain2 to dns2 which answers with just the private IP, and no redundancy for the DNSes.
This kind of issue arises when using the same internal and external domain names. What do you think?
DrDave242 commented:
I'm hoping we'll get some more information from RBG IT.

You can control DNS responses based on the source of the query in Windows Server 2016 with DNS Policies, but they're a bit of a pain to configure (PowerShell only, of course) and aren't available in previous versions.
RBG IT (Author) commented:
Thanks guys. We use 2 AD domains and everything is based on windows. The internal clients should always resolve an internal address but we do also need public dns for clients outside the private network.
I'm configuring a second internal DNS server and will add this to the server list in conditional forwarders...

Thanks
John
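Putting Michelangelo's suggestion and John's plan together, here is an added example (not from the thread) for a DNS server in Domain1: it registers the conditional forwarder for domain2.com with two Domain2 DNS servers and then checks that the answer a Domain1 client gets is a private address rather than 89.89.89.89. The two server addresses and the zone's replication scope are assumptions, and the -UseRecursion $false setting is my addition: it tells the server not to recurse to root hints for this zone when every forwarder is unreachable, which is the failure mode the question describes.

```powershell
# Run on a Domain1 DNS server with the DnsServer module (example code, not from the thread).
# Constructed values: both Domain2 DNS server addresses are assumptions.
$Zone       = 'domain2.com'
$Domain2Dns = @('172.30.100.10', '172.30.100.11')   # dns.domain2.com plus the new second server
$TestHost   = "host1.$Zone"

# 1. Create or update the conditional forwarder with both Domain2 servers.
#    -UseRecursion $false: do not fall back to root hints for this zone if all
#    forwarders fail, so an outage yields a failed lookup instead of the public
#    89.89.89.89 that clients then cache for hours.
if (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue) {
    Set-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Domain2Dns `
        -UseRecursion $false
} else {
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $Domain2Dns `
        -ReplicationScope 'Forest' -UseRecursion $false   # 'Forest' is an assumption
}

# 2. Verify: the A record this server hands out must be RFC 1918 space.
function Test-PrivateIPv4 {
    param([string]$Ip)
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Query this server directly, bypassing the local client cache and hosts file.
$answers = Resolve-DnsName -Name $TestHost -Type A -Server 'localhost' -DnsOnly -NoHostsFile |
           Where-Object { $_.Type -eq 'A' }
foreach ($a in $answers) {
    if (Test-PrivateIPv4 $a.IPAddress) {
        "OK      $TestHost -> $($a.IPAddress) (TTL $($a.TTL)s)"
    } else {
        Write-Warning "PUBLIC  $TestHost -> $($a.IPAddress): forwarders bypassed, check $($Domain2Dns -join ', ')"
    }
}
```

Running the verification part on a schedule (e.g. a task that alerts on the PUBLIC warning) catches the forwarder outage before Domain1 clients have cached the public address.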