DNS conditional forward query

RBG IT
We have 2 domains within our forest, Domain1 and Domain2. Both domains are part of a secure private network. Some of the hosts in Domain2 are public facing and have both public/private IP addresses, e.g. host1.domain2.com has private address 172.30.100.17 and public address 89.89.89.89. Domain1 has a conditional forwarder to an internal DNS server within Domain2: dns.domain2.com.
If there is a network problem between the 2 domains or dns.domain2.com is rebooted, clients in Domain1 are resolving address 89.89.89.89 for host1.domain2.com. This address is not valid on the private network (I can explain this further if need be), clients can't connect to it and they also cache it for several hours.

Is there a way to prevent DNS requests for domain2.com being routed to the internet if dns.domain2.com is unavailable?

Thanks
John
Michelangelo, System Administrator / Postmaster
Commented:
Once the recursion timeout is expired on the primary server, it will try to contact the Root Hints thus providing a "public" answer.
Conditional forwarding usually uses two or more DNS servers to avoid network connectivity issues and/or maintenance windows.

One possibility is defining the zone you are providing services for on a standalone server and setting up other servers as secondary of that zone but YMMV.
noci, Software Engineer, Distinguished Expert 2018

Commented:
I second that. The DNS system is designed to support Master/Slave per zone, including fast updates even for dynamic zones. Updates don't scale beyond a few thousand names in a short time.
DrDave242, Principal Support Engineer

Commented:
Given the way round robin DNS works, I'll be very surprised if this only occurs when that link is down. If both host records are registered in the same zone, both records are going to get returned for every query for the corresponding name; only the order in which they're returned will differ. There may be some application-level caching going on that gets around this, though; I know some web browsers will cache DNS responses separately from the DNS resolver cache that's maintained by the OS, for example.

So, here's my question: do you need those public addresses registered in DNS at all? It seems like internal machines would always want to resolve those names to their corresponding internal addresses.

Michelangelo, System Administrator / Postmaster

Commented:
OP does not mention round robin. He uses conditional forwarding to resolve internal Addresses.
DrDave242, Principal Support Engineer

Commented:
True; I'm making a couple of assumptions. The OP mentions that there are a couple of domains involved, which I'm assuming are Active Directory domains. Because of that, I'm also assuming the DNS servers are running Windows, in which round robin is enabled by default and almost never disabled in my experience.
Michelangelo, System Administrator / Postmaster

Commented:
Good point - I am convinced that no round robin is there, though. He has a conditional forwarder for domain2 to dns2 which answers with just the private IP, and no redundancy for DNSes.
This kind of issue arises when using the same internal and external domain names. What do you think?
DrDave242, Principal Support Engineer

Commented:
I'm hoping we'll get some more information from RBG IT.

You can control DNS responses based on the source of the query in Windows Server 2016 with DNS Policies, but they're a bit of a pain to configure (PowerShell only, of course) and aren't available in previous versions.

Author

Commented:
Thanks guys. We use 2 AD domains and everything is based on Windows. The internal clients should always resolve an internal address, but we do also need public DNS for clients outside the private network.
I'm configuring a second internal DNS server and will add this to the server list in conditional forwarders...

Thanks
John
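As an added example (not from the thread or any participant), the following PowerShell, run on a Domain1 DNS server, implements what the answers above suggest: two Domain2 master servers in the conditional forwarder and no fallback to root hints when both are unreachable. The master addresses 172.30.100.10 and 172.30.100.11 are placeholders, since the thread only names dns.domain2.com.

```powershell
# Added example: harden the domain2.com conditional forwarder on a Domain1 DNS server.
# Requires the DnsServer module (RSAT / DNS Server role). Addresses are placeholders.
$zone    = 'domain2.com'
$masters = @('172.30.100.10', '172.30.100.11')   # two internal Domain2 DNS servers

# Create the conditional forwarder zone if it is not there yet (AD-integrated, forest scope,
# so every Domain1 DNS server gets the same forwarder).
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $masters -ReplicationScope 'Forest'
}

# Two masters give redundancy during reboots of one of them.
# -UseRecursion $false stops the server from trying root hints (the public Internet) when both
# masters are unreachable, so clients get a resolution failure instead of the public
# 89.89.89.89 record, which would otherwise be cached for the record's TTL.
Set-DnsServerConditionalForwarderZone -Name $zone `
    -MasterServers $masters `
    -ForwarderTimeout 3 `
    -UseRecursion $false

# Verify the zone settings and the answer the server now returns for the public-facing host.
Get-DnsServerZone -Name $zone |
    Format-List ZoneName, MasterServers, ForwarderTimeout, UseRecursion
Resolve-DnsName -Name "host1.$zone" -Server 'localhost' -Type A

# Drop any already-cached public answers on the server (and on this client, if run there).
Clear-DnsServerCache -Force
Clear-DnsClientCache
```

Clients that already cached 89.89.89.89 keep it until the TTL expires or `ipconfig /flushdns` is run on them.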
