Deny access to a DNS host for a subnet

Hello, is it possible to deny access to an A host in Windows 2016 DNS for a subnet?

So for example, I don't want the subnet 172.16.1.0/24 to know about the host OWA.

So for example, if 172.16.1.50 pings OWA, I don't want it to know the IP address.

The reason for this is that we have cellphones, and when they are connected to the VPN the email client doesn't work because it tries to reach OWA with the internal IP.

So I want them to use the external public IP of OWA instead when connected to the VPN.

Thanks for the help!

Jean-François Guénet, Network Administrator, asked:
noci, Software Engineer, commented:

Either create a firewall rule to block (or better, reject) the connections from there,
or null route (black hole route) the subnet you want to block.

Some DNS servers have their own access rules.
timgreen7077, Exchange Engineer, commented:

VPN is basically your internal network, so OWA should work just fine, but the native email client may be affected and not work, though OWA should still work. Is that what you are experiencing?
kevinhsieh commented:

If you block access to the DNS server for your VPN clients, then ALL DNS will fail for them. You can't assign public DNS to them either, because then all name resolution to your internal network will be broken.

As I see things, in order to make this work at all, you need to modify the firewall to allow access to the OWA server at the private IP address while on the VPN. Can the VPN clients even hit OWA on the public IP?

A slightly different route is to change internal DNS to point to the public IP for OWA, and to modify the firewall so that everything from the inside, including all inside networks and the VPN, ...

Justin Yeung, Senior Systems Engineer, commented:

For Windows DNS, you are out of luck.

I do not know what the purpose of this is; however, the workaround is to set up a standalone DNS (I assume you are in a DMZ), maybe 2 servers, as the DNS servers for the subnet.

You can configure any record as you wish without breaking the production DNS (a zone that only sits in the DMZ DNS).
Jean-François Guénet, Network Administrator, Author, commented:

I've done what kevinhsieh suggested. So I created a NAT loopback so internal clients can access OWA with the external IP address, and my DNS host OWA now points to the external IP address instead of the private IP.

Thanks!
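The accepted solution above (repoint the OWA record at the public address and rely on NAT loopback), plus the per-subnet alternative that Windows Server 2016 DNS policies make possible, as an added PowerShell example. This is not code from the thread or from any of its participants. The zone name corp.example.com, the DNS server name dns01, the public address 203.0.113.10 (a documentation range) and the record name owa are assumptions; only the VPN subnet 172.16.1.0/24 comes from the question.

```powershell
# Added example, not part of the original thread. Run on the DNS server or from a
# host with the DnsServer RSAT module. Assumed values: zone corp.example.com,
# server dns01, record "owa", public IP 203.0.113.10. Subnet from the question.
$Zone      = 'corp.example.com'
$DnsServer = 'dns01'
$Record    = 'owa'
$Fqdn      = "$Record.$Zone"
$PublicIP  = '203.0.113.10'
$VpnSubnet = '172.16.1.0/24'

# --- Option A: what the accepted answer did. One A record, pointed at the public
# address for every client; hairpin NAT (NAT loopback) on the edge firewall is what
# makes that address reachable from inside. Replace the existing record in place so
# the change is a single atomic update rather than a delete followed by an add.
$old = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Record -RRType A `
        -ComputerName $DnsServer -ErrorAction SilentlyContinue
if ($old) {
    $new = $old.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($PublicIP)
    Set-DnsServerResourceRecord -ZoneName $Zone -OldInputObject $old -NewInputObject $new `
        -ComputerName $DnsServer
} else {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Record -IPv4Address $PublicIP `
        -ComputerName $DnsServer
}
# Caveats a practitioner checks before calling this done:
#  * Clients keep the old private answer until the record's TTL expires.
#  * If "owa" is the Exchange server's own hostname, dynamic DNS registration from
#    that server will put the private IP back; use a separate static name for OWA.

# --- Option B: answer differently per client subnet (Windows Server 2016 DNS
# policies). The default zone scope keeps the private IP for the LAN; only queries
# from the VPN subnet for this one name are served from a scope holding the public IP.
Add-DnsServerClientSubnet -Name 'VpnClients' -IPv4Subnet $VpnSubnet -ComputerName $DnsServer
Add-DnsServerZoneScope -ZoneName $Zone -Name 'VpnScope' -ComputerName $DnsServer
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'VpnScope' -A -Name $Record `
    -IPv4Address $PublicIP -ComputerName $DnsServer
# The -Fqdn criterion matters: a scope does not inherit records from the default scope,
# so a policy keyed on subnet alone would send every query from the VPN for this zone
# into VpnScope and every other name would stop resolving for those clients.
Add-DnsServerQueryResolutionPolicy -Name 'VpnOwaPublic' -Action ALLOW `
    -ClientSubnet 'eq,VpnClients' -Fqdn "eq,$Fqdn" -ZoneScope 'VpnScope,1' `
    -ZoneName $Zone -ComputerName $DnsServer

# The literal request in the question (hide the name from that subnet) is a DENY
# policy. It makes the phones' mail client fail outright instead of fixing it, so it
# is shown here only for completeness and left commented out.
# Add-DnsServerQueryResolutionPolicy -Name 'VpnOwaDeny' -Action DENY `
#     -ClientSubnet 'eq,VpnClients' -Fqdn "eq,$Fqdn" -ZoneName $Zone -ComputerName $DnsServer

# Verify: list the policies, then resolve the name from a host on 172.16.1.0/24 and
# from a LAN host. With Option B the two answers should differ.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone -ComputerName $DnsServer |
    Format-Table Name, Action, ProcessingOrder, IsEnabled
Resolve-DnsName -Name $Fqdn -Server $DnsServer -Type A
```

Option A is simpler and is what the thread settled on, but it depends on the firewall's NAT loopback working for every internal network. Option B keeps internal clients on the private path and changes only what the VPN subnet sees; it requires the query to arrive at the DNS server with a source address inside the VPN pool, so check that the VPN gateway is not NATing client DNS traffic before relying on the ClientSubnet criterion.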