0

I came across a customer site Windows DNS server that has it's external domain in a forward lookup zone on the AD server. There are some A and CNAME records here that we really don't want to be public. I'm wondering if we can configure DNS to point upstream to their SOA if it doesn't have an answer to a query for this domain, say searching for autodiscover.domain.com.

The upstream is a BIND DNS controlled by a web hosting company. I don't want to transfer zones and overwrite the static entries here, just reach out upstream if we don't know.

Is this possible? what's the mechanism? It's not really a split-DNS. I modified the SOA record but it doesn't do a recursive query upstream if it doesn't know.

Thanks,

Dacid Salin
  • 204
  • 4
  • 12

2 Answers2

1

The DNS server is authoritative for the zone. Any queries for the zone records will be answered by the server. If no record matches the query then the server will respond with an NXDOMAIN. Windows DNS won't forward the query to an upstream server.

What you can do is to create a zone for each of the records and create an "apex" A record in the zone for the ip address that each of those records should resolve to. This will make the server authoritative for only those "subdomains" and the server will forward all queries for the parent domain to the external DNS servers.

So... you'd create a zone named www.domain.com and then you'd create an "apex" A record in the zone with the ip address that www.domain.com should resolve to. Rinse and repeat for the other records.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • Looking into this, I see what you are speaking about. But there aren't any subdomains that need the server to be athoritative for. I understand I'll create an apex A record under domain.com named domain.com and it will have the ip address it resolves to. Some of our clients have AD domains that are named the same as their external domain which is a problem and I'm just trying to get resolution to work properly without static entries locally, but there aren't that many to manually do, so I'll built out the few manual (mostly autodiscover) records that need to be done. – Dacid Salin Jun 01 '18 at 17:58
0

The simplest thing to do is just manually copy everything from the hosting company DNS to AD DNS. If you rarely make changes to the hosting company DNS, this is the least headache approach.

The root cause of this problem is that the AD domain matches the public domain. The correct way to fix this is to set up AD as a subdomain. With greenfield implementations, this is easy. Migrating an existing AD to a subdomain is difficult.

See Active Directory Split-Zone vs SubDomain Domain Name

longneck
  • 23,082
  • 4
  • 52
  • 86
  • Thanks for the reply. I know I can do that and it's easy, but I'm looking for a dynamic solution that I can use as a blanket approach across multiple clients so I don't have to remember who has what local static entries if a hosted DNS is updated. – Dacid Salin May 30 '18 at 20:21
  • There is no pre-existing solution that I am aware of. See my edit. – longneck May 30 '18 at 20:25