Conditional Forwarder or DNS Stub Zone to Non-Authoritative DNS Zone

Question

How could I go about forwarding DNS lookups to a non-authorative zone, in a sort of 'next hop' scenario?

The setups is as follows:

One ADDS Domain (contosob.local) which contains two DNS servers, these servers need to be able to lookup records for another ADDS domain (contosob.local) however it is not possible for these servers to speak directly. This is merely for security and not due to clashing subnets.

However, there is another domain (notconsoto.local) which can speak to both the contosoa.local domain and the contosob.local domain. The DNS servers within this domain have a Stub Zone which forwards all lookups for contosob.local to it's DNS servers. This is all working as intended.

However, I still need contosoa.local to lookup records for contosob.local. I tried to create another Stub Zone which pointed lookups to the Stub Zone in notcontoso.local but as this is not an authoritative zone it was denied.

How can I hop DNS lookups via notcontoso.local from contosoa.local? I tried adding one of contosob.local's DNS servers to the DNS client on the required hosts however this does not work as Windows doesn't seem to round robin that far down the list.

Answer 1

This is certainly a one off case, but after testing this in my home lab it seems that it is possible to set up conditional forwarders in this manner.

So contosoa.local has a conditional forwarder for contosob.local that goes to notcontoso.local, notcontoso.local has a conditional forwarder for contosob.local that goes to contosob.local. The DNS query for contosob.local from contosoa.local will "flow" through notcontoso.local.

I've tested this successfully and confirmed the traffic flow with Microsoft Network Monitor.

Note that when setting this up, when the wizard prompts that the DNS server is not authoritative for the zone, add it anyway. Once the "chained" conditional forwarders are set up in contosoa.local and notcontoso.local the DNS query for contosob.local from contosoa.local should flow through notcontoso.local.