Windows Server - Internally managing only certain DNS records for a domain

Asked By Sam

16-Nov-09 01:39 PM

Hi,

This might be a bit of a strange one but I'd be really grateful if
someone was able to help me out on it...

We are hosting a sub-domain for another company on our internal web
servers, lets call this sub.other.com.  I need the PCs on our LAN to
be able to resolve its internal IP address rather than the external
one.  However, if I add other.com into my local Active Directory DNS,
it will mean that our LAN PCs will not be able to resolve other
subdomains of other.com, like www.other.com, as the server will say
the name does not exist.

I tried asking them to add a CNAME to sub-other.ourdomain.com so that
I could put in my own A record to this in our local DNS but it appears
that DNS does not work in the way that I thought it does i.e. it
does not make a separate request via our internal server for each alias
when each CNAME record is resolved, instead it just resolves the whole
chain on the first server that is able to answer the question.  This
is much more efficient of course, but does not help me to do what I
need to do.

Temporarily I have resorted to adding local records into the HOSTS
file of computers that need it but this is not very managable.

Anyone got any better ideas of how to do this?

Sam

16-Nov-09 10:46 AM

Hi Sam,

There is nothing stopping you from creating a Forward Lookup Zone called
internal IP (that will appear as "(same as parent folder)" in the console).

Flush the DNS cache on a client and you should find that a lookup for
sub.other.com resolves to the internal IP, while all other hosts under
other.com continue to resolve to public addressing.

HTH

Chris

16-Nov-09 10:51 AM

Incidentally, this is something best configured on the firewall /
router, sometimes referred to as DNS Loopback or NAT Loopback.

If that is not an option, the zone as described in my previous post will
work without compromising name resolution for everything else in that
domain.

Chris

16-Nov-09 01:39 PM

Of course, that makes total sense now I think about it!  The DNS zone
is now working fine, I will look for firewall settings tomorrow.  Thanks
very much for both ideas Chris.

Sam

16-Nov-09 02:07 PM

You're welcome :)

Chris

19-Nov-09 11:56 PM

Very, VERY, *VERY* nice (if not nasty) trick.  I think I will add that to
my tool box.



Grant. . . .

20-Nov-09 12:44 AM

Grant, this is a common trick, err, configuration, so to speak. The reason
it works is that sub.other.com is a specific namespace. If any queries come
in with that namespace or zone, DNS will respond to it with what is in the
zone, otherwise, any queries to "anythingelse.com" will be recursed out
(either forwarders or Roots) because it does not host that zone. It looks
locally first for an exact match before it looks elswhere.

Ace

20-Nov-09 12:50 AM

I understand completely why it work.  I had just never thought of using
it that way.  I love the idea.  I have also shared it with a couple of
groups of fellow administrators already.

it is one of those things that is so simple and obvious it gets missed.
You know, "...cannot see the forest for the trees...".



Grant. . . .

20-Nov-09 08:36 AM

Good analogy. :-)

Ace