Can an authoritative DNS server be configured to recurse when unable to find record locally?
Hopefully this is possible to do.
The question
Is it possible to configure a DNS server that is authoritative for a given domain to "fall back" and recurse via Forwarders / Root Hints when it cannot find the record locally?
The scenario
To give a concrete scenario, imagine a private (internal) network that is served by an internal Active Directory-backed DNS server (10.10.10.10) for the domain poorlyplanned.com.
Internal clients that query for records like hostgroupA.poorlyplanned.com get their answer from the local internal DNS server (10.10.10.10).
Queries from internal clients for other domains are recursively resolved via the internal DNS server (10.10.10.10) using forwarders/root hints.
Additionally, there is a public DNS server (large highly available load balanced servers actually), say at IP 1.2.3.4, which is authoritative for the same domain name poorlyplanned.com.
External clients that query for records go directly to the public DNS server at 1.2.3.4 for resolution. For example, a public query for webserverX.poorlyplanned.com is resolved directly from public DNS server 1.2.3.4 and returns say 50.51.52.53 to the client. When I say resolved directly, I mean that the NS records point to the public DNS server and the query is not going via the internal server (it isn't publicly accessible anyway).
The internal DNS gets populated with private DNS records for poorlyplanned.com that are not intended to be publicly resolvable, whereas the external DNS gets populated with public DNS records (for the same domain) that should be publicly resolvable.
So far, pretty standard DNS stuff, though arguably not ideal.
The problem
Internal clients cannot resolve public DNS records like webserverx.poorlyplanned.com because these records are not defined on the internal DNS server. Since the internal DNS server is authoritative for the same poorlyplanned.com domain, it simply returns a 'DNS record not found' result after looking at the internal records only - as authoritative DNS servers normally do.
A constraint we have is that the public DNS server is administered by a 3rd party and has frequent churn, making it a very hard task to manually maintain a duplicate set of records on the internal DNS server without dropping the ball.
As a workaround, we tried adding additional client-side DNS lookup server entries pointing to the external DNS servers (in an attempt to supplement the internal DNS servers), but that doesn't work because both are authoritative and the client doesn't try subsequent servers on the list once one returns with a result.
Split-brain or horizontal configurations are not feasible either because those have both servers containing the same DNS records, just with different IPs or can share zone files.
However, if it were possible to have the internal DNS server recursively resolve via forwarder/root hints when it cannot find the record locally that would work a charm. But how?
I realise that if the internal domain was originally configured with some sub-domain offset like int.poorlyplanned.com then we don't have a problem. Unfortunately the scale of the resources already deployed and the sites involved is prohibitive of such a change.
Surely this isn't a unique problem?
I hope I've expressed myself clearly enough - please let me know if I can help clarify.
Thanks for reading/helping!
domain-name-system active-directory windows-server-2016 internal-dns split-dns
asked 2 mins ago
Jaans
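The lookup behaviour the question describes, as an added example that is not part of the original post: a small Python model in which an authoritative server answers NXDOMAIN for any name inside its zone that it does not hold, a stub client stops at the first server that answers at all, and a hypothetical `fallback_on_miss` switch shows what the asker is after and why the client-side workaround cannot help. All zones, hostnames and addresses are constructed sample data; the `forwarder` server and the `fallback_on_miss` switch are assumptions of this model, not a feature of any real DNS product.

```python
# Added example (not from the post): toy model of authoritative vs. recursive
# lookups for the split-zone scenario in the question. Sample data is constructed.
from dataclasses import dataclass, field
from typing import Optional

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


@dataclass
class Answer:
    rcode: str
    data: Optional[str] = None
    aa: bool = False  # the AA (authoritative answer) flag on the wire


@dataclass
class DnsServer:
    name: str
    zones: dict                     # zone apex -> {fqdn: IPv4 address}
    forwarders: list = field(default_factory=list)
    fallback_on_miss: bool = False  # hypothetical switch: what the question asks for

    def _zone_for(self, fqdn):
        hits = [z for z in self.zones if fqdn == z or fqdn.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def resolve(self, fqdn: str) -> Answer:
        fqdn = fqdn.lower().rstrip(".")  # DNS names are case-insensitive
        zone = self._zone_for(fqdn)
        if zone is not None:
            rr = self.zones[zone].get(fqdn)
            if rr is not None:
                return Answer(NOERROR, rr, aa=True)
            if not self.fallback_on_miss:
                # Standard behaviour: the server owns the zone, so "not here"
                # means "does not exist" and it answers NXDOMAIN with AA set.
                return Answer(NXDOMAIN, aa=True)
            # Hypothetical fallback: ask forwarders first. Caveat for defenders:
            # every miss for an internal-only name now leaves the network as a query.
        for upstream in self.forwarders:
            ans = upstream.resolve(fqdn)
            if ans.rcode == NOERROR:
                return Answer(NOERROR, ans.data, aa=False)
        return Answer(NXDOMAIN, aa=zone is not None)


def stub_lookup(fqdn: str, servers: list) -> tuple:
    """Client side: the first server that answers at all wins. NXDOMAIN is an
    answer, so servers listed after it are never asked (the failed workaround)."""
    for srv in servers:
        ans = srv.resolve(fqdn)
        if ans.rcode in (NOERROR, NXDOMAIN):
            return srv.name, ans.rcode, ans.data
    return None, "SERVFAIL", None


def build(fallback: bool = False):
    public = DnsServer("1.2.3.4", {"poorlyplanned.com": {"webserverx.poorlyplanned.com": "50.51.52.53"}})
    # Assumed recursive forwarder; in reality it would reach 1.2.3.4 via the NS records.
    upstream = DnsServer("forwarder", {"example.net": {"www.example.net": "203.0.113.10"}}, forwarders=[public])
    internal = DnsServer("10.10.10.10", {"poorlyplanned.com": {"hostgroupa.poorlyplanned.com": "10.10.20.5"}},
                         forwarders=[upstream], fallback_on_miss=fallback)
    return internal, public
```

Running `stub_lookup("webserverX.poorlyplanned.com", [internal, public])` against `build()` returns the internal server's authoritative NXDOMAIN even though 1.2.3.4 is listed second, while `build(True)` returns 50.51.52.53 from the internal server.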