new DNS zone with Forward to external DNS

Question

I read DNS and Forward Lookup Zones but I did not find the answer there.

I have Microsoft Domain with Active directory server, and DNS server for internal use. My local domain called example.local and it is managed by this server. I need to be able to add locally example.com (Which managed by external public DNS server like GoDaddy), But I need the local DNS server to forward the lookup in case of a non-existent record.

For example: on the public DNS server i have www.example.com -> 1.2.3.4

On the local DNS I have mail.example.com -> 2.3.4.5

Now, I need to be able to lookup both www and mail.example.com from Internal (It is OK of course to lookup only www from external), but I do not want to overwrite it; instead I want to put only mail.example.com on the local and that the DNS server will forward it to the ISP DNS.

Is it possible?

score 3 · Answer 1 · answered May 19 '14 at 14:48

3

Would something like this work for you:

enter image description here

answered May 19 '14 at 14:48

Dusan Bajic

2,046
1
17
20

Oh, excelent idea! I will try it. – gabi May 19 '14 at 14:54
disclaimer: I would never do this in my environment. – Dusan Bajic May 19 '14 at 15:01
Yes, i only need it for 1 A record – gabi May 19 '14 at 15:02
1

I know this is an old question/answer but incase someone can is it possible to understand why this is not recommended? (apart from other servers then also not being able to talk externally just to this address). – medoix Nov 16 '15 at 04:43
1

There is nothing technically wrong with this, but if you do it routinely it might end up being very difficult to maintain. – Dusan Bajic Nov 16 '15 at 07:38

score 2 · Answer 2 · answered May 19 '14 at 13:08

2

I hope I understood the question, but I'll include 2 scenarios just in case:

SCENARIO #1 - you want to forward unresolved requests externally

This is easy to do, you can either leave the default alone, which will forward unresolved DNS lookups to the root hint servers. Or you can go to the Forwarders tab inside Properties of your DNS server in the DNS admin tool. Set the appropriate external FQDN or IP address of the external DNS server you want responsible for forwarded lookups (for instance you could use your ISPs DNS server, or something like 8.8.8.8 which is Google's public DNS server).

SCENARIO #2 - you want to resolve names you own like mail.example.com locally

If you want to resolve names that exist normally externally to internal IP addresses, for instance your mail server that you host internally, then you can create authoritative DNS forward lookup zones for that domain name (example.com). Then add ALL of the A records required, such as MAIL, WWW, FTP, etc. and set their IPs to either their internal OR their external IP addressses (if they aren't hosted locally). You would need to include all the A records like WWW that you want internal users to be able to access via DNS FQDN, because once the local DNS server(s) become authoritative for that domain name it won't forward on unresolved hostnames externally at that point.

answered May 19 '14 at 13:08

TheCleaner

32,352
26
126
188

On Scenario 2 you are saying to build new locally zone and put all my A records in it, right? like overwrite the external DNS. On scenario 1 you are saying to do what I need (I think), but today I already have forwards - today I have no example.com zone, so all my example.com records lookup forwards to my ISP. the issue is that I am adding new zone (example.com) to my DNS server, I am not forwarded to the external DNS, It keep saying the record not found.. – gabi May 19 '14 at 13:22
Scenario #2 would "work" but it's a misuse of DNS in my opinion, as it blocks internal users from accessing the actual authoritative DNS server (i.e. the external one) for example.com. – Ryan Ries May 19 '14 at 13:24
the issue is I need to access different IP from internal and from external.. for example, I need the users on the office to go to demo.example.com as 1.2.3.4 and external users on the internet to go to demo.example.com to 20.30.40.50 ... Is there way to do it beside overwriting the DNS domain (And adding future record twice, one for the world one and one for my internal one). Thanks. – gabi May 19 '14 at 13:29
I don't know of another way @gabi besides duplicating zones internally and externally (scenario #2). A possible alternative that might be better would be to point internal users to the internal FQDN like mail.example.local instead. – TheCleaner May 19 '14 at 13:58

Ryan Ries · Answer 3 · 2014-05-19T13:19:21.887

Maybe you could do something funky with Bind views, but not with Microsoft DNS. With Microsoft DNS, a server is either authoritative for a zone, or it is not. There is no "semi-authoritative."

You can set up a conditional forwarder for example.com to forward all queries for example.com to the specified name servers. You can set up a stub zone for example.com to forward all queries for example.com to the specified name servers. But not like what you're talking about. If you set up a Forward Lookup Zone for example.com on your internal DNS server, then your DNS will simply start returning NXDOMAIN for every query for *.example.com that isn't in your lookup zone.

My basic advice would be (assuming you own example.com) would be to name your internal Active Directory as a subdomain of example.com, such as corp.example.com for example. Then your internal clients should be configured to look for mail.corp.example.com when they want to use the internal mail server, and mail.example.com when they want to use the external mail server.

what is that NXDOMAIN ? can I use it to ask other specific DNS server for the records? — gabi, May 19 '14 at 13:24
NXDOMAIN is the response code that DNS servers return to the client when a record is not found in a zone for which that DNS server is supposedly authoritative. (Being authoritative for a zone means there are no DNS servers higher up in the hierarchy to forward the query to.) — Ryan Ries, May 19 '14 at 13:27

new DNS zone with Forward to external DNS

3 Answers3