
I currently have set up my Windows DNS to forward to OpenDNS. However, all traffic in OpenDNS shows up from the IP of my local Windows DNS server. Is there any way I can make the individual devices look to the local DNS and if they don't find what they are looking for look at OpenDNS. This way - OpenDNS would see the devices themselves and not just the Windows DNS Server. Or is there a way to have a public DNS and a private DNS?

All of my devices do not share a single IP - but OpenDNS is seeing the DNS requests coming from our local DNS server, which is required for Active Directory.

Thanks in advance for your help!

dingerkingh
  • Is this an AD domain? – joeqwerty Aug 15 '14 at 17:13
  • Yes - but it is on a public ip address scheme but is behind a firewall. However - it is not NAT. – dingerkingh Aug 15 '14 at 17:22
  • 2
    OK, then all of your domain clients should only use your AD DNS server(s) for DNS. Do not configure any alternate DNS servers on any of the domain clients, including the DC. Leave the OpenDNS forwarders in the configuration of the DNS server and leave it at that. Configuring any domain clients to use DNS servers other than your AD DNS server(s) goes against best practice and is asking for problems. – joeqwerty Aug 15 '14 at 17:27
  • Yeah - the problem I am having though is OpenDNS sees all traffic coming from the AD DNS server. So it is applying the same filter to everyone. I need OpenDNS to realize that the machines are all on separate IP addresses if possible in some way. – dingerkingh Aug 15 '14 at 17:38
  • You can't do this. Also, forwarding to OpenDNS public servers is a bad idea, as they return their own data for non-existent domains by default. ('NX domain redirection') – BlueCompute Aug 18 '14 at 11:18

1 Answer


We occasionally get questions about how one can selectively look up DNS domains at the client level, but it's simply not the job of the client to do that. Resolver libraries are dumb by design and expect the upstream recursor to do the heavy lifting for them.

  • The only way to solve this problem at the client level is for the client itself to operate a DNS server (not necessarily a full one, dnsmasq and the like are common solutions in Unix space), and have the client use 127.0.0.1 for its DNS. This is rarely ever done on Windows servers.
  • The recursor (Windows DNS) is responsible for preventing leakage to the upstream forwarder (OpenDNS). If the request is for a FQDN managed by AD, that query should not hit OpenDNS. Short names (foo as opposed to foo.example.com) will leak if you have a search suffix defined on the client that is not a domain your AD infrastructure considers itself authoritative for.

If this answer does not satisfy you, please update your question to include the search domains used by the client and an example of a query that is leaking to OpenDNS.

Andrew B
  • Do you know if there is a way to have AD DNS forward the request on to OpenDNS so that OpenDNS could see which device the request was coming from? – dingerkingh Aug 15 '14 at 18:11
  • @dingerkingh OpenDNS would see the source IP of the server performing the recursion (or more likely the source IP of your outbound NAT address), not the workstation. If I'm not understanding this correctly, I strongly recommend updating your question to include an example of the behavior in question. We may not be using the same terms. – Andrew B Aug 15 '14 at 18:13
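The accepted answer's two points (the recursor, not the client, decides what reaches the forwarder, and short names leak when a client search suffix is not an AD-authoritative zone) can be made concrete with a small model of the lookup path. The following is an added example, not code from the question, the answer or any Microsoft or OpenDNS tool: it models a Windows-style stub resolver that qualifies short names with its suffix search list, an AD DNS server that answers from its authoritative zones and forwards everything else, and an audit that lists the suffixes that will cause leaks. Zone names, suffix lists, host names and the simplified client behaviour (short names get every suffix appended in order, names containing a dot are sent as-is, an upstream answer is assumed to be NXDOMAIN so the client moves on) are all constructed assumptions for illustration.

```python
"""Where does a client's DNS query end up: the local AD DNS server or OpenDNS?

Hypothetical model (not the Windows resolver or DNS server code). Zone names,
records and suffix lists below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

LOCAL = "answered locally"
NXLOCAL = "NXDOMAIN (local, authoritative)"


@dataclass
class StubResolver:
    """A dumb client resolver: it appends each search suffix to a short name
    and sends every candidate to the one configured DNS server."""
    suffix_search_list: list[str] = field(default_factory=list)

    def candidates(self, name: str) -> list[str]:
        """Names the client will ask for, in order. Simplification (assumed):
        a name with a dot or a trailing dot is sent as-is; a bare short name
        gets each suffix of the search list appended in turn."""
        name = name.lower()
        if name.endswith("."):
            return [name.rstrip(".")]
        if "." in name:
            return [name]
        return [f"{name}.{s.lower().rstrip('.')}" for s in self.suffix_search_list]


@dataclass
class AdDnsServer:
    """The recursor: answers from zones it is authoritative for and forwards
    every other name to the configured forwarder (OpenDNS in the question)."""
    authoritative_zones: list[str]
    records: set[str]                       # constructed: names that exist locally
    forwarder: str = "OpenDNS"

    def zone_for(self, fqdn: str) -> str | None:
        # Longest matching zone wins, as a real server's zone lookup would.
        for zone in sorted(self.authoritative_zones, key=len, reverse=True):
            z = zone.lower().rstrip(".")
            if fqdn == z or fqdn.endswith("." + z):
                return z
        return None

    def resolve(self, fqdn: str) -> str:
        fqdn = fqdn.lower().rstrip(".")
        if self.zone_for(fqdn) is None:
            return f"forwarded to {self.forwarder}"
        return LOCAL if fqdn in self.records else NXLOCAL


def trace(client: StubResolver, server: AdDnsServer, name: str) -> list[tuple[str, str]]:
    """Every (query, outcome) pair the client generates while resolving `name`.
    The client stops at the first positive local answer; after a forwarded
    query it is assumed (constructed behaviour) to get NXDOMAIN and continue."""
    steps: list[tuple[str, str]] = []
    for q in client.candidates(name):
        outcome = server.resolve(q)
        steps.append((q, outcome))
        if outcome == LOCAL:
            break
    return steps


def leaked_queries(client: StubResolver, server: AdDnsServer, name: str) -> list[str]:
    """Names that left the AD DNS server for the forwarder while resolving `name`."""
    return [q for q, outcome in trace(client, server, name) if outcome.startswith("forwarded")]


def suffix_audit(client: StubResolver, server: AdDnsServer) -> list[str]:
    """The check the answer implies: search suffixes that are not (under) an
    AD-authoritative zone. Any short name that misses in AD leaks through these."""
    return [s for s in client.suffix_search_list
            if server.zone_for(s.lower().rstrip(".")) is None]


if __name__ == "__main__":
    ad = AdDnsServer(authoritative_zones=["corp.example.com"],
                     records={"dc01.corp.example.com", "fileserver.corp.example.com"})
    # Client with an extra suffix that AD is not authoritative for (constructed).
    client = StubResolver(["corp.example.com", "lab.example.net"])
    for n in ("fileserver", "printer", "www.example.org", "dc01.corp.example.com"):
        print(n, "->", trace(client, ad, n), "leaks:", leaked_queries(client, ad, n))
    print("suffixes that will leak short names:", suffix_audit(client, ad))
```

Run as-is it shows that `fileserver` is answered locally and never reaches OpenDNS, while a short name that does not exist in AD (`printer`) is retried as `printer.lab.example.net` and forwarded; removing `lab.example.net` from the client's suffix list (or making AD authoritative for it) is what stops that leak, which is the audit the answer asks the questioner to perform.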