3

I work for a company with a split DNS configuration on the AD domain. I know that this is less than ideal, but I'm not in a position to drive change in this area. I own authoritative DNS (internal and external) where Active Directory is not involved, and another team owns the domain controllers.

Background:

  • We have a split domain called example.com which lives on all the domain controllers.
  • The DCs are configured to use forwarders for all domains that they are not authoritative for.
  • There is a subdomain of that (sub.example.com) that is delegated to public IP addresses in a DMZ using NS records. I have a need to eliminate these IP addresses use internal IP addresses that are outside the DMZ.
  • The new IP addresses are reachable from the forwarders, but not the domain controllers.

To represent this visually:

    example.com. (DCs are authoritative)
sub.example.com. (subdomain not managed by the DCs)

I would like to have the sub.example.com. NS records converted to a conditional forwarder that sends traffic along to the standard forwarders, but I am being told by our domain admins that Windows DNS will not allow a forwarder within a forward lookup zone.

Is it true that this is an unsupported configuration? Other DNS products have no problem with a forwarder that is beneath an authoritative zone, so I want to make sure I'm working with the correct information before I move on to a different strategy, such as firewall holes for every DC that bypass the forwarders. (argh)

I've already reviewed Forward requests for subdomain to another DNS server in Windows 2k3 and the accepted answer that recommends a NS delegation, which doesn't answer this question.

Andrew B
  • 31,858
  • 12
  • 90
  • 128

1 Answers1

2

I'll preface this with the disclaimer that I'm not very familiar with the MSDNS specifics.

First of all, I can confirm that if you try to just add such a forwarding zone (eg a sub.example.com forwarding zone when example.com exists as a regular zone) you are met with this error dialog:

---------------------------
DNS
---------------------------
A problem occurred while trying to add the conditional forwarder.
A zone configuration problem occurred.
---------------------------
OK   
---------------------------

(Glorious ASCII representation auto-generated by Windows.)


However, as is noted in the Using Forwarders documentation (emphasis added):

A DNS server cannot forward queries for the domain names in the zones it hosts. For example, the authoritative DNS server for the zone microsoft.com cannot forward queries according to the domain name microsoft.com. The DNS server authoritative for microsoft.com can forward queries for DNS names that end with example.microsoft.com, if example.microsoft.com is delegated to another DNS server.

Ie, if you delegate sub.example.com elsewhere first (limiting the scope of your example.com zone) it then does allow you to add a forwarding zone for sub.example.com.

Whether going down this path actually works out for you will probably depend on the nitty gritty details of your scenario.

For what it's worth, I did notice is that it appears that MSDNS for some reason ignores the RD (recursion desired) bit for forwarding zones (ie, it forwards even when RD is not set), so it appears the above mentioned delegation is not actually visible in this setup.

Håkan Lindqvist
  • 33,741
  • 5
  • 65
  • 90
  • Dead on. This is looking promising in our testing so far. I'm going to leave the question open for a few more days but it's looking like this is going to solve our problem. Thank you. – Andrew B Jun 03 '15 at 00:56
  • Just a follow up: we ended up deploying this workaround to our DCs nationwide and it's working great. Thanks again. – Andrew B Jun 16 '15 at 10:47