
I have several Windows Servers on 2 different locations. The servers on Site A have multiple IPs for different subnets configured. Site B can only reach one of Site A's subnets (e.g. 192.168.1.0/24). For the other subnets there's no routing configured, they don't need to be reached from Site B.

Site A and B use different domains and have their own Windows DNS servers. A stub zone is configured on both sides to resolve the other Site's domain names.

The problem with this setup is that DNS queries on Site B will randomly resolve to one of the multiple IPs the servers on Site A have. But I can only reach one specific subnet from Site B.

As an example: ping Server1.siteA.com will ping 192.168.1.1 the first time, which is okay. The second time the same command will try to ping 10.10.1.1 because my DNS server replied with an IP from a different subnet, which can't be reached.

How can I fix this? Thanks in advance for any help!

Karl

1 Answer


Not sure where the problem is coming from but for the interim you can configure a Windows Firewall rule (on each DNS Server) that will restrict responses to that subnet.

Each rule should limit access to UDP Port 53 and TCP Ports 53, 139, and 445. You should also disable the default Win Firewall rule that allows access to the DNS Service from any Network. This may stop it altogether or lead to more clues. Good luck, -Shiftnumlock
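The firewall configuration the answer describes, written out as an added PowerShell example (not code from the original post): inbound rules for UDP 53 and TCP 53, 139 and 445 scoped to one remote subnet, the built-in "DNS Service" rules disabled, and a verification listing. The subnet value and the custom rule group name are constructed placeholders; the 'DNS Service' display group is the default group of the DNS Server inbound rules on Windows Server and is assumed to be present.

```powershell
# Added example (not from the original post). Creates inbound Windows Firewall
# rules on a DNS server that allow DNS (UDP/TCP 53) and NetBIOS/SMB (TCP 139, 445)
# only from one remote subnet, then disables the built-in DNS Service rules that
# accept queries from any network. Run in an elevated PowerShell on the DNS server.

$AllowedRemote = '192.168.1.0/24'          # constructed placeholder: subnet the clients query from
$Group         = 'Restricted DNS Access'   # hypothetical custom rule group name

# One rule per protocol/port set, all scoped to the allowed remote subnet.
$Rules = @(
    @{ Name = 'DNS UDP 53 (restricted)';              Protocol = 'UDP'; Port = 53 },
    @{ Name = 'DNS TCP 53 (restricted)';              Protocol = 'TCP'; Port = 53 },
    @{ Name = 'NetBIOS/SMB TCP 139,445 (restricted)'; Protocol = 'TCP'; Port = 139, 445 }
)

foreach ($r in $Rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Group $Group `
            -Direction Inbound -Action Allow -Profile Any `
            -Protocol $r.Protocol -LocalPort $r.Port `
            -RemoteAddress $AllowedRemote | Out-Null
    }
}

# Disable the built-in inbound rules that expose the DNS service to any network.
Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Verify: show each new rule with its protocol, local ports and remote address scope.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

These rules limit which hosts can reach the DNS service; they do not by themselves change which A record the server returns for a multi-homed host, so checking the resolved addresses after the change is still worthwhile.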