I have a DNS and Active Directory server behind NAT (I have to). On the DNS server, AD automatically adds an NS record for the private IP address. How can I set a policy to respond with the local NS record for a specific subnet?

abc.com private public

It returns two NS records when I query name server.

I need a policy like this;

When a query comes from  it should return the  NS record.
When a query comes from any other IP it should return the  NS record.

1 Answer


You may use the DisableNSRecordsAutoCreation registry value to disable automatic NS record registration by domain controllers:

Key: HKLM\System\CurrentControlSet\Services\DNS\Parameters\
Value: DisableNSRecordsAutoCreation
Value Type: REG_DWORD
Value Data: 0x1

You should also use the PublishAddresses registry value to prevent your external/public address from being announced internally.

Key: HKLM\System\CurrentControlSet\Services\DNS\Parameters\
Value: PublishAddresses  
Value Type: REG_SZ
Value Data: ip address(es), separated by spaces if multiple  

To fully support the requirements, you may be able to utilize the new features of Windows Server 2016 DNS. See the following:


DNS Policies

You can use DNS Policy for Geo-Location based traffic management, intelligent DNS responses based on the time of day, to manage a single DNS server configured for split-brain deployment, applying filters on DNS queries, and more. The following items provide more detail about these capabilities.

  • Geo-Location Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

  • Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Active Directory integrated zones or for zones on standalone DNS servers.

Greg Askew
  • DisableNSRecordsAutoCreation is working great! I want to learn why AD automatically adds these records. I know the DNS Policies feature, but I couldn't write a policy for NS records. – Baran Mar 21 '17 at 19:44
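The following script is an added example and is not part of the answer above or of any Microsoft documentation; it strings the two registry values and the Server 2016 DNS Policy approach together in PowerShell. The zone name abc.com, the server host name dc1.abc.com, the private address 10.0.0.10 and the internal subnet 10.0.0.0/8 are assumptions standing in for the values elided in the question. It has to run in an elevated session on the DNS server itself (DnsServer module), and the policy part needs Windows Server 2016 or later. Whether the policy engine hands out the scoped NS record the way you need is exactly what the final Resolve-DnsName check is there to confirm.

```powershell
# Added example, not the original answer's code. Assumed values:
#   zone abc.com, DC/DNS host dc1.abc.com, private address 10.0.0.10,
#   internal client subnet 10.0.0.0/8. Run elevated on the DNS server.
$Zone        = 'abc.com'
$NameServer  = 'dc1.abc.com'
$PrivateIP   = '10.0.0.10'
$InternalNet = '10.0.0.0/8'
$Params      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Stop the DNS server from re-creating NS records for itself
#    (the DisableNSRecordsAutoCreation value from the answer).
Set-ItemProperty -Path $Params -Name 'DisableNSRecordsAutoCreation' -Value 1 -Type DWord

# 2. Publish only the private address in the server's own host (A) records.
#    Several addresses would be separated by spaces in the single REG_SZ value.
Set-ItemProperty -Path $Params -Name 'PublishAddresses' -Value $PrivateIP -Type String

# Both values are read by the DNS Server service at start-up.
Restart-Service -Name DNS

# 3. List what is registered at the zone apex. NS record data is a host
#    name, not an address, so look at the NameServer field.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType NS |
    ForEach-Object { $_.RecordData.NameServer }

# Removal of an NS record you no longer want (substitute the host name):
# Remove-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType NS `
#     -RecordData 'unwanted-host.abc.com.' -Force

# 4. Split-brain answer with DNS Policy: clients in the internal subnet are
#    served from the 'Internal' zone scope, everybody else from the default
#    scope, which keeps whatever NS/A records you leave there.
Add-DnsServerClientSubnet -Name 'Internal' -IPv4Subnet $InternalNet
Add-DnsServerZoneScope -ZoneName $Zone -Name 'Internal'
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'Internal' -NS -Name '@' -NameServer $NameServer
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'Internal' -A  -Name 'dc1' -IPv4Address $PrivateIP
Add-DnsServerQueryResolutionPolicy -Name 'InternalClients' -Action ALLOW `
    -ClientSubnet 'EQ,Internal' -ZoneScope 'Internal,1' -ZoneName $Zone

# 5. Verify. A query sourced from the private address matches the subnet
#    and should come back with the scoped NS record; compare with a query
#    from outside the subnet (or from a host that NATs through the public IP).
Resolve-DnsName -Name $Zone -Type NS -Server $PrivateIP
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
```

Step 4 only changes what internal clients see; the default scope still has to carry the records external resolvers should get, so audit it with Get-DnsServerResourceRecord (without -ZoneScope) after the DNS service restart.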