
We have a Windows 2012 domain with 2 different sites connected via VPN.

Site 1 has a DC with DNS, Site 2 has two DCs with DNS.

Most DNS zones are integrated into AD, so a change is reflected on all 3 DNS servers.

Site 1 and Site 2 both have more subnets (please consider a LAN and a DMZ), while the VPN links only LAN to LAN. In both DMZs there are servers which are accessible from the internet, so there is no need to add other VPNs for every combination of subnets between the sites.

What I would like to achieve is to access a DMZ server through its private address if I'm in the same site, and through the associated public IP if it is in the other site.

So name resolution should be different based on the site where the client is. Maybe I can create zones not integrated in AD, so they can be different on each DNS server.

I assume clients on site 1 will ask the DNS on site 1 first, otherwise this configuration will not work.

Site 2 has two DNS servers: do I have to manually align them for non-AD-integrated zones? Can I do something magic with primary/secondary/stub zones?

Filippo
  • If I understand you correctly, the feature you are searching for is named https://en.wikipedia.org/wiki/Split-horizon_DNS; how to set this up in Windows: no idea – Dennis Nolte Sep 19 '18 at 11:57
  • `I assume clients on site1 will ask dns on site1 first` - Yes, if you configure the clients that way. `Site 2 has two dns: do I have to manually align them for non AD integrated zones?` - Yes. `Can I do something magic with primary/secondary/stub zones?` - It's not magic. You just need to set up a Primary and Secondary copy of the zone. – joeqwerty Sep 19 '18 at 12:09
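
The primary/secondary arrangement described in the comments, as an added PowerShell example (not code from the question or the commenters): each site hosts its own standard (non-AD-integrated) copy of the same zone name, and within site 2 the second DC pulls a secondary copy so nothing has to be aligned by hand there. The zone name, DC names, subnets and addresses below are constructed assumptions; the cmdlets are the Windows Server 2012 `DnsServer` module run from an elevated console with `-ComputerName` targeting each DC.

```powershell
# Added example (not from the page): per-site copies of a standard zone, so the
# same name resolves to a different address depending on which site's DNS answers.
# Assumed (constructed) names and addresses:
#   Site 1: DC1 = 10.1.0.5               DMZ host web1: private 10.1.2.10, public 203.0.113.10
#   Site 2: DC2 = 10.2.0.5, DC3 = 10.2.0.6  DMZ host web2: private 10.2.2.10, public 198.51.100.10
$zone = 'dmz.example.com'

# --- Site 1: one standard primary zone on DC1 --------------------------------
# DynamicUpdate None: nothing should be able to register or overwrite these records.
Add-DnsServerPrimaryZone -ComputerName 'DC1' -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
# Site-1 clients get the private address of their local DMZ host ...
Add-DnsServerResourceRecordA -ComputerName 'DC1' -ZoneName $zone -Name 'web1' -IPv4Address '10.1.2.10'
# ... and the public address of the DMZ host that lives in site 2.
Add-DnsServerResourceRecordA -ComputerName 'DC1' -ZoneName $zone -Name 'web2' -IPv4Address '198.51.100.10'

# --- Site 2: standard primary on DC2, secondary on DC3 -----------------------
Add-DnsServerPrimaryZone -ComputerName 'DC2' -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
Add-DnsServerResourceRecordA -ComputerName 'DC2' -ZoneName $zone -Name 'web1' -IPv4Address '203.0.113.10'
Add-DnsServerResourceRecordA -ComputerName 'DC2' -ZoneName $zone -Name 'web2' -IPv4Address '10.2.2.10'

# Allow zone transfers to DC3 only, and notify it of changes. Leaving transfers
# open to any server would hand out the site's internal address map on request.
Set-DnsServerPrimaryZone -ComputerName 'DC2' -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers '10.2.0.6' `
    -Notify NotifyServers -NotifyServers '10.2.0.6'

# DC3 keeps a read-only secondary copy pulled from DC2: site 2's two servers
# stay aligned automatically, which answers the "manually align them?" question.
Add-DnsServerSecondaryZone -ComputerName 'DC3' -Name $zone -ZoneFile "$zone.dns" -MasterServers '10.2.0.5'

# Check each site's view of the same name by asking that site's servers directly.
Resolve-DnsName -Name "web2.$zone" -Server '10.1.0.5' -Type A   # site-1 view
Resolve-DnsName -Name "web2.$zone" -Server '10.2.0.6' -Type A   # site-2 view (via the secondary)
```

Because every server hosts the child zone itself, it answers from that zone directly, so no delegation from the AD-integrated parent is needed; the parent zone must not also carry `web1`/`web2` host records, and the assumption in the question (site-1 clients query site-1 DNS first) still has to hold on the client side, for example by ordering the DNS servers handed out by each site's DHCP scope.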

1 Answer


You can achieve this with Windows DNS servers once they are upgraded to Server 2016. In that release, you can use DNS Policies to achieve Split-Brain DNS.

Failing that, you might be able to achieve this by removing the A record from the AD-integrated zone, creating a new Forward Lookup Zone (non-AD-integrated) on each DC/DNS server, and creating a blank A record with the IP address to which you want the name to resolve for the site that the DC/DNS server primarily serves. This is not foolproof, and would not be reliable.

In the past, I have achieved this by using firewall trickery (my apologies, but it's been several years since I performed this) whereby the firewall was configured to route requests directly to the published resource rather than attempting a hairpin on the firewall.

Semicolon
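
The DNS Policies approach the answer mentions for Server 2016, as an added PowerShell example (not the answerer's code): the record stays in the single AD-integrated zone, and per-site zone scopes plus client-subnet policies decide which copy of the record a given query receives. Zone name, subnets and addresses are constructed assumptions; the cmdlets are from the Server 2016 `DnsServer` module.

```powershell
# Added example (not from the answer): split-brain answers for one AD-integrated
# zone on Windows Server 2016 using client subnets, zone scopes and query policies.
# Assumed (constructed) values:
#   zone example.com; site-1 LAN 10.1.0.0/16; site-2 LAN 10.2.0.0/16
#   DMZ host web1 sits in site 1: private 10.1.2.10, public 203.0.113.10
# Zone scopes and policies are per-server configuration and are NOT replicated
# by AD, so this script has to be run on each of the three DC/DNS servers.
$zone = 'example.com'

# 1. Name the client subnets the policies will key on (source address of the query).
Add-DnsServerClientSubnet -Name 'Site1LAN' -IPv4Subnet '10.1.0.0/16'
Add-DnsServerClientSubnet -Name 'Site2LAN' -IPv4Subnet '10.2.0.0/16'

# 2. One zone scope per site; each scope holds its own copy of the record.
Add-DnsServerZoneScope -ZoneName $zone -Name 'Site1Scope'
Add-DnsServerZoneScope -ZoneName $zone -Name 'Site2Scope'
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'Site1Scope' -A -Name 'web1' -IPv4Address '10.1.2.10'
Add-DnsServerResourceRecord -ZoneName $zone -ZoneScope 'Site2Scope' -A -Name 'web1' -IPv4Address '203.0.113.10'

# 3. Policies: a query from a site's LAN is answered from that site's scope.
#    The ",1" is the scope weight; with a single scope per policy it is simply 1.
Add-DnsServerQueryResolutionPolicy -Name 'Site1Policy' -Action ALLOW -ZoneName $zone `
    -ClientSubnet 'EQ,Site1LAN' -ZoneScope 'Site1Scope,1'
Add-DnsServerQueryResolutionPolicy -Name 'Site2Policy' -Action ALLOW -ZoneName $zone `
    -ClientSubnet 'EQ,Site2LAN' -ZoneScope 'Site2Scope,1'

# Queries that match neither subnet (e.g. the DMZs, or anything else unexpected)
# fall through to the default scope, i.e. the record already present in the
# AD-integrated zone. Make sure that default record is the public address, so an
# unclassified source is never handed the private one.
Set-DnsServerResourceRecord -ZoneName $zone `
    -OldInputObject (Get-DnsServerResourceRecord -ZoneName $zone -Name 'web1' -RRType A) `
    -NewInputObject (Get-DnsServerResourceRecord -ZoneName $zone -Name 'web1' -RRType A |
        ForEach-Object { $_.RecordData.IPv4Address = [ipaddress]'203.0.113.10'; $_ })

# 4. Review what is in force on this server.
Get-DnsServerClientSubnet
Get-DnsServerZoneScope -ZoneName $zone
Get-DnsServerQueryResolutionPolicy -ZoneName $zone
```

Two points worth checking before relying on this: the policy matches on the query's source address, and since the VPN is LAN-to-LAN, a site-2 client that ends up asking a site-1 DC still arrives as a 10.2.x.x source and gets the site-2 answer, which removes the "clients must ask their local DNS first" dependency; and because scopes and policies live outside AD replication, a DC that is missed when the script is run will silently serve only the default-scope (public) record.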