Split DNS

Discussion in 'Windows Server' started by Adrian Marsh (NNTP), Aug 12, 2009.

  1. Hi All,

    I've a DNS puzzle to solve. I'll use an example domain, but in summary,
    I need DNS to resolve an A record differently on one DNS server compared
    to two others.

    setup is:

    domain: some.mydomain.com, defined as a forward lookup zone
    There are 3 AD integrated DCs, all DNS servers, serv1 serv2 and serv3.
    Sites: serv1 and serv2 are in Site-UK, and serv3 is in Site-USA

    I need to set the A record of the domain itself (some.mydomain.com),
    so that if the reply from serv1 and serv2 is given, it resolves to
    192.168.1.1

    but if the query is replied to from serv3, then I need it to give
    192.168.2.1

    This is because Site-USA has different IPSEC tunnels setup, and
    therefore traffic should flow differently, and I'd like to control it
    from DNS.

    The only way I can see to do this myself at present, is to split
    some.mydomain.com away from being AD-integrated, and define it as a
    Primary/Secondary on serv1 and serv2, and then define it as another
    primary on serv3.

    Or is there another way?

    Thanks,

    Adrian
     
    Adrian Marsh (NNTP), Aug 12, 2009
    #1
    1. Advertisements


  2. Why do you want to do that? To control logon traffic or something? For logon
    traffic control, implement Active Directory Sites.

    However, if it is an internal website resource name you want to create with
    different names, such as intranet.mydomain.com, simply create multiple
    entries for it with different IPs. The client, with NetMask Ordering enabled
    (default), will pick the IP with the subnet closer to it's own.

    Otherwise, this is not possible with Windows DNS, and if it's a name related
    to a DC, it will only cause major problems with AD if you were to implement
    what you're suggesting.

    Also, just as an FYI, there is a specific newsgroup for DNS questions:
    microsoft.public.windows.server.dns.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Aug 12, 2009
    #2
    1. Advertisements

  3. Hi Ace,

    Its basically because of the IP layout. Its not AD or even PC-based
    traffic, but back to my cisco phones again. They access the PBX via DNS
    lookups. I can hack the config files of the phones used in Site-USA to
    use static IPs instead of DNS names, but I'd rather keep phone configs
    the same across the company (one config), and control it centrally via
    DNS. Also if I work by direct IPs, then some fucntionality of those
    phones would stop working.

    Using DNS, the phones will work when placed anywhere in the world, but
    it makes sense to keep intra-company traffic local within our IPSEC
    tunnels. So in the UK, I'd need to resolve to a public IP (which is
    actually still local for that network), but in the US, I'd like the
    traffic to flow via IPSEC rather than head out over the public internet.
    That all helps protect the VoIP traffic.

    But that means that I need different resolution based on location.

    I do make use of AD Sites, but are you saying these can somehow apply to
    DNS too ?

    My method of primary/secondary would work, but its not very clean to do
    that.

    Will re-post to the other group if I dont figure it out.

    Thanks

    Adrian
     
    Adrian Marsh (NNTP), Aug 12, 2009
    #3
  4. Well my idea did work...
    I created a Primary non-AD zone on Serv1, a secondary from that on
    Serv2, and then another Primary on serv3. That way I get the result I
    wanted, but its not very clean...
     
    Adrian Marsh (NNTP), Aug 12, 2009
    #4
  5. Adrian Marsh (NNTP)

    Grant Taylor Guest

    First, are each of your sites in a different DNS (sub)domain? If they
    are, I would try a simple service name with out a domain and let the
    site configured search domain append and thus find the proper server.

    I.e. point your client to "pbx" and let the site searchnames of
    "site1.<domain>.<tld>" or "site2.<domain>.<tld>" or
    "site3.<domain>.<tld>" be appended. Thus based on your search domains
    you will ultimately be resolving "pbx.site1.<domain>.<tld>" or
    "pbx.site2.<domain>.<tld>" or "pbx.site3.<domain>.<tld>". This will
    allow you to very easily have the three different names resolve to where
    ever you want them to for each site.
    Hum. I would not think you would want your VoIP traffic to pass through
    an IPSec tunnel for call quality reasons.
    More the other way around. AD Sites (partially) rely on DNS to find
    things specific to the site the client is in.



    Grant. . . .
     
    Grant Taylor, Aug 12, 2009
    #5
  6. Hi Grant,

    No its all one AD domain and all one DNS domain. I might break it up at
    some point, but thats a load of work to do... and its a small number of
    folks abroad.

    My DNS setup would work, but Ive just thought of a problem. If my USA
    primary DNS server fails, then the DHCP config is to use the UK as a
    secondary, in which case the DNS for this host would lookup wrong...

    So back to the drawing board...
     
    Adrian Marsh (NNTP), Aug 12, 2009
    #6

  7. It sounds like you'll need to use two DNS servers at that location and not
    specify the UK DNS as the second entry. However, your idea is interesting,
    despite the additional administrative overhead.

    Cheers!

    Ace
     
    Ace Fekay [MCT], Aug 12, 2009
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.