Conditional routing of DNS request based on domain

[Dan Harpold]

Here's an interesting one:

Client has a VPN connection from home network to office. Wants DNS
resolution of office machines through the VPN, without routing _all_ DNS
traffic thtough the VPN tunnel. Has DNS server in home office. office domain
structure is as follows:

company.com
us.company.com

All resources are in the us.company.com domain, and that is where the
internal DNS servers are. Public domain is company.com.

I set up the home office DNS server with a new primary zone for company.com,
then delegated the us.company.com queries to the internal servers over the
VPN.

Unfortunately, I could not figure out a good way to send all of the queries
for the company.com domain out to the public, external DNS services. The
client does not want to enable zone transfers to the home office server.

Is there any way to tell the company.com zone to use an external, public DNS
server to resolve all of the queries? The home office server is configured
to use a forwarder from the ISP, and everything works fine. We had to
hard-code in the external DNS entries for company.com, which was not really
a big deal, but I am curious if there is a better way.

Any thought?

 

[Simon Geary]

Windows Server 2003 DNS has a new conditional forwarding feature. It sounds
ideally suited to your situation.
http://support.microsoft.com/?id=304491

 

[Jonathan de Boyne Pollard]

DH> Client has a VPN connection from home network to office.
DH> Wants DNS resolution of office machines through the VPN,
DH> without routing _all_ DNS traffic thtough the VPN tunnel.
DH> Has DNS server in home office.

This is just "split horizon" DNS service with separate content DNS
servers. You've already set up the two sets of content DNS servers.
The first set of content DNS servers comprises the public ones,
publishing the public DNS database; and the second set comprises
the "internal" content DNS servers at the "office" end of the VPN
connection.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html#SeparateContentServers>

The remaining part of the setup is telling the resolving proxy DNS
server at the "home" end of the VPN connection (i.e. the client's
proxy DNS server) to override the delegations published in the
public DNS database and to instead consult the second set of content
DNS servers. How to do this is described on the web page.

If the client does not have version 2003 of Microsoft's DNS server,
upgrade.

DH> I set up the home office DNS server with a new primary zone
DH> for company.com, [...]

Delete this.

DH> The home office server is configured to use a forwarder from [sic]
DH> the ISP, [...]

This will conflict with the database overrides. Either
(a) stop the DNS server from forwarding queries to the
forwardee, ensure that the egregiously misnamed "do not use recursion"
option is disabled, ensure that you have (valid) Root Hints (and not
a "." "zone"), and knock a bigger DNS-shaped hole in whatever firewall
there is;
or
(b) use "conditional forwarders" instead of "stub zones"
(which has a slightly greater maintenance overhead).

<URL:http://homepages.tesco.net./~J.deBo...ed-firewall-holes.html#InternalResolvingProxy>