second primary zone does not utilize forwarding

Milan

First, our network design is a little convoluted due to where servers are
located, but let me summarize with this:

Domain: Windows 2000
DNS: Windows 2000 AD integrated
First primary domain: myclient.com
Second Primary domain: mycompany.com

The problem is rather simple. If a device requests a record on myclient.com
zone that is not local, the DNS simply forwards it to the internet - works
great. If a device requests a record on mycompany.com zone that is not
local, it does not forward.

I am leaning towards this being by design, but I don't know why. Both are
primary zones under the AD DNS umbrella; it's just that the one that is the
main AD zone is the one that forwards correctly.

I have it set up this way because I have a dedicated link between my client
and my company. I host some of my client's servers at my company's
datacenter. Certain records I want to go over the dedicated link and some I
want to go over the internet. I just find it a pain that I have to be sure
to maintain mycompany.com's zone manually with all the potential
internet-bound hosts I may use. I was hoping that mycompany.com zone would
forward what it doesn't have to internet just as the myclient.com does.

Can someone explain why this is? I am sure it is by design, but I can't
seem to grasp the reason.

Thank you for reading.
Milan
 
Milan said:
> First, our network design is a little convoluted due to where servers
> are located, but let me summarize with this:
>
> Domain: Windows 2000
> DNS: Windows 2000 AD integrated
> First primary domain: myclient.com
> Second Primary domain: mycompany.com
>
> The problem is rather simple. If a device requests a record on
> myclient.com zone that is not local, the DNS simply forwards it to
> the internet - works great.

If this is true it is broken. A DNS server will not forward requests for names
it is authoritative for. The closest DNS can come to this is by checking a
WINS server for unknown hosts. But if a DNS server has a zone for
myclient.com, it will not forward any requests, unless that zone is a stub
zone, which Windows 2000 has no support for.

> If a device requests a record on
> mycompany.com zone that is not local, it does not forward.

It would not, since it holds authority. The only time it will send a query
out for hosts it is not authoritative for is for names that are explicitly
delegated.

> I am leaning towards this being by design, but I don't know why.
> Both are primary zones under the AD DNS umbrella; it's just that the one
> that is the main AD zone is the one that forwards correctly.
>
> I have it set up this way because I have a dedicated link between my
> client and my company. I host some of my client's servers at my
> company's datacenter. Certain records I want to go over the
> dedicated link and some I want to go over the internet. I just find
> it a pain that I have to be sure to maintain mycompany.com's zone
> manually with all the potential internet-bound hosts I may use. I
> was hoping that mycompany.com zone would forward what it doesn't have
> to internet just as the myclient.com does.
>
> Can someone explain why this is? I am sure it is by design, but I
> can't seem to grasp the reason.

I would like to know why DNS is forwarding for myclient.com if it has the
zone. Can you post a sample query using nslookup -d2 showing this behavior?
 
Reply is in-line.

Kevin D. Goodknecht Sr. said:
> If this is true it is broken. A DNS server will not forward requests for names
> it is authoritative for. The closest DNS can come to this is by checking a
> WINS server for unknown hosts. But if a DNS server has a zone for
> myclient.com, it will not forward any requests, unless that zone is a stub
> zone, which Windows 2000 has no support for.

Thank you, this actually answers all my questions. I'm sorry, though, that I did not make myself clear here. I did not mean the server would forward requests for its own domain; I meant a request like yahoo.com. I noted myclient.com because that is the domain of the client station and the DNS zone for which he would attempt to resolve the address.

> It would not, since it holds authority. The only time it will send a query
> out for hosts it is not authoritative for is for names that are explicitly
> delegated.

Yes, it makes sense now based on what you said above. I will have to manually maintain the mycompany.com records because it will not forward requests for a domain that it holds ownership of. This is what I did not know, but now that I do, it's clear as day. Thank you for taking the time to explain.
 
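The decision the thread settles on (answer or NXDOMAIN for names in a hosted zone, refer only for explicit delegations, forward only when no hosted zone encloses the name) as a small Python model. This is an added example, not code from the thread or from Windows DNS; the zone contents, the delegation and the forwarder name are constructed.

```python
"""Model of how an authoritative DNS server picks between answering,
delegating and forwarding a query. Sample data below is constructed."""

# Constructed: zones this server is authoritative for and their records.
ZONES = {
    "myclient.com": {"www.myclient.com": "192.0.2.10"},
    "mycompany.com": {"mail.mycompany.com": "198.51.100.5"},
}
# Constructed: a subdomain explicitly delegated to another name server.
DELEGATIONS = {"lab.mycompany.com": "ns1.lab.mycompany.com"}
# Constructed placeholder for the server's configured forwarder.
FORWARDER = "upstream-forwarder"


def enclosing_zone(name, zones):
    """Return the longest zone suffix that encloses `name`, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones=ZONES, delegations=DELEGATIONS, forwarder=FORWARDER):
    """Decide what the server does with a query for `name`."""
    name = name.lower().rstrip(".")
    zone = enclosing_zone(name, zones)
    if zone is None:
        # No hosted zone covers the name (e.g. yahoo.com): forward it.
        return ("FORWARD", forwarder)
    records = zones[zone]
    if name in records:
        # Authoritative answer from the zone's own data.
        return ("ANSWER", records[name])
    delegated = enclosing_zone(name, delegations)
    if delegated is not None:
        # Name sits under an explicit delegation: refer to that server.
        return ("DELEGATE", delegations[delegated])
    # Authoritative zone, no such record: NXDOMAIN, never forwarded.
    # (Windows 2000 could consult WINS here; that lookup is not modelled.)
    return ("NXDOMAIN", zone)
```

The NXDOMAIN branch is the case Milan hit: a missing internet-bound host under mycompany.com is answered as nonexistent by the authoritative server rather than forwarded, so the record has to be maintained in the zone.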