Conditional routing of DNS request based on domain

Dan Harpold

Here's an interesting one:

Client has a VPN connection from home network to office. Wants DNS
resolution of office machines through the VPN, without routing _all_ DNS
traffic through the VPN tunnel. Has DNS server in home office. Office domain
structure is as follows:

company.com
us.company.com

All resources are in the us.company.com domain, and that is where the
internal DNS servers are. Public domain is company.com.

I set up the home office DNS server with a new primary zone for company.com,
then delegated the us.company.com queries to the internal servers over the
VPN.

Unfortunately, I could not figure out a good way to send all of the queries
for the company.com domain out to the public, external DNS services. The
client does not want to enable zone transfers to the home office server.

Is there any way to tell the company.com zone to use an external, public DNS
server to resolve all of the queries? The home office server is configured
to use a forwarder from the ISP, and everything works fine. We had to
hard-code in the external DNS entries for company.com, which was not really
a big deal, but I am curious if there is a better way.

Any thoughts?
 
Jonathan de Boyne Pollard

DH> Client has a VPN connection from home network to office.
DH> Wants DNS resolution of office machines through the VPN,
DH> without routing _all_ DNS traffic through the VPN tunnel.
DH> Has DNS server in home office.

This is just "split horizon" DNS service with separate content DNS
servers. You've already set up the two sets of content DNS servers.
The first set of content DNS servers comprises the public ones,
publishing the public DNS database; and the second set comprises
the "internal" content DNS servers at the "office" end of the VPN
connection.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html#SeparateContentServers>

The remaining part of the setup is telling the resolving proxy DNS
server at the "home" end of the VPN connection (i.e. the client's
proxy DNS server) to override the delegations published in the
public DNS database and to instead consult the second set of content
DNS servers. How to do this is described on the web page.

If the client does not have version 2003 of Microsoft's DNS server,
upgrade.

DH> I set up the home office DNS server with a new primary zone
DH> for company.com, [...]

Delete this.

DH> The home office server is configured to use a forwarder from [sic]
DH> the ISP, [...]

This will conflict with the database overrides. Either
(a) stop the DNS server from forwarding queries to the
forwardee, ensure that the egregiously misnamed "do not use recursion"
option is disabled, ensure that you have (valid) Root Hints (and not
a "." "zone"), and knock a bigger DNS-shaped hole in whatever firewall
there is;
or
(b) use "conditional forwarders" instead of "stub zones"
(which has a slightly greater maintenance overhead).

<URL:http://homepages.tesco.net./~J.deBo...ed-firewall-holes.html#InternalResolvingProxy>
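Option (b) from the reply above, as an added example that is not part of the thread: it assumes a current Windows DNS server with the DnsServer PowerShell module (Server 2012 or later, not the 2003 version discussed), and all addresses and host names below are constructed placeholders.

```powershell
# Added example (not from the thread): conditional routing of DNS queries on a
# Windows DNS server at the "home" end of the VPN, per option (b) above.
# Server 2012+ DnsServer module assumed; all addresses are constructed placeholders.
$InternalDns  = @('10.10.0.10', '10.10.0.11')   # us.company.com content servers, reachable only over the VPN
$IspForwarder = @('203.0.113.53')               # ISP resolver for every other name (TEST-NET-3 placeholder)
$OfficeZone   = 'us.company.com'
$PublicZone   = 'company.com'

# 1. Remove the locally created primary zone for company.com ("Delete this").
#    While it exists the home server answers company.com authoritatively from
#    hand-maintained records instead of consulting the public DNS database.
if (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue) {
    Remove-DnsServerZone -Name $PublicZone -Force
}

# 2. Keep the server-level forwarder to the ISP for everything else, so no
#    firewall hole for general recursion is needed (root hints stay unused).
Set-DnsServerForwarder -IPAddress $IspForwarder -UseRootHint $false

# 3. Send only us.company.com across the VPN. A conditional forwarder is matched
#    before the server-level forwarder, which is why it does not conflict with the
#    ISP forwarder the way a stub zone or delegation override does.
if (-not (Get-DnsServerZone -Name $OfficeZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $OfficeZone `
        -MasterServers $InternalDns -ForwarderTimeout 5
}

# 4. Verify the split: the first name should be answered by the internal servers,
#    the second by the public database via the ISP forwarder. Host names are
#    constructed for illustration.
Resolve-DnsName -Name "fileserver.$OfficeZone" -Server 'localhost' -Type A -ErrorAction SilentlyContinue
Resolve-DnsName -Name "www.$PublicZone"        -Server 'localhost' -Type A -ErrorAction SilentlyContinue
```

Only the internal server addresses need to be reachable through the VPN; the firewall hole stays limited to UDP/TCP 53 from the home server to those two hosts.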