Secondary DNS

danths

Hello:
I have our DNS hosted with the ISP; at the same time I would like to set up
an additional setup within the office wherein I can add only
additional records not present in the primary DNS hosted with the ISP.
These are usually servers yet to be deployed at the hosting center. How
do I go about it? The ISP doesn't allow zone transfers and so I cannot
create a full-fledged secondary DNS server. I presume I would need some
kind of forwarder so that it queries the primary DNS servers in case
the record was not found in the set at the office. Where should I
start?

Thanks
sd
 
Herb Martin

danths said:
Hello:
I have our DNS hosted with the ISP; at the same time I would like to set up
an additional setup within the office wherein I can add only
additional records not present in the primary DNS hosted with the ISP.

What you are describing is NOT a "secondary DNS" but rather
an architecture referred to as Shadow DNS (aka Split DNS).

You will actually set up another Primary for the same zone.

The result is that you will be able to add additional records
to the internal VERSION of your zone without those records
propagating to the public version of the zone.

The easiest way to do this is usually to set up the internal as a
Secondary (temporarily), copy the records and then change
it to Primary.

danths said:
These are usually servers yet to be deployed at the hosting center. How
do I go about it? The ISP doesn't allow zone transfers and so I cannot
create a full-fledged secondary DNS server.

In this case you will have to do the entire thing manually.

danths said:
I presume I would need some
kind of forwarder so that it queries the primary DNS servers in case
the record was not found in the set at the office. Where should I
start?

Your other choice (if the number of additional records is small)
is to create a separate zone for EVERY record and put in an A
(host address) record with a 'blank name, same as parent'.

Example: FileServer.Example.Com would be a separate zone,
and you would put in an A record for the address of such an
internal server.
 
danths

Thanks for the reply. Does it mean that I need to have something like
this:
corp.net
www A 222.222.222.1
ftp A 222.222.222.1
mail A 222.222.222.3
MX mail.corp.net

The zone database on the internal zone would look like this:

corp.net
www CNAME webserver.corp.net
ftp CNAME ftpserver.corp.net
mail CNAME exchange.corp.net
exchange A 192.168.1.15
webserver A 192.168.1.16
ftpserver A 192.168.1.17


However, it still means that I need to create CNAME entries in the
internal DNS. I would like, to reduce the chances of errors, to
configure the internal DNS to automatically query the external DNS
if the record wasn't found (if possible).

Thanks
sd
 
Herb Martin

danths said:
Thanks for the reply. Does it mean that I need to have something like
this:
corp.net
www A 222.222.222.1
ftp A 222.222.222.1
mail A 222.222.222.3
MX mail.corp.net

The zone database on the internal zone would look like this:

corp.net
www CNAME webserver.corp.net
ftp CNAME ftpserver.corp.net
mail CNAME exchange.corp.net
exchange A 192.168.1.15
webserver A 192.168.1.16
ftpserver A 192.168.1.17


However, it still means that I need to create CNAME entries in the
internal DNS. I would like, to reduce the chances of errors, to
configure the internal DNS to automatically query the external DNS
if the record wasn't found (if possible).

That only works if you create EACH of those External Entries
as an INDIVIDUAL zone AND do not have the actual zone
"corp.net" internally at all.

As long as you have the zone internally it is an all or nothing
deal.

This is the (main) disadvantage of using same name inside
as outside.
 
ankit

Configuring a DNS server at your end with the new records and setting it
as a forwarder to the primary DNS server for the remaining records. Will
that help?
 
Herb Martin

ankit said:
Configuring a DNS server at your end with the new records and setting it
as a forwarder to the primary DNS server for the remaining records. Will
that help?

No. Neither a secondary nor any other DNS server will ever forward to a
Primary of the SAME zone. They are both authoritative.

The closest you can come to this are my two suggestions above:

1) Shadow DNS

2) Individual DNS ZONES for each separate 'record' that is to
be overridden internally

The latter only works if you are NOT using the zone name
internally for your resources (e.g., not using AD with the
same name.)
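The resolution rule behind all of Herb Martin's points in this thread (a second primary for the whole zone, the one-zone-per-record alternative, and why a server that holds a zone never forwards to another primary of that zone) can be shown with a small model. The following is an added example written for this page, not code posted by anyone in the thread. It models zone selection as longest-suffix matching over the poster's sketched records; the addresses and the extra name new.corp.net are constructed sample data, and delegation (NS records), TTLs and wildcards are deliberately left out.

```python
"""Toy model of how an authoritative DNS server chooses an answer.

Added example, not from the thread.  Rule modelled: a server answers from
the longest-matching zone it holds and only forwards names that fall in
NO local zone.  Delegation, TTLs and wildcards are left out.
"""

from typing import Dict, Optional, Tuple

# A zone is a map of owner name -> (record type, record data).  All sample
# data below is constructed for this example; 222.222.222.x and 192.168.1.x
# are the placeholder addresses the poster used.
Zone = Dict[str, Tuple[str, str]]

# What the ISP serves: the poster's public corp.net plus one extra name
# (new.corp.net) that is only known to the ISP.
PUBLIC_ZONES: Dict[str, Zone] = {
    "corp.net": {
        "www.corp.net":  ("A", "222.222.222.1"),
        "ftp.corp.net":  ("A", "222.222.222.1"),
        "mail.corp.net": ("A", "222.222.222.3"),
        "new.corp.net":  ("A", "222.222.222.9"),
    }
}

# Option 1, "Shadow DNS": the office server is a second primary for the
# whole of corp.net, holding the poster's internal sketch of the zone.
SHADOW_ZONES: Dict[str, Zone] = {
    "corp.net": {
        "www.corp.net":       ("CNAME", "webserver.corp.net"),
        "ftp.corp.net":       ("CNAME", "ftpserver.corp.net"),
        "mail.corp.net":      ("CNAME", "exchange.corp.net"),
        "exchange.corp.net":  ("A", "192.168.1.15"),
        "webserver.corp.net": ("A", "192.168.1.16"),
        "ftpserver.corp.net": ("A", "192.168.1.17"),
    }
}

# Option 2, one zone per overridden name: each zone holds a single A record
# at its apex (the "blank name, same as parent" record) and corp.net itself
# is NOT held internally.
PER_RECORD_ZONES: Dict[str, Zone] = {
    "webserver.corp.net": {"webserver.corp.net": ("A", "192.168.1.16")},
    "exchange.corp.net":  {"exchange.corp.net":  ("A", "192.168.1.15")},
}


def find_zone(zones: Dict[str, Zone], qname: str) -> Optional[str]:
    """Return the longest zone name that is qname or one of its parents."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):      # i=0 is the full name, so longest first
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


class DnsServer:
    def __init__(self, zones: Dict[str, Zone],
                 forwarder: Optional["DnsServer"] = None):
        self.zones = zones
        self.forwarder = forwarder

    def resolve(self, qname: str, depth: int = 0) -> str:
        """Answer an A query: returns an address or an rcode name."""
        zone = find_zone(self.zones, qname)
        if zone is None:
            # Not ours at all: the only case in which a forwarder is consulted.
            if self.forwarder is None:
                return "REFUSED"
            return self.forwarder.resolve(qname, depth)
        rr = self.zones[zone].get(qname.lower().rstrip("."))
        if rr is None:
            # Authoritative negative answer.  The server holds the zone, so it
            # never asks the ISP's copy: this is the "all or nothing" rule.
            return "NXDOMAIN"
        rtype, rdata = rr
        if rtype == "CNAME":
            if depth >= 8:
                return "SERVFAIL"      # guard against CNAME loops
            return self.resolve(rdata, depth + 1)
        return rdata


ISP = DnsServer(PUBLIC_ZONES)
OFFICE_SHADOW = DnsServer(SHADOW_ZONES, forwarder=ISP)
OFFICE_PER_RECORD = DnsServer(PER_RECORD_ZONES, forwarder=ISP)


def compare(qname: str) -> Tuple[str, str]:
    """Resolve qname through both office designs: (shadow, per-record)."""
    return OFFICE_SHADOW.resolve(qname), OFFICE_PER_RECORD.resolve(qname)


if __name__ == "__main__":
    for name in ("www.corp.net", "exchange.corp.net",
                 "new.corp.net", "nothere.corp.net"):
        shadow, per_record = compare(name)
        print(f"{name:20} shadow={shadow:14} per-record={per_record}")
```

Running it shows the trade-off in one table: with the shadow zone, www.corp.net answers with the internal address but new.corp.net is NXDOMAIN even though the ISP knows it, because the office server is authoritative for all of corp.net; with per-record zones, only webserver.corp.net and exchange.corp.net answer internally and everything else passes to the ISP. The per-record design has a caveat of its own that the model also reproduces: a zone named webserver.corp.net swallows every name beneath it, so host.webserver.corp.net would be NXDOMAIN internally rather than forwarded.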