
Split DNS

Discussion in 'Windows Home Server' started by Adrian Marsh (NNTP), Aug 12, 2009.

  1. Hi All,

    I've a DNS puzzle to solve. I'll use an example domain, but in summary,
    I need DNS to resolve an A record differently on one DNS server compared
    to two others.

    setup is:

    domain: some.mydomain.com, defined as a forward lookup zone
    There are 3 AD integrated DCs, all DNS servers, serv1 serv2 and serv3.
    Sites: serv1 and serv2 are in Site-UK, and serv3 is in Site-USA

    I need to set the A record of the domain itself (some.mydomain.com),
    so that if the reply from serv1 and serv2 is given, it resolves to
    192.168.1.1

    but if the query is replied to from serv3, then I need it to give
    192.168.2.1

    This is because Site-USA has different IPSEC tunnels setup, and
    therefore traffic should flow differently, and I'd like to control it
    from DNS.

    The only way I can see to do this myself at present, is to split
    some.mydomain.com away from being AD-integrated, and define it as a
    Primary/Secondary on serv1 and serv2, and then define it as another
    primary on serv3.

    Or is there another way?

    Thanks,

    Adrian
     
  2. "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
    message news:ecrrU4zGKHA.1988@TK2MSFTNGP03.phx.gbl...
    > Hi All,
    >
    > I've a DNS puzzle to solve. I'll use an example domain, but in summary, I
    > need DNS to resolve an A record differently on one DNS server compared to
    > two others.
    >
    > setup is:
    >
    > domain: some.mydomain.com, defined as a forward lookup zone
    > There are 3 AD integrated DCs, all DNS servers, serv1 serv2 and serv3.
    > Sites: serv1 and serv2 are in Site-UK, and serv3 is in Site-USA
    >
    > I need to set the A record of the domain itself (some.mydomain.com),
    > so that if the reply from serv1 and serv2 is given, it resolves to
    > 192.168.1.1
    >
    > but if the query is replied to from serv3, then I need it to give
    > 192.168.2.1
    >
    > This is because Site-USA has different IPSEC tunnels setup, and therefore
    > traffic should flow differently, and I'd like to control it from DNS.
    >
    > The only way I can see to do this myself at present, is to split
    > some.mydomain.com away from being AD-integrated, and define it as a
    > Primary/Secondary on serv1 and serv2, and then define it as another
    > primary on serv3.
    >
    > Or is there another way?
    >
    > Thanks,
    >
    > Adrian


    Why do you want to do that? To control logon traffic or something? For logon
    traffic control, implement Active Directory Sites.

    However, if it is an internal website resource name you want to create with
    different names, such as intranet.mydomain.com, simply create multiple
    entries for it with different IPs. The client, with NetMask Ordering enabled
    (default), will pick the IP with the subnet closer to its own.

    Otherwise, this is not possible with Windows DNS, and if it's a name related
    to a DC, it will only cause major problems with AD if you were to implement
    what you're suggesting.

    Also, just as an FYI, there is a specific newsgroup for DNS questions:
    microsoft.public.windows.server.dns.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    for regional support phone numbers.
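Ace's alternative, one record per site in the single replicated zone plus netmask ordering, as an added example that is not part of the thread. The commands assume the DnsServer module (Windows Server 2012 or later; in 2009 the record work would be done with dnscmd as well), the server names serv1/serv2/serv3 from the thread, and that the UK and USA phones sit in 192.168.1.0/24 and 192.168.2.0/24 respectively, which the thread does not state. Netmask ordering (LocalNetPriority) is a setting on the DNS server, not the client: the server moves any address that shares the querying client's /24 to the front of the answer.

```powershell
# Added example (not from the thread): two apex A records in one AD-integrated
# zone, ordered per client subnet by the server.  Assumes DnsServer module,
# serv1/serv2/serv3 from the thread, UK phones in 192.168.1.0/24 and USA phones
# in 192.168.2.0/24 (assumption, the thread does not say).
$zone  = 'some.mydomain.com'
$addrs = '192.168.1.1', '192.168.2.1'

# One record per site.  AD replication carries both to every DC, so there is
# nothing site-specific to keep in sync by hand.
foreach ($ip in $addrs) {
    Add-DnsServerResourceRecordA -ComputerName serv1 -ZoneName $zone -Name '@' `
        -IPv4Address $ip -TimeToLive ([TimeSpan]::FromMinutes(5))
}

# Netmask ordering is a per-server setting, so enable it on all three.
# Default match width is the client's /24 (LocalNetPriorityNetMask 0x000000FF);
# widen it with /LocalNetPriorityNetMask (e.g. 0x0000FFFF for /16) if the phone
# VLAN is not the same /24 as the PBX address it should prefer.
foreach ($srv in 'serv1', 'serv2', 'serv3') {
    dnscmd $srv /Config /LocalNetPriority 1 | Out-Null
}

# Ordering keys on the *source address* of the query, not on which server
# answers, so this check has to run from a host on each site's subnet.
function Get-FirstAnswer([string]$Server) {
    $rr = Resolve-DnsName -Name $zone -Type A -Server $Server -DnsOnly |
          Where-Object QueryType -eq 'A'
    return ($rr | Select-Object -First 1).IPAddress
}
foreach ($srv in 'serv1', 'serv2', 'serv3') {
    "{0,-6} first A record as seen from {1}: {2}" -f $srv, (hostname), (Get-FirstAnswer $srv)
}
```

Because the choice is made from the client's address rather than from which server answered, this layout gives the same answer whether a USA phone reaches serv3 or falls back to a UK server. Two caveats a practitioner would check first: it only helps if the phone actually uses the first address in the answer (a client that picks at random, or that tries the second address when the first is slow, will still leave the tunnel), and if some.mydomain.com is the AD domain's own zone the DCs maintain apex A records of their own, so any hand-added apex records sit beside those.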
     
  3. Ace Fekay [MCT] wrote:
    > "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
    > message news:ecrrU4zGKHA.1988@TK2MSFTNGP03.phx.gbl...
    >> Hi All,
    >>
    >> I've a DNS puzzle to solve. I'll use an example domain, but in
    >> summary, I need DNS to resolve an A record differently on one DNS
    >> server compared to two others.
    >>
    >> setup is:
    >>
    >> domain: some.mydomain.com, defined as a forward lookup zone
    >> There are 3 AD integrated DCs, all DNS servers, serv1 serv2 and serv3.
    >> Sites: serv1 and serv2 are in Site-UK, and serv3 is in Site-USA
    >>
    >> I need to set the A record of the domain itself (some.mydomain.com),
    >> so that if the reply from serv1 and serv2 is given, it resolves to
    >> 192.168.1.1
    >>
    >> but if the query is replied to from serv3, then I need it to give
    >> 192.168.2.1
    >>
    >> This is because Site-USA has different IPSEC tunnels setup, and
    >> therefore traffic should flow differently, and I'd like to control it
    >> from DNS.
    >>
    >> The only way I can see to do this myself at present, is to split
    >> some.mydomain.com away from being AD-integrated, and define it as a
    >> Primary/Secondary on serv1 and serv2, and then define it as another
    >> primary on serv3.
    >>
    >> Or is there another way?
    >>
    >> Thanks,
    >>
    >> Adrian
    >
    >
    > Why do you want to do that? To control logon traffic or something? For
    > logon traffic control, implement Active Directory Sites.
    >
    > However, if it is an internal website resource name you want to create
    > with different names, such as intranet.mydomain.com, simply create
    > multiple entries for it with different IPs. The client, with NetMask
    > Ordering enabled (default), will pick the IP with the subnet closer to
    > its own.
    >
    > Otherwise, this is not possible with Windows DNS, and if it's a name
    > related to a DC, it will only cause major problems with AD if you were
    > to implement what you're suggesting.
    >
    > Also, just as an FYI, there is a specific newsgroup for DNS questions:
    > microsoft.public.windows.server.dns.
    >

    Hi Ace,

    It's basically because of the IP layout. It's not AD or even PC-based
    traffic, but back to my cisco phones again. They access the PBX via DNS
    lookups. I can hack the config files of the phones used in Site-USA to
    use static IPs instead of DNS names, but I'd rather keep phone configs
    the same across the company (one config), and control it centrally via
    DNS. Also if I work by direct IPs, then some functionality of those
    phones would stop working.

    Using DNS, the phones will work when placed anywhere in the world, but
    it makes sense to keep intra-company traffic local within our IPSEC
    tunnels. So in the UK, I'd need to resolve to a public IP (which is
    actually still local for that network), but in the US, I'd like the
    traffic to flow via IPSEC rather than head out over the public internet.
    That all helps protect the VoIP traffic.

    But that means that I need different resolution based on location.

    I do make use of AD Sites, but are you saying these can somehow apply to
    DNS too ?

    My method of primary/secondary would work, but it's not very clean to do
    that.

    Will re-post to the other group if I don't figure it out.

    Thanks

    Adrian
     
  4. Adrian Marsh (NNTP) wrote:
    > Ace Fekay [MCT] wrote:
    >> "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
    >> message news:ecrrU4zGKHA.1988@TK2MSFTNGP03.phx.gbl...
    >>> Hi All,
    >>>
    >>> I've a DNS puzzle to solve. I'll use an example domain, but in
    >>> summary, I need DNS to resolve an A record differently on one DNS
    >>> server compared to two others.
    >>>
    >>> setup is:
    >>>
    >>> domain: some.mydomain.com, defined as a forward lookup zone
    >>> There are 3 AD integrated DCs, all DNS servers, serv1 serv2 and serv3.
    >>> Sites: serv1 and serv2 are in Site-UK, and serv3 is in Site-USA
    >>>
    >>> I need to set the A record of the domain itself (some.mydomain.com),
    >>> so that if the reply from serv1 and serv2 is given, it resolves to
    >>> 192.168.1.1
    >>>
    >>> but if the query is replied to from serv3, then I need it to give
    >>> 192.168.2.1
    >>>
    >>> This is because Site-USA has different IPSEC tunnels setup, and
    >>> therefore traffic should flow differently, and I'd like to control it
    >>> from DNS.
    >>>
    >>> The only way I can see to do this myself at present, is to split
    >>> some.mydomain.com away from being AD-integrated, and define it as a
    >>> Primary/Secondary on serv1 and serv2, and then define it as another
    >>> primary on serv3.
    >>>
    >>> Or is there another way?
    >>>
    >>> Thanks,
    >>>
    >>> Adrian
    >>
    >>
    >> Why do you want to do that? To control logon traffic or something? For
    >> logon traffic control, implement Active Directory Sites.
    >>
    >> However, if it is an internal website resource name you want to
    >> create with different names, such as intranet.mydomain.com, simply
    >> create multiple entries for it with different IPs. The client, with
    >> NetMask Ordering enabled (default), will pick the IP with the subnet
    >> closer to its own.
    >>
    >> Otherwise, this is not possible with Windows DNS, and if it's a name
    >> related to a DC, it will only cause major problems with AD if you were
    >> to implement what you're suggesting.
    >>
    >> Also, just as an FYI, there is a specific newsgroup for DNS questions:
    >> microsoft.public.windows.server.dns.
    >>
    >
    > Hi Ace,
    >
    > It's basically because of the IP layout. It's not AD or even PC-based
    > traffic, but back to my cisco phones again. They access the PBX via DNS
    > lookups. I can hack the config files of the phones used in Site-USA to
    > use static IPs instead of DNS names, but I'd rather keep phone configs
    > the same across the company (one config), and control it centrally via
    > DNS. Also if I work by direct IPs, then some functionality of those
    > phones would stop working.
    >
    > Using DNS, the phones will work when placed anywhere in the world, but
    > it makes sense to keep intra-company traffic local within our IPSEC
    > tunnels. So in the UK, I'd need to resolve to a public IP (which is
    > actually still local for that network), but in the US, I'd like the
    > traffic to flow via IPSEC rather than head out over the public internet.
    > That all helps protect the VoIP traffic.
    >
    > But that means that I need different resolution based on location.
    >
    > I do make use of AD Sites, but are you saying these can somehow apply to
    > DNS too ?
    >
    > My method of primary/secondary would work, but it's not very clean to do
    > that.
    >
    > Will re-post to the other group if I don't figure it out.
    >
    > Thanks
    >
    > Adrian

    Well my idea did work...
    I created a Primary non-AD zone on Serv1, a secondary from that on
    Serv2, and then another Primary on serv3. That way I get the result I
    wanted, but it's not very clean...
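The layout Adrian reports working (a file-backed primary on serv1, a secondary on serv2 pulling from it, and an unrelated primary of the same name on serv3), as an added example that is not part of the thread, with the two hardening steps a zone taken out of AD needs. It assumes the DnsServer module (Windows Server 2012 or later; the 2009 thread would use dnscmd), the hypothetical addresses serv1=192.168.1.10, serv2=192.168.1.11 and serv3=192.168.2.10, and that some.mydomain.com carries only the PBX name. If it is the AD domain's own zone, do not do this: turning dynamic update off stops the DCs registering their SRV and apex A records, which is the damage Ace warns about in post 2.

```powershell
# Added example (not from the thread): Adrian's primary/secondary/primary
# split, hardened.  Assumes DnsServer module and hypothetical server addresses;
# assumes the zone is NOT the AD domain zone (see lead-in).
$zone  = 'some.mydomain.com'
$file  = "$zone.dns"
$serv1 = '192.168.1.10'; $serv2 = '192.168.1.11'; $serv3 = '192.168.2.10'

# 0. The AD-integrated copy has to go first.  Deleting an AD-integrated zone on
#    one DC deletes the directory object, so it disappears from all three once
#    replication completes; wait for that before creating the new primaries.
Remove-DnsServerZone -ComputerName $serv1 -Name $zone -Force

# 1. Site-UK: primary on serv1.  A file-backed primary has no "secure only"
#    dynamic update mode, and an open-update zone lets any LAN host rewrite the
#    PBX address, so updates are off and the record is static.
Add-DnsServerPrimaryZone -ComputerName $serv1 -Name $zone -ZoneFile $file -DynamicUpdate None
Add-DnsServerResourceRecordA -ComputerName $serv1 -ZoneName $zone -Name '@' -IPv4Address 192.168.1.1

#    Transfers only to serv2 (named explicitly rather than "any NS"), and NOTIFY
#    serv2 so the secondary refreshes promptly after an edit.
Set-DnsServerPrimaryZone -ComputerName $serv1 -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $serv2 `
    -Notify NotifyServers -NotifyServers $serv2

Add-DnsServerSecondaryZone -ComputerName $serv2 -Name $zone -ZoneFile $file -MasterServers $serv1

# 2. Site-USA: an unrelated primary with the same name and the other address.
#    Nothing is meant to copy it, so serv3 transfers the zone to nobody.
Add-DnsServerPrimaryZone -ComputerName $serv3 -Name $zone -ZoneFile $file -DynamicUpdate None
Add-DnsServerResourceRecordA -ComputerName $serv3 -ZoneName $zone -Name '@' -IPv4Address 192.168.2.1
Set-DnsServerPrimaryZone -ComputerName $serv3 -Name $zone -SecureSecondaries NoTransfer

# 3. Check: each server answers with its site's address, and serv2 agrees with
#    serv1 (if it does not, the transfer is not happening).
$expected = @{ $serv1 = '192.168.1.1'; $serv2 = '192.168.1.1'; $serv3 = '192.168.2.1' }
foreach ($srv in $expected.Keys) {
    $got = (Resolve-DnsName -Name $zone -Type A -Server $srv -DnsOnly |
            Where-Object QueryType -eq 'A').IPAddress -join ','
    $state = if ($got -eq $expected[$srv]) { 'ok' } else { 'MISMATCH' }
    "{0,-14} {1,-12} {2}" -f $srv, $got, $state
}
```

The price of the split is what Adrian calls "not very clean": the apex record now lives in two unrelated primaries that must be edited by hand, the zone no longer gets AD replication or secure dynamic update, and the answer depends entirely on which server the client happens to reach, which is the weakness he notices in post 6.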
     
  5. Grant Taylor

    On 08/12/09 08:08, Adrian Marsh (NNTP) wrote:
    > Its basically because of the IP layout. Its not AD or even PC-based
    > traffic, but back to my cisco phones again. They access the PBX via DNS
    > lookups. I can hack the config files of the phones used in Site-USA to
    > use static IPs instead of DNS names, but I'd rather keep phone configs
    > the same across the company (one config), and control it centrally via
    > DNS. Also if I work by direct IPs, then some fucntionality of those
    > phones would stop working.

    First, are each of your sites in a different DNS (sub)domain? If they
    are, I would try a simple service name without a domain and let the
    site configured search domain append and thus find the proper server.

    I.e. point your client to "pbx" and let the site searchnames of
    "site1.<domain>.<tld>" or "site2.<domain>.<tld>" or
    "site3.<domain>.<tld>" be appended. Thus based on your search domains
    you will ultimately be resolving "pbx.site1.<domain>.<tld>" or
    "pbx.site2.<domain>.<tld>" or "pbx.site3.<domain>.<tld>". This will
    allow you to very easily have the three different names resolve to
    wherever you want them to for each site.

    > Using DNS, the phones will work when placed anywhere in the world, but
    > it makes sense to keep intra-company traffic local within our IPSEC
    > tunnels. So in the UK, I'd need to resolve to a public IP (which is
    > actually still local for that network), but in the US, I'd like the
    > traffic to flow via IPSEC rather than head out over the public internet.
    > That all helps protect the VoIP traffic.

    Hum. I would not think you would want your VoIP traffic to pass through
    an IPSec tunnel for call quality reasons.

    > But that means that I need different resolution based on location.

    *nod*

    > I do make use of AD Sites, but are you saying these can somehow apply to
    > DNS too ?

    More the other way around. AD Sites (partially) rely on DNS to find
    things specific to the site the client is in.



    Grant. . . .
     
  6. Grant Taylor wrote:
    > On 08/12/09 08:08, Adrian Marsh (NNTP) wrote:
    >> Its basically because of the IP layout. Its not AD or even PC-based
    >> traffic, but back to my cisco phones again. They access the PBX via
    >> DNS lookups. I can hack the config files of the phones used in
    >> Site-USA to use static IPs instead of DNS names, but I'd rather keep
    >> phone configs the same across the company (one config), and control it
    >> centrally via DNS. Also if I work by direct IPs, then some
    >> functionality of those phones would stop working.
    >
    > First, are each of your sites in a different DNS (sub)domain? If they
    > are, I would try a simple service name without a domain and let the
    > site configured search domain append and thus find the proper server.
    >
    > I.e. point your client to "pbx" and let the site searchnames of
    > "site1.<domain>.<tld>" or "site2.<domain>.<tld>" or
    > "site3.<domain>.<tld>" be appended. Thus based on your search domains
    > you will ultimately be resolving "pbx.site1.<domain>.<tld>" or
    > "pbx.site2.<domain>.<tld>" or "pbx.site3.<domain>.<tld>". This will
    > allow you to very easily have the three different names resolve to
    > wherever you want them to for each site.
    >
    >> Using DNS, the phones will work when placed anywhere in the world, but
    >> it makes sense to keep intra-company traffic local within our IPSEC
    >> tunnels. So in the UK, I'd need to resolve to a public IP (which is
    >> actually still local for that network), but in the US, I'd like the
    >> traffic to flow via IPSEC rather than head out over the public
    >> internet. That all helps protect the VoIP traffic.
    >
    > Hum. I would not think you would want your VoIP traffic to pass through
    > an IPSec tunnel for call quality reasons.
    >
    >> But that means that I need different resolution based on location.
    >
    > *nod*
    >
    >> I do make use of AD Sites, but are you saying these can somehow apply
    >> to DNS too ?
    >
    > More the other way around. AD Sites (partially) rely on DNS to find
    > things specific to the site the client is in.
    >
    >
    >
    > Grant. . . .

    Hi Grant,

    No, it's all one AD domain and all one DNS domain. I might break it up at
    some point, but that's a load of work to do... and it's a small number of
    folks abroad.

    My DNS setup would work, but I've just thought of a problem. If my USA
    primary DNS server fails, then the DHCP config is to use the UK as a
    secondary, in which case the DNS for this host would lookup wrong...

    So back to the drawing board...
     
  7. "Adrian Marsh (NNTP)" <adrian.marsh@_removeme_ubiquisys.com> wrote in
    message news:OKgLdB2GKHA.4004@TK2MSFTNGP05.phx.gbl...
    >
    > Hi Grant,
    >
    > No, it's all one AD domain and all one DNS domain. I might break it up at
    > some point, but that's a load of work to do... and it's a small number of
    > folks abroad.
    >
    > My DNS setup would work, but I've just thought of a problem. If my USA
    > primary DNS server fails, then the DHCP config is to use the UK as a
    > secondary, in which case the DNS for this host would lookup wrong...
    >
    > So back to the drawing board...


    It sounds like you'll need to use two DNS servers at that location and not
    specify the UK DNS as the second entry. However, your idea is interesting,
    despite the additional administrative overhead.

    Cheers!

    Ace
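A check for the failure Adrian found in post 6 and Ace's fix in post 7, as an added example that is not part of the thread. For every DHCP scope it reads the DNS server list handed to clients (option 6, at scope level or inherited from the server level), asks each server in that list for the record, and flags any scope whose servers disagree, which is exactly a site where a resolver failover would silently move the phones to the other address and, in Adrian's case, off the IPsec path. It assumes the DhcpServer and DnsClient modules (Windows Server 2012 or later), a hypothetical DHCP server name dhcp1 holding both sites' scopes, and the split-zone answers from the thread.

```powershell
# Added example (not from the thread): does a resolver failover change the
# answer?  Assumes DhcpServer + DnsClient modules and a hypothetical DHCP
# server 'dhcp1'; scope names and IDs come from that server.
$zoneName   = 'some.mydomain.com'
$dhcpServer = 'dhcp1'   # hypothetical

function Get-ScopeDnsAnswers {
    param([string]$DhcpServer, [string]$ScopeId)
    # Option 6 = DNS servers.  A scope without its own value inherits the
    # server-level option, so fall back to that.
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
               -OptionId 6 -ErrorAction SilentlyContinue
    if (-not $opt) {
        $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 `
                   -ErrorAction SilentlyContinue
    }
    $answers = @{}
    foreach ($dns in @($opt.Value)) {
        try {
            # -DnsOnly bypasses the local cache and hosts file: ask the server itself.
            $rr = Resolve-DnsName -Name $zoneName -Type A -Server $dns -DnsOnly -ErrorAction Stop |
                  Where-Object QueryType -eq 'A'
            $answers[$dns] = (@($rr.IPAddress) | Sort-Object) -join ','
        } catch {
            $answers[$dns] = "ERROR: $($_.Exception.Message)"
        }
    }
    return $answers
}

foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcpServer) {
    $a = Get-ScopeDnsAnswers -DhcpServer $dhcpServer -ScopeId $scope.ScopeId
    $distinct = @($a.Values | Sort-Object -Unique)
    # One distinct answer across the whole list means failover is harmless;
    # more than one means the phones' PBX address depends on which server is up.
    $verdict = if ($distinct.Count -le 1) { 'consistent' } else { 'FAILOVER CHANGES ANSWER' }
    "{0,-16} {1,-24} {2}" -f $scope.ScopeId, $scope.Name, $verdict
    $a.GetEnumerator() | ForEach-Object { "    {0,-16} -> {1}" -f $_.Key, $_.Value }
}
```

With Adrian's split zones, a USA scope whose option 6 lists serv3 and then a UK server is reported as inconsistent (192.168.2.1 from serv3, 192.168.1.1 from the UK server); Ace's fix, a second DNS server at the USA site and no UK entry, shows up as a scope whose servers all agree. Run it again after any DHCP change: the design is only as good as the resolver lists the clients are actually given.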
     
