Forwarding requests made to Windows DNS server for a domain it’s authoritative for but doesn’t have a record matching the request, onto BIND

binddomain-name-systemdynamic-dnswindows-dns

Is it possible on a Windows DNS server to have it forward/proxy requests for a domain it's authoritative for but doesn't have a record matching the request.. onto another server like a BIND server ?

Most records for this domain are managed by Windows and BIND will have a smaller number of records that are dynamically registered/updated/deleted with nsupdate from Linux servers. This is for private cloud testing project we're doing and i want them to be able to easy register/update their info in DNS via nsupdate.

Thanks
fLo

Best Answer

You could do this with delegation. It's easier if all the remote records are under a single sub-domain, like let's say you have cloud.domain.com and your BIND server has a zone matching that.

In Windows DNS, create a sub-domain (right click the zone, click New Domain...), call it cloud. That looks like a sub-folder.

Within there, create NS records that point to your BIND server.

All queries for that sub-domain should then go to that DNS server.

If the records are all going to be direct descendants of domain.com, then you do the same thing, it's just more tedious because you have to keep creating sub-domains for each individual record.

See Understanding Zone Delegation for a nice diagram and more information.

Related Solutions

CNAME Records and DNS Recursion – Must Authoritative DNS Allow Recursion?

No you don't need to have recursion on for authoritative DNS servers. Depending on who you ask it's even considered good practice that (if possible) your authoritative server not be recursive as it's a line of defence against some DoS attacks. (Cisco's document is here for example)

A sample from my domain is below (Server is running Bind 9 and is non-recursive).

; <<>> DiG 9.5.1-P3 <<>> mail.<snip> @<my authoritative master>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;mail.<snip>.       IN  A

;; ANSWER SECTION:
mail.<snip>.        86400   IN  CNAME   ghs.google.com.
ghs.google.com.     158151  IN  CNAME   ghs.l.google.com.
ghs.l.google.com.   33    IN  A       74.125.47.121

;; AUTHORITY SECTION:
google.com.     153556  IN  NS  ns4.google.com.
google.com.     153556  IN  NS  ns2.google.com.
google.com.     153556  IN  NS  ns3.google.com.
google.com.     153556  IN  NS  ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.     169823  IN  A   216.239.32.10
ns2.google.com.     169823  IN  A   216.239.34.10
ns3.google.com.     169823  IN  A   216.239.36.10
ns4.google.com.     169823  IN  A   216.239.38.10

It sounds more like a DNS misconfiguration at the Windows 2003 DNS than anything else.

Delegate part of a zone to another server

It sounds like you have home.mydomain.tld as a public zone and you want to create internal records for PC.home.mydomain.tld, TV.home.mydomain.tld, refrigerator.home.mydomain.tld, etc.?

About the only un-nasty way I can think of to do this without stepping on the home.mydomain.tld domain would be to create x.home.mydomain.tld and put everything under that zone, which is served by your local nameserver.

You COULD create an individual zone for each of PC, TV, refrigerator, etc. above and have your local nameserver only be authoritative for those individual bits, but that means a huge number of one-entry zone files (YUCK!).

Also note that any local zones you create would step on and override any outside DNS server's zones: It's not possible to have the A record for pc.home.mydomain.tld come from one NS and the AAAA record for it come from another: DNS delegates and declares authority by zone name, and that authority is for all record types within that zone.
If a nameserver is told it is authoritative for something and can't find the record it will not forward the query up the DNS tree, it will simply return NXDOMAIN.

Best Answer

Related Solutions

CNAME Records and DNS Recursion – Must Authoritative DNS Allow Recursion?

Delegate part of a zone to another server

Related Topic