How to use external DNS Forwarders when Forward Lookup Zone doesn’t contain requested subdomain

Tags: domain-name-system, subdomain, windows-server-2008-r2

Using Windows 2008 R2 DNS:

We have a Forward Lookup Zone:

somerealdomain.com

us-wil    |    A    |    10.10.0.1
us-chi    |    A    |    10.10.0.2
us-day    |    A    |    10.10.0.3
us-sea    |    A    |    10.10.0.4
us-sf     |    A    |    10.10.0.5
us-ny     |    A    |    10.10.0.6
give      |    A    |    10.10.0.7
me        |    A    |    10.10.0.8
test      |    A    |    10.10.0.9

If I do an NSLookup for any of those, they obviously get pointed correctly to the internal IP.

Now, if I want any non-existent subdomain to resolve using external DNS as provided by our Forwarders 8.8.8.8, 8.8.4.4 etc. how can I accomplish that? Say, I want to resolve get.somerealdomain.com which is not included in the Forward Lookup Zone, but is resolvable on Public DNS Servers?

I need this so if someone searches a subdomain we haven't included in our Forward Lookup Zone, it will go out to a public DNS server and resolve. I assumed this would happen by default as it does with any other domain we have not written records for, but because we have somerealdomain.com as a Forward Lookup Zone, any subdomain which does not have a record written just dies instead of asking external DNS. Why? How can I resolve this?

Best Answer

DNS requires that there be only one instance of a given zone (the zone can be served by multiple authoritative servers, but only one instance of the zone is allowed). You simply cannot get a DNS server to first query a local forward zone (i.e. locally defined, be it a master or slave zone) and then query another DNS server if it does not find a matching entry. You are effectively overriding the very definition of the somerealdomain.com on your local server (so as far as it is concerned, the public version of that zone does not exist).

There are a number of workarounds possible. If you have access to the public zone file (directly or by zone transfer), then a suitable script could backfill your local zone with the public entries which are not overridden locally. This is not trivial and requires some in-depth knowledge.

An alternative would be to place a filtering DNS proxy in front of your DNS server - the kind of DNS proxy used for penetration testing which can be configured to forward queries to different DNS servers based on the query's contents (or fake answers directly - which is effectively what you are doing).

Finally, you could use a DNS cache such as dnsmasq (same principle as a filtering DNS proxy) - see this answer for details.
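As an added example that is not part of the answer or the question, this is what the dnsmasq workaround from the last paragraph looks like: the internal hosts from the question are pinned with exact-name host-record entries, and any other name under somerealdomain.com, get.somerealdomain.com included, falls through to the public forwarders. The listen address is an assumption; the records and forwarder IPs are the question's own.

```ini
# dnsmasq.conf (added example, not from the original post)

# Assumed address of the dnsmasq host; adjust to your environment.
listen-address=10.10.0.53
# Ignore /etc/resolv.conf and use only the forwarders listed here.
no-resolv
server=8.8.8.8
server=8.8.4.4
cache-size=1000

# Exact-name overrides for the internal hosts. A host-record answers only
# the name given, so every other name under somerealdomain.com is still
# forwarded upstream instead of dying with NXDOMAIN.
host-record=us-wil.somerealdomain.com,10.10.0.1
host-record=us-chi.somerealdomain.com,10.10.0.2
host-record=us-day.somerealdomain.com,10.10.0.3
host-record=us-sea.somerealdomain.com,10.10.0.4
host-record=us-sf.somerealdomain.com,10.10.0.5
host-record=us-ny.somerealdomain.com,10.10.0.6
host-record=give.somerealdomain.com,10.10.0.7
host-record=me.somerealdomain.com,10.10.0.8
host-record=test.somerealdomain.com,10.10.0.9

# Do NOT use either of these for this case. Both claim the whole domain,
# which reproduces the Windows Forward Lookup Zone behaviour: names that
# are not defined locally are answered from local data only and never
# reach the forwarders.
#local=/somerealdomain.com/
#address=/somerealdomain.com/10.10.0.1
```

To check the split, query the dnsmasq host directly for both kinds of name, e.g. nslookup us-wil.somerealdomain.com 10.10.0.53 should return 10.10.0.1 while nslookup get.somerealdomain.com 10.10.0.53 should return the public answer. Clients (or the Windows server's forwarders) then point at the dnsmasq host rather than at a server that holds the overriding zone.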
