Windows – How to setup NS Record to External Name Server from Internal DNS

Tags: domain-name-system, windows

We have the following scenario:

  1. Our company has an Internal DNS & an External DNS server.
  2. Both of them hold the same domain (example.com).
  3. Our Internal DNS is a Windows Server that cannot access the Internet, but has forwarders set up for "All other DNS" to the External DNS.
  4. We need to set up a sub-domain (vendor.example.com) to point to an authoritative name server (ns1.vendor.com) from the vendor, and the vendor will provide the IP address for this sub-domain.
  5. And, we have set up the following in our External DNS for Internet people who need to access the name (vendor.example.com).

    vendor IN NS ns1.outsider.com
    

So that when Internet people query the sub-domain

    nslookup vendor.example.com

It returns the corresponding IP address defined in our vendor name server (ns1.vendor.com).


Now, we encountered the problem that:

If we apply the same setting to our Internal DNS server, we get "Server fails" when an internal staff member uses 'nslookup' to query "vendor.example.com" through the Internal DNS.

If I use 'dig' with '+nssearch' to query from my PC to our Internal DNS,

    C:\>dig +nssearch vendor.example.com
    ;; reply from unexpected source: <Our Proxy Server>#<Number>, expected <IP of ns1.vendor.com>#53
    ;; reply from unexpected source: <Our Proxy Server>#<Number>, expected <IP of ns1.vendor.com>#53
    ;; reply from unexpected source: <Our Proxy Server>#<Number>, expected <IP of ns1.vendor.com>#53

    ; <<>> DiG 9.9.5 <<>> +nssearch vendor.example.com
    ;; global options: +short +cmd
    ;; connection timed out; no servers could be reached

We expected that when the request goes to our Internal DNS, it will forward the request to our External DNS and get the IP address from the vendor name server, then respond to the PC inside our company network.


Could anyone tell me what's wrong with this? And how can we do this correctly?
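A small diagnostic, added here as an example and not part of the question or answer, that reproduces what nslookup and dig report above: it sends one A query to a resolver, maps the RCODE in the reply (nslookup's "Server fails" is RCODE 2, SERVFAIL) and flags a UDP reply that arrives from a different address than the one queried, which is the condition behind dig's "reply from unexpected source". The server address at the bottom is a placeholder, not the poster's internal DNS.

```python
"""Minimal DNS probe: reports the RCODE of a reply and checks its source address."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Standard query, recursion desired, one question of type A, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def parse_header(data):
    """Return (txid, rcode_name, answer_count) from a raw DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, f"RCODE{rcode}"), an

def check_reply(query_txid, data, sent_to, received_from):
    """Classify one reply the way dig/nslookup would describe it."""
    txid, rcode, answers = parse_header(data)
    if received_from != sent_to:  # dig: "reply from unexpected source"
        return f"unexpected source {received_from[0]}, expected {sent_to[0]}"
    if txid != query_txid:
        return "transaction id mismatch"
    if rcode != "NOERROR":
        return rcode  # SERVFAIL is what nslookup prints as "Server fails"
    return f"NOERROR, {answers} answer(s)"

def probe(name, server, port=53, timeout=3.0):
    """Send the query over UDP and describe the first reply (or a timeout)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, src = s.recvfrom(512)
        except socket.timeout:
            return "connection timed out; no servers could be reached"
    return check_reply(0x1234, data, (server, port), src)

if __name__ == "__main__":
    # 192.0.2.10 is a documentation-range placeholder for the internal DNS server
    print(probe("vendor.example.com", "192.0.2.10"))
```

Run it once against the internal DNS and once against the external DNS; a SERVFAIL from the former with NOERROR from the latter confirms the delegation is the part that fails inside the network.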

Best Answer

In my understanding you can try several things:

  1. Create a CNAME entry vendor.example.com on internalDNS holding the information externaldns.example.com. On externaldns.example.com you configured the NS entry(s) holding the server responsible for that zone. When a computer queries internalDNS it delegates the resolution of the DN to externalDNS. This server delegates it over to server.vendor.com which holds the actual information.
  2. Configure all computers (with the help of a GPO) that have access to the Internet in such a way that their DNS queries go directly to externaldns.example.com. So you don't need any entry on internalDNS.

The second possibility is only applicable if the internal computers are not able to access the Internet. If this is not the case, you should rethink your network architecture and the reason why you have two separate nameservers (this is not clear from your description).