Split DNS Not Working

I have been forced to create a split DNS config as my edge router does not support NAT reflection. However I cannot get the split DNS working correctly for client workstations.

internal domain mydomain.local
external domain mydomain.com

host mail.mydomain.com resolves externally and is port forwarded to mail.mydomain.local

internal clients need mail.mydomain.com to resolve to private IP of mail.mydomain.local

DHCP is set up to configure clients with only local DNS servers

on the internal DNS server(s) I have created a forward lookup zone for mydomain.com and added an A record for mail.mydomain.com with the private IP
(I have also tried creating zone for mail.mydomain.com and creating blank A record with private IP of local host)

Internal DNS are configured to forward unresolved to google DNS

In both cases, if I ping mail.mydomain.com from the DNS server it correctly resolves to the private IP address; if I ping from a workstation it resolves to the public IP address rather than the private IP address.

Yes - I have cleared the cache on the WS with ipconfig /flushdns, and I have even cleared the DNS server cache.

An nslookup of mail.mydomain.com on a WS returns the public IP as a non-authoritative response from the local DNS server.

This problem is plaguing me at multiple sites; there must be something I am missing.

Help greatly appreciated.

TIA



It sounds like you have everything configured correctly. I would re-verify that caches are cleared as that would be the most likely explanation. How did you clear the cache on the DNS server?
With a zone for mydomain.com (and assuming you haven't created a "www" record in it), then if you query for www.mydomain.com from an internal machine it should result in a NXDOMAIN (record not found). Further assuming that you DO have a record for www.mydomain.com in your public DNS, if the previous sentence isn't true, then something is wrong with your DNS server and you should look at event logs, etc.

Beyond that I would look at network captures of DNS traffic (both at a workstation and DNS server) while performing a ping or nslookup to examine the traffic.






I cleared the cache on the server by right clicking the "Cache" zone folder and selecting clear cache.

Actually, www.mydomain.com does resolve correctly, as the zone I created on the local DNS is for mail.mydomain.com with a blank A record pointing to the correct private IP. This is a trick I ran across in another post: create the zone for the host rather than the TLD.

As I mentioned, everything works perfectly from the DNS server itself, but the local WS is still resolving to the public IP. Could it be that since the local DNS server is non-authoritative it's checking the forwarder?

I recently also checked security on the zone and made sure AuthUsers and SELF had read access to the zone (they previously did not), but this does not seem to have made any difference.

I tried logging into the DNS server with user credentials to see if it was a permissions issue, but a non-admin user account on the DNS server also resolves as expected.

Thx



Yes, creating the zone with a blank record is a good trick when you just need to intercept queries for a single name.

Since the zone is on the server it should consider itself authoritative, and thus should not forward on any queries for that name. I don't see how the server could resolve the name correctly for itself, but workstations using it aren't.

The only explanation I can think of for a workstation resolving differently than the server is that a piece of information has been missed, like:
- the workstation isn't using the server
- a suffix has been appended

This is why I would gather network captures and make sure traffic is flowing as you think. Use nslookup and append a dot to the end of the FQDN to make sure no suffixes are being added automatically. And again, look at event logs.
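The two replies above suggest three checks: query www.mydomain.com and expect NXDOMAIN from a local zone, append a trailing dot so no search suffix is added, and capture the DNS traffic to see whether the local server answers from its own zone or forwards. As an added example (not code from anyone in the thread), the Python below builds the A query a stub resolver would send and parses a response the way you would read it in a capture: it checks the AA (authoritative answer) bit, the RCODE and the returned A records, and turns them into one of the verdicts the thread is circling around. The response packets are constructed inline for illustration; 10.0.0.5 and 203.0.113.10 are placeholder addresses, not anything from the original post.

```python
import struct
import ipaddress

# RFC 1918 ranges only; ipaddress.is_private also flags documentation ranges
# such as 203.0.113.0/24, which would mislabel the "public" placeholder below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in RFC1918)


def encode_name(name):
    """Wire-format a DNS name. A trailing dot marks it fully qualified, which is
    what 'nslookup mail.mydomain.com.' does to stop a search suffix such as
    mydomain.local being appended; on the wire both spellings are identical."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query, as a stub resolver would send it."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg, off):
    """Read a possibly-compressed name; returns (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", end if jumped else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Extract the fields that matter here: the AA bit, RCODE and the A records."""
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    info = {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0x000F,
            "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _ = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = str(ipaddress.IPv4Address(rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        info["answers"].append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return info


def diagnose(msg):
    """Turn one response into the verdict the thread is trying to reach."""
    info = parse_response(msg)
    if info["rcode"] == 3:
        return "NXDOMAIN (%s)" % ("from the local zone" if info["aa"] else "non-authoritative")
    if not info["aa"]:
        return "non-authoritative: server forwarded instead of answering from its zone"
    a_records = [a["data"] for a in info["answers"] if a["type"] == 1]
    if a_records and all(is_rfc1918(ip) for ip in a_records):
        return "authoritative, private IP: split DNS is working"
    return "authoritative, but public IP: wrong address in the local zone"


def build_response(query, aa, ip=None, rcode=0):
    """Constructed reply to `query` (scaffolding for the samples, not a real capture)."""
    txid = struct.unpack(">H", query[:2])[0]
    flags = 0x8180 | (0x0400 if aa else 0) | rcode  # QR, RD, RA (+AA)
    header = struct.pack(">HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:  # owner name as a pointer to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + answer


# Constructed samples; 10.0.0.5 and 203.0.113.10 are placeholder addresses.
QUERY = build_query("mail.mydomain.com.")
WORKING = build_response(QUERY, aa=True, ip="10.0.0.5")
FORWARDED = build_response(QUERY, aa=False, ip="203.0.113.10")  # what the workstation saw
WRONG_RECORD = build_response(QUERY, aa=True, ip="203.0.113.10")
NXDOMAIN = build_response(build_query("www.mydomain.com."), aa=True, rcode=3)

if __name__ == "__main__":
    for label, resp in [("working", WORKING), ("forwarded", FORWARDED),
                        ("wrong record", WRONG_RECORD), ("www in local zone", NXDOMAIN)]:
        print("%-18s %s" % (label, diagnose(resp)))
```

The FORWARDED sample matches the symptom in the original post (public IP, non-authoritative): a server that holds the zone should set AA and never consult the forwarder for that name, so seeing AA clear on the workstation's copy of the reply is the quickest way to tell whether the answer really came from the local zone. If you apply parse_response to real packets from a capture, feed it the UDP payload only.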



I have re-verified that the local DNS server is the only DNS server in ipconfig /all.

Tried appending a . to the end of the FQDN, no change.

DNS suffix is mydomain.local

Checked event logs, nothing of note

I appreciate the help.

I do not have immediate facility for packet capture, but I may get desperate enough...

thx all


