I came across a customer site Windows DNS server that has its external domain in a forward lookup zone on the AD server. There are some A and CNAME records here that we really don't want to be public. I'm wondering if we can configure DNS to point upstream to their SOA if it doesn't have an answer to a query for this domain, say searching for autodiscover.domain.com.
The upstream is a BIND DNS controlled by a web hosting company. I don't want to transfer zones and overwrite the static entries here, just reach out upstream if we don't know.
Is this possible? What's the mechanism? It's not really a split-DNS. I modified the SOA record but it doesn't do a recursive query upstream if it doesn't know.
Thanks,
The DNS server is authoritative for the zone. Any queries for the zone records will be answered by the server. If no record matches the query then the server will respond with an NXDOMAIN. Windows DNS won't forward the query to an upstream server.
What you can do is to create a zone for each of the records and create an "apex" A record in the zone for the ip address that each of those records should resolve to. This will make the server authoritative for only those "subdomains" and the server will forward all queries for the parent domain to the external DNS servers.
So... you'd create a zone named www.domain.com and then you'd create an "apex" A record in the zone with the IP address that www.domain.com should resolve to. Rinse and repeat for the other records.
The simplest thing to do is just manually copy everything from the hosting company DNS to AD DNS. If you rarely make changes to the hosting company DNS, this is the least headache approach.
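The per-record zone approach from the first answer, as an added PowerShell example that is not from the thread. It assumes the DnsServer module on the Windows DNS server; domain.com, the hostnames and the addresses in the record list are constructed placeholders, and the pre-checks (no parent zone left, forwarders or recursion present) are added here because without them nothing is forwarded.

```powershell
# Added example (not from the original thread). Assumes the DnsServer PowerShell
# module (Windows Server / RSAT) and an AD-integrated DNS server.
# domain.com and all addresses below are constructed placeholders.

# Names to answer locally; every other name under domain.com falls through to
# the upstream servers. A CNAME cannot share a zone apex with the SOA/NS records,
# so public CNAMEs are entered here as A records for the address they resolve to.
$records = @(
    @{ Name = 'www.domain.com';      IPv4 = '203.0.113.10' }
    @{ Name = 'mail.domain.com';     IPv4 = '203.0.113.25' }
    @{ Name = 'intranet.domain.com'; IPv4 = '10.0.5.20' }
)

# While a zone for the parent domain exists, the server stays authoritative for
# all of domain.com and returns NXDOMAIN for anything not in that zone.
if (Get-DnsServerZone -Name 'domain.com' -ErrorAction SilentlyContinue) {
    throw 'Remove (or rename) the domain.com zone first; otherwise nothing is forwarded.'
}

# Unknown names need somewhere to go: forwarders, or recursion via root hints.
if (-not (Get-DnsServerForwarder).IPAddress -and -not (Get-DnsServerRecursion).Enable) {
    throw 'No forwarders and recursion disabled; other domain.com names would fail.'
}

foreach ($r in $records) {
    if (-not (Get-DnsServerZone -Name $r.Name -ErrorAction SilentlyContinue)) {
        # One AD-integrated zone per hostname, replicated to all DNS servers in the domain.
        Add-DnsServerPrimaryZone -Name $r.Name -ReplicationScope Domain
    }
    # '@' is the zone apex, so the zone name itself resolves to this address.
    Add-DnsServerResourceRecordA -ZoneName $r.Name -Name '@' -IPv4Address $r.IPv4
}

# Verify: the narrow zone answers locally; an unlisted name is resolved upstream.
Resolve-DnsName -Name 'www.domain.com' -Server localhost -Type A
Resolve-DnsName -Name 'autodiscover.domain.com' -Server localhost -Type A
```

The second Resolve-DnsName only succeeds if the hosting company's zone actually publishes that name; an NXDOMAIN there now comes from upstream rather than from the AD server.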
The root cause of this problem is that the AD domain matches the public domain. The correct way to fix this is to set up AD as a subdomain. With greenfield implementations, this is easy. Migrating an existing AD to a subdomain is difficult.
See Active Directory Split-Zone vs SubDomain Domain Name