We had a security incident recently where we needed to rebuild the network. For the time being we are just putting things back the way they were until we have more time to come up with a better go forward plan.
We have many locations that do not have their own server infrastructure on site and use our main location for DNS. These remote sites are located in that same site per ADSaS. The VPN tunnels at these sites can only see our main location. We have other sites with Domain Controllers in them that the remote sites do not need to see.
When we go to a machine and set its DNS server and do lookups to our domain, the query result is returning all our Domain Controllers in our organization. This includes servers it cannot see. After several passes of ipconfig /release and ipconfig /renew it finds the correct Domain Controllers and we can move forward.
I turned on DNS Client logging on these machines and I can see results like this...
Query response for name ourdomain.net, type 1, interface index 0 and network index 0 returned 0 with results 10.20.13.1;10.20.20.50;10.20.40.51;10.20.68.2;10.20.66.2;10.20.66.51;
and what happens is that the order of the results shifts after each release renew.
When I look at NS for our sites it looks correct. I am trying to keep the information lean as I do not know what would be useful to include and being too verbose will put off some people.
Why are the DNS clients being offered Domain Controllers IPs that exist outside their site? Those are all valid Domain Controllers but not for all PCs. Some of those are relative to their own sites.
This is how DNS works. DNS is not site aware - specifically not AD Site aware.
Now, if so configured, the DNS servers can be made to be subnet aware using netmask ordering. If memory serves this option is enabled by default. Also by default netmask ordering is based upon a Class C (/24) subnet. However, even with netmask ordering enabled, if none of the IP addresses for the A records exactly match the /24 subnet of the requesting client, all valid A records will be returned. You will also note (with round robin enabled) that these responses will rotate with each successive query (independent of the requesting DNS client).
It should be noted that netmask ordering doesn't actually take into account the subnet mask of the client; it simply checks the first three octets of the requester's IP and if it matches with the first three octets of any of the responses, those responses will be returned at the top of the list. The command to change the netmask sensitivity from the default (/24) to another subnet is as follows (example details setting a /16 subnet mask):
--
What I believe you're trying to accomplish can be done by using DNS Policies; these require DNS to be running on Windows Server 2016 or newer. You can define client subnets and then by creating a DNS Server Query Resolution Policy, you can dictate which A records will be used when queries originate from the specified subnets.
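To make the netmask ordering and round robin behaviour described in the answer concrete, here is an added Python model (not code from this page or from Microsoft) run over the six DC addresses from the question's log line; it is a simplified model of the server logic, and the client addresses used are assumptions.

```python
import ipaddress

# Constructed sample: the A records the question's DNS client log returned for ourdomain.net
DC_RECORDS = ["10.20.13.1", "10.20.20.50", "10.20.40.51",
              "10.20.68.2", "10.20.66.2", "10.20.66.51"]


def netmask_order(client_ip, records, prefix_len=24):
    """Simplified model of netmask ordering: records whose first prefix_len
    bits equal the client's are moved to the top; relative order is kept.
    The client's real subnet mask is ignored, as the answer explains."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in net]
    remote = [r for r in records if ipaddress.ip_address(r) not in net]
    return local + remote


def round_robin(records, query_number):
    """Simplified model of round robin: rotate the list one position per query."""
    k = query_number % len(records)
    return records[k:] + records[:k]


def answer(client_ip, query_number, records=DC_RECORDS, prefix_len=24):
    """Response for the N-th query from client_ip: rotate, then apply netmask
    ordering. With no /24 match every DC comes back and the order shifts."""
    return netmask_order(client_ip, round_robin(records, query_number), prefix_len)


def main():
    # Assumed client in 10.20.40.0/24: its site DC is moved to the top.
    print("10.20.40.10 q0:", answer("10.20.40.10", 0))
    # Assumed client in 10.20.45.0/24: no /24 match, so the list just rotates,
    # which is the shifting order the question observed after each renew.
    for q in range(3):
        print(f"10.20.45.10 q{q}:", answer("10.20.45.10", q))
    # Widening sensitivity to /16 does not help here: every DC is in 10.20.0.0/16.
    print("10.20.45.10 /16:", answer("10.20.45.10", 0, prefix_len=16))


if __name__ == "__main__":
    main()
```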