Policy-based DNS?

  • Question

  • Hi,

    I'm doing research on how to best implement split DNS in our mixed environment of Server 2012 R2 and 2016. To give you some brief background: we've just gone through a merger and are working on integrating a lot of systems, and one of the projects is to migrate DNS from one domain to another.

    A lot of these DNS zones are split DNS, where they exist on both the internal and external networks (hosted by a third-party vendor). I've run into a scenario where some parts of business units do not have access to internal servers, but they are on AD and using internal DNS for resolution. The messy workaround I've had to quickly implement was to find a record that the users were trying to access and point the IP from internal to external.

    I'm reading up on this new policy-based DNS which is available in Windows 2016 and I'm wondering if this will provide the answer to my problem. This is what I'm trying to set up:

    1. DNS request for internal users who have access to internal servers resolves to internal IP

    2. DNS request for internal users who do not have access to internal servers resolves to external IP

    We've got a mixture of 2012 R2 and 2016 DCs, but the main DNS servers are currently on 2012 R2.

    Would policy-based DNS solve my challenge? If so, can you provide some articles/links for this please?

    Thanks in advance.


    Thursday, March 28, 2019 6:12 AM

All replies

  • Hi,

    According to your scenario, I would suggest you deploy Split-Brain DNS by using DNS policy.

    Please refer to the link below:

    https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment 

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 29, 2019 1:58 AM
    Moderator
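    The split-brain DNS policy that Travis links, as an added PowerShell example that is not from the thread or the linked article. It keys the policy on the client's source subnet rather than on a server interface, so it assumes the business units without internal reachability can be identified by subnet; the zone name, subnet, host and addresses are placeholders.

    ```powershell
    # Added example (not from the thread or the Microsoft article): split-brain DNS
    # with a Windows Server 2016 DNS policy matched on the querying client's subnet,
    # so no external-facing NIC is required on the DNS server.
    # Assumptions (placeholder values): the AD-integrated zone is corp.example.com,
    # the units without internal reachability sit in 10.50.0.0/16, host "www" already
    # has its internal A record (10.1.1.10) in the zone, and its public IP is 203.0.113.10.
    # Run on every 2016 DNS server those clients query: DNS policies are server-local
    # configuration and are not replicated by Active Directory.

    $ZoneName   = 'corp.example.com'
    $SubnetName = 'NoInternalAccess'
    $ScopeName  = 'ExternalScope'
    $DnsServer  = '10.1.1.5'          # placeholder: a 2016 DNS server to test against

    # 1. Name the subnet the policy matches on. Only the query's source address is
    #    examined, so clients behind a forwarding resolver are seen as that resolver.
    Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet '10.50.0.0/16'

    # 2. Create a zone scope holding the external copies of the records. The default
    #    scope keeps the internal records, so unaffected users see no change.
    Add-DnsServerZoneScope -ZoneName $ZoneName -Name $ScopeName

    # 3. Put the external-facing A record into that scope only.
    Add-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope $ScopeName `
        -A -Name 'www' -IPv4Address '203.0.113.10'

    # 4. Policy: queries for this zone from the named subnet are answered from the
    #    external scope; every other client falls through to the default scope.
    Add-DnsServerQueryResolutionPolicy -Name 'ExternalAnswersForIsolatedUnits' `
        -Action ALLOW -ZoneName $ZoneName `
        -ClientSubnet "EQ,$SubnetName" -ZoneScope "$ScopeName,1"

    # Verification: review what this server enforces, then query from a client in
    # 10.50.0.0/16 (expect 203.0.113.10) and from any other client (expect 10.1.1.10).
    Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName |
        Format-List Name, Action, Criteria, Content
    Resolve-DnsName -Name "www.$ZoneName" -Server $DnsServer -Type A
    ```

    Because the match is on source IP, a client that moves onto a different subnet, or that resolves through an intermediate DNS server, gets the answer that subnet is entitled to, so keep the subnet list aligned with the network segmentation that actually blocks internal access.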
  • Thanks for your reply. The problem with the setup you suggested is that we do not and cannot have a NIC that's facing externally. So, we're limited to just 1 internal facing NIC. Any other suggestions?
    Friday, March 29, 2019 1:29 PM
  • Hi,

    I am afraid that there is no better way, because the DNS server cannot distinguish between user accounts.

    "I've run into a scenario where some parts of business units do not have access to internal servers, but they are on AD and using internal DNS for resolution."

    I would suggest you configure a DNS server for these computers which only has external records.

    Best regards,

    Travis



    Monday, April 1, 2019 6:05 AM
    Moderator
  • So, how would I go about doing this if these domains are AD-integrated?

    Does this mean that I would have to disable AD integration for a zone and ensure this zone is set up on each DNS server? Obviously management will be a pain in the neck, as multiple servers will need to be updated if an entry needs changing.


    Tuesday, April 2, 2019 5:18 AM
  • Hi,

    "DNS request for internal users who do not have access to internal servers resolves to external IP"

    I mean configuring the new DNS server's address as the primary DNS on these users' computers.

    Best regards,

    Travis



    Thursday, April 4, 2019 7:13 AM
    Moderator