CNAME in local AD\DNS to external domain (googleapis.com)

  • Question

  • We're trying to set up a VPN from our on-prem network to a GCP (Google Cloud Platform) project for API calls. The GCP tutorial (https://cloud.google.com/solutions/setting-up-private-access-to-cloud-apis-through-vpn-tunnels) says that we need to create CNAME entries for

    storage.googleapis.com -> restricted.googleapis.com; and
    www.googleapis.com -> private.googleapis.com
    

    but the tutorial uses BIND, and I'm wondering how to accomplish the same in AD\DNS (2012R2).

    I've read what I can find (mostly from pre-2014), and most talk about creating a forward lookup zone, but that would make the local DNS authoritative and mess up any other lookups, no? Has anyone accomplished this or something similar that could offer some insight?

    Much appreciated.

    Wednesday, June 17, 2020 3:32 PM

All replies

  • Hi,

    You can use split-brain DNS deployments, where there are two versions of a single zone - one for the internal users on your organization intranet, and one for the external users, who are typically users on the Internet.

    This is the official document for reference:

    https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment

    Hope this will do some help for you.

    BR

    Cherry


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 18, 2020 2:57 AM
  • Thank you for the response.  I'd read this technique, but the primary DNS server is 2012R2, which doesn't support DNS policies/zone scopes.  Isn't that a necessity for split-brain? 

    And wouldn't split-brain affect lookups for all internal users, for the entire zone?  As I understand it, I would need to re-create all hosts in the googleapis.com zone on the internal side, and manually update them if they change on the outside.  

    Ideally, we want just the two CNAME records [for storage. and www.] on the inside, with all other queries to the googleapis.com (for however many other hosts are in the zone) passed to the authoritative servers on the outside. Or am I completely misunderstanding how split-brain works?  

    Thanks

    Thursday, June 18, 2020 3:46 PM
  • Hi,

    Based on my research, there is no requirement for DNS policies/zone scopes when deploying split-brain DNS. Or how about just adding the two CNAME records to the computers' hosts file?

    It is indeed the case that all records in the Internet-facing DNS server zone are created manually. When a query to the Internet-facing DNS server comes in from the Internet requesting a resolution on any domain-level resource, such as an SRV record, the Internet-facing DNS server rejects the query because it does not have any of the SRV records—these are only stored in the domain ADI DNS servers. Because it considers itself authoritative for the zone, the Internet-facing DNS server does not make an iterative query to the ADI DNS servers.

    To further enhance security, you can set a firewall rule on the inside firewall, that is, the firewall between the internal and perimeter networks, to reject all DNS (UDP port 53) queries from the perimeter to the internal network, while still allowing DNS replies. 

    Best Regards,

    Cherry



    Friday, June 19, 2020 5:52 AM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.                   

    Best Regards,

    Cherry



    Tuesday, June 23, 2020 1:35 AM
  • Maybe I'm missing something, but in the document that you linked to, every step is related to creating zone-scope policies, which, again, are not available in 2012R2. 

    Regardless, this split-brain DNS technique would break all other lookups to other hosts in the googleapis.com domain, unless we manually re-create [and keep updated] any other records from the external/authoritative side.  And distributing a custom hosts file would not be a viable option either, as there are several hundred endpoints, both domain-joined and not.

    It sounds like this is just not possible with Microsoft's DNS implementation, and I'll likely be looking to somehow forward to an internal BIND instance for these two CNAMEs, which seems ridiculous.

    Thanks anyway, but we can probably forget this topic.

    Tuesday, June 23, 2020 3:27 PM
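An added example, not posted by anyone in this thread: on Windows DNS Server, the narrow override the question asks for can be done with a dedicated forward lookup zone per overridden FQDN (a "pinpoint" zone) rather than a zone for all of googleapis.com. Because the server is then authoritative only for `storage.googleapis.com` and `www.googleapis.com`, every other name under googleapis.com still goes out through the normal forwarders. The DNS standard does not allow a CNAME at a zone apex (it would have to coexist with the SOA and NS records), so each pinpoint zone instead carries A records holding whatever addresses `restricted.googleapis.com` / `private.googleapis.com` currently resolve to. Assumptions: the script runs elevated on a DNS server with the DnsServer PowerShell module (2012 R2 or later), the zones are AD-integrated and replicated forest-wide, the server can resolve the public Google alias names through its forwarders, and `$otherHost` is any other googleapis.com name used only to verify that the rest of the domain is untouched. The resulting addresses are Google's restricted/private VIPs, which are only reachable once the VPN route to them exists, so the DNS change should be deployed together with that route.

```powershell
# Added example (not from the thread): per-FQDN "pinpoint" zones on Windows DNS.
# Assumes the DnsServer module, an elevated session on a DNS server, and that
# restricted.googleapis.com / private.googleapis.com resolve through the forwarders.

$overrides = @{
    'storage.googleapis.com' = 'restricted.googleapis.com'
    'www.googleapis.com'     = 'private.googleapis.com'
}

foreach ($name in $overrides.Keys) {
    $target = $overrides[$name]

    # Look up the Google alias through the server's normal resolution path.
    $addrs = (Resolve-DnsName -Name $target -Type A -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' }).IPAddress
    if (-not $addrs) { throw "No A records returned for $target" }

    # One zone per overridden FQDN; the parent googleapis.com zone is never created,
    # so the server is not authoritative for any other host in that domain.
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope 'Forest' | Out-Null
    }

    # Replace any stale apex A records with the current addresses.
    Get-DnsServerResourceRecord -ZoneName $name -RRType A -Name '@' -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ZoneName $name -Force
    foreach ($ip in $addrs) {
        Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $ip -TimeToLive 00:05:00
    }
}

# Verification: the overridden name answers from the local zone, while another
# googleapis.com host (assumed name, not on the page) is still resolved via forwarders.
$otherHost = 'example-other-host.googleapis.com'   # placeholder for any other googleapis.com name
Resolve-DnsName -Name 'storage.googleapis.com' -Type A -Server localhost
Resolve-DnsName -Name $otherHost              -Type A -Server localhost
```

Because the A records are a snapshot of what the alias names resolved to, schedule the script (or a check that compares `Resolve-DnsName restricted.googleapis.com` against the zone contents) so the pinpoint zones are refreshed if Google changes those addresses; a stale entry fails closed (API calls stop) rather than leaking traffic outside the VPN, which is the safer failure mode here.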
  • Hi,

    Sorry for the trouble and not helping you. If you have other questions, please post on this forum. 
    We would try our best to help you.

    Best Regards,
    Cherry



    Wednesday, June 24, 2020 1:35 AM
  • Hi,
     
    Just want to confirm the current situations.
    Please feel free to let us know if you need further assistance.
     
    Best Regards,
    Cherry


    Monday, June 29, 2020 1:31 AM
  • Hi,

    As this thread has been quiet for a while, we will propose it as 'Answered', as the information provided should be helpful.
    If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    Best regards,
    Cherry


    Tuesday, June 30, 2020 1:28 AM