AD DNS puzzle - addt'l zone with internal split-brain & external dynamic(DDNS) updates RRS feed

  • Question

  • After recently implementing AD when there was none before in a small company, the ENG'g dept is pushing hard to have a newly added secondary DNS zone (not the primary AD zone) for split-brain A-record entries that also receive updates from our external DNS zone file for any DDNS IPs that get updated externally.

    90% of this secondary zone do have valid internal A-record entries for internal IPs, but occasionally the other 10% need to find their way to an external IP that gets updated occasionally to a different IP.

    They see the benefit of the split-brain DNS routing, but when one of the 10% external IPs gets updated it breaks internally, since it then requires a manual update to the internal A-record.

    Hairpin-NAT seems(?) to work just fine, so I'm inclined to just rip out the secondary zone altogether and let the external zone file do all the lifting, but they seem to want to get the internal split-brain secondary zone working.

    Is this feasible, and even if it is, would it be secure?

    thx in advance


    thx, ~~Robb




    • Edited by pitarobb Friday, July 12, 2019 3:30 AM
    Friday, July 12, 2019 2:54 AM
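The mechanism the question is asking for (an internal split-brain zone whose handful of "external" A records follow the public DDNS answer) can be automated rather than patched by hand. The script below is an added example, not something posted in this thread or shipped by Microsoft. It assumes the Windows Server `DnsServer` PowerShell module, and the zone names, host list, resolver address and log path are placeholders to replace.

```powershell
# Added example (not from the thread): reconcile the "external 10%" A records in an
# internal split-brain zone with the current public DDNS answer.
# Assumes the DnsServer module and that it runs on, or with rights to, the internal DNS server.
# Zone names, host list, resolver and log path below are placeholders.

$InternalZone   = 'corp.example.com'            # internal split-brain zone (placeholder)
$ExternalZone   = 'example.com'                 # public zone carrying the DDNS records (placeholder)
$PublicResolver = '1.1.1.1'                     # external resolver, so we see the public answer, not our own zone
$TrackedNames   = @('vpn-site2', 'cam-gateway') # allow-list: the only names this script may write
$LogPath        = 'C:\ProgramData\SplitBrainSync\sync.log'

function Write-SyncLog([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

foreach ($name in $TrackedNames) {
    $publicName = "$name.$ExternalZone"

    # Query the public resolver directly; -DnsOnly skips the hosts file, LLMNR and NetBIOS.
    $public = Resolve-DnsName -Name $publicName -Type A -Server $PublicResolver -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if (-not $public) {
        # Fail closed: a missing public answer never deletes or blanks the internal record.
        Write-SyncLog "SKIP $publicName : no public A answer, internal record left untouched"
        continue
    }
    $publicIp = $public.IPAddress

    # Current internal record for this name, if one exists.
    $current = Get-DnsServerResourceRecord -ZoneName $InternalZone -Name $name -RRType A -ErrorAction SilentlyContinue |
               Select-Object -First 1

    if (-not $current) {
        Add-DnsServerResourceRecordA -ZoneName $InternalZone -Name $name -IPv4Address $publicIp -TimeToLive (New-TimeSpan -Minutes 5)
        Write-SyncLog "ADD  $name.$InternalZone -> $publicIp"
        continue
    }

    $currentIp = $current.RecordData.IPv4Address.IPAddressToString
    if ($currentIp -eq $publicIp) {
        Write-SyncLog "OK   $name.$InternalZone already $publicIp"
        continue
    }

    # Set-DnsServerResourceRecord takes the old record and a modified clone of it.
    $new = $current.Clone()
    $new.RecordData.IPv4Address = [System.Net.IPAddress]::Parse($publicIp)
    Set-DnsServerResourceRecord -ZoneName $InternalZone -OldInputObject $current -NewInputObject $new
    Write-SyncLog "UPD  $name.$InternalZone $currentIp -> $publicIp"
}
```

Run it from a scheduled task every few minutes under a dedicated account that has write permission only on the records in `$TrackedNames` (the zone and record ACLs in AD-integrated DNS allow that granularity). The explicit allow-list is what keeps the public zone from ever overwriting the 90% of records that must stay internal, the short TTL keeps clients from caching a stale address for long after a DDNS change, and the log gives an audit trail of every change the script made. Hairpin NAT remains the fallback if the task stops running, since the script never removes records.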

All replies

  • Hi,

    We don't have much experience about Hairpin-NAT.

    I would suggest you post it in Ubiquiti Community for better answer.

    https://community.ui.com/  

    Best regards,

    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, July 12, 2019 6:37 AM
    Moderator
  • Ubiquiti ???   ...not related to my issue here


    thx, ~~Robb

    Friday, July 12, 2019 2:31 PM
  • Hi,

    Sorry, I mean the technical support of Hairpin-NAT.

    Best regards,

    Travis



    Monday, July 15, 2019 7:49 AM
    Moderator
  • "Hairpin-NAT" is a generic term not associated with any specific company, nor is it my issue, but rather my workaround until I can figure out the solution to the DDNS updates

    thx, ~~Robb

    Monday, July 15, 2019 1:00 PM
  • Hi,

    I am trying to involve someone familiar with this topic to further look at this issue. 

    If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. 

    Best regards,

    Travis



    Wednesday, July 17, 2019 5:59 AM
    Moderator