Hello,

Our primary domain is "primarydomain.com".

In one DMZ - at a remote location - we have "demodomain.com" for test and demo purposes which is accessible from the internet.

On the servers in the demodomain.com domain (separate AD for that zone) we are running a few test and demo services that are accessed from the outside as "demo-x.primarydomain.com". When someone accesses it, the server gathers data from other services in other public locations (HQ Production zone, Azure etc) AND from services in the same DMZ as demodomain.com. So, what is the problem?

We've set up all services to reply to the demo-x.primarydomain.com, which means that using the external DNS to resolve names works fine as long as they are not located in the demodomain.com dmz zone. In this zone the primarydomain.com does not exist, which again means services fail to resolve the internal address of the servers in the same zone when we use the primarydomain.com address. I could of course add the primarydomain.com DNS zone to the local DNS server, but then I'd have to manually make any changes on the public adresses in primarydomain.com.

So to the question: Is it possible to set up a DNS zone with a few records the DNS replies to, and forwards all other requests it can't answer to the external DNS server? Example:

zone primarydomain.com (in demodomain.com DMZ)
demo-1.primarydomain.com 10.0.0.x
demo-2.primarydomain.com 10.0.0.y
demo-4.primarydomain.com 10.0.0.z

DMZ server (demodomain.com) asks for adresses:

demo-1.primarydomain.com -> found in local DNS, sending back 10.0.0.x adress.
demo-2.primarydomain.com -> found in local DNS, sending back 10.0.0.y adress.
demo-3.primarydomain.com -> not found in local DNS - forwarding to external DNS server.
demo-4.primarydomain.com -> found in local DNS, sending back 10.0.0.z adress.

So far we've been using hosts-files, but that is not a very brilliant way to do it.
1 Comment   [ + ] Show Comment

Comments

  • we up a vpn connection which connects to the real domain when we are in our dmz location. this then allows that session to access the inside dns without compromising security.
Please log in to comment

There are no answers at this time

Answers

Answer this question or Comment on this question for clarity