DNS - pointing a few hosts to a certain address only in one zone


Our primary domain is "primarydomain.com".

In one DMZ - at a remote location - we have "demodomain.com" for test and demo purposes which is accessible from the internet.

On the servers in the demodomain.com domain (separate AD for that zone) we are running a few test and demo services that are accessed from the outside as "demo-x.primarydomain.com". When someone accesses it, the server gathers data from other services in other public locations (HQ Production zone, Azure etc) AND from services in the same DMZ as demodomain.com. So, what is the problem?

We've set up all services to reply to the demo-x.primarydomain.com, which means that using the external DNS to resolve names works fine as long as they are not located in the demodomain.com dmz zone. In this zone the primarydomain.com does not exist, which again means services fail to resolve the internal address of the servers in the same zone when we use the primarydomain.com address. I could of course add the primarydomain.com DNS zone to the local DNS server, but then I'd have to manually make any changes on the public addresses in primarydomain.com.

So to the question: Is it possible to set up a DNS zone with a few records the DNS replies to, and forwards all other requests it can't answer to the external DNS server? Example:

zone primarydomain.com (in demodomain.com DMZ)
demo-1.primarydomain.com 10.0.0.x
demo-2.primarydomain.com 10.0.0.y
demo-4.primarydomain.com 10.0.0.z

DMZ server (demodomain.com) asks for addresses:

demo-1.primarydomain.com -> found in local DNS, sending back 10.0.0.x address.
demo-2.primarydomain.com -> found in local DNS, sending back 10.0.0.y address.
demo-3.primarydomain.com -> not found in local DNS - forwarding to external DNS server.
demo-4.primarydomain.com -> found in local DNS, sending back 10.0.0.z address.

So far we've been using hosts-files, but that is not a very brilliant way to do it.
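The behaviour sketched in the example (answer a handful of names locally, forward everything else under the same domain upstream) is what Unbound calls a "transparent" local zone. The configuration below is an added example, not from the question or the site; it assumes Unbound runs on a DMZ host that the demodomain.com servers use as their resolver, and the 10.0.0.x addresses, the DMZ subnet and the external resolver IP are placeholders to be replaced.

```conf
# unbound.conf fragment (added example; all addresses are placeholders)
server:
    interface: 0.0.0.0
    # Only the DMZ subnet may query this resolver (placeholder prefix).
    access-control: 10.0.0.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # "transparent": if a name has local-data it is answered from here,
    # every other name in primarydomain.com is resolved normally, so
    # demo-3.primarydomain.com still gets its public address upstream.
    local-zone: "primarydomain.com." transparent
    local-data: "demo-1.primarydomain.com. IN A 10.0.0.11"   # 10.0.0.x
    local-data: "demo-2.primarydomain.com. IN A 10.0.0.12"   # 10.0.0.y
    local-data: "demo-4.primarydomain.com. IN A 10.0.0.14"   # 10.0.0.z

    # Caveat: with "transparent", a name that has local-data but is asked
    # for another type (e.g. AAAA) is answered NODATA instead of being
    # forwarded. Use "typetransparent" if those types must come from outside.

# Everything Unbound cannot answer locally goes to the external DNS server
# (placeholder address; use the resolver the DMZ already trusts).
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
```

Because the override lives only on the DMZ resolver, changes to the public primarydomain.com zone keep flowing through unchanged, which is the maintenance problem hosts files cannot solve.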

1 Comment
  • we up a vpn connection which connects to the real domain when we are in our dmz location. this then allows that session to access the inside dns without compromising security. - SMal.tmcc 7 years ago

Answers (0)


