07-17-2018 02:33 PM
Background: We have 6 IB appliances running DNS for our enterprise. 2 of them are defined as external and 4 are internal, but all are technically available on publicly routable IP addresses. We control queries and recursion at the member level. A huge number of our hosts are publicly routable as well, I would say it's close to 50/50. This is bad, and a legacy issue we're struggling to correct.
Up until now we have run everything in the default view, and all our zones and records resolve the same everywhere. This has not been an issue until our MS folks started rolling out Skype for Business and we need records in a sub-domain to resolve differently outside the enterprise than inside.
Is it possible to create a DNS view for subdomain X.example.com that holds different records in it than the default, and set an ACE that denies from RFC1918 and our public subnet, and have it answer requests from the wider internet without having to copy the entire root of example.com into both views?
I tried creating a view and changing the order of views so that our external servers placed External view before Default, and vice versa on the internal 4 members, but all that did was result in resolution failures to records in the root domain from outside clients as soon as TTLs were reached. Forwarders didn't solve the problem, though I would not be surprised if I missed something simple.
My guess is I need to have the entire zone in both views, but that's a fairly massive undertaking and given the other weird legacy issues I am leery of causing more problems than I fix.
TL;DR: can I create a sub-domain in a view and have it respond to outside requests without placing the entire root domain in both views, or blocking resolution for other records in the domain from either view?
07-17-2018 03:00 PM
Possible, yes... Recommended, NO! Talk to your SE about this, it adds complication to your design and depending on the existing design it may not work for all cases -- do all the internal NSs have all the zones, etc. This is exactly the kind of thing Pro Serv can help with. If it were me, I'd create a new view for the External stuff and CSV export/import the desired data. Then use Shared Record Groups where you need the same info in both copies of the zone.
Now if you really want to do the thing as you proposed:
What you would want to do is create the view with the internal-only records and nothing else. And that subdomain can't exist in your external / default view. Order them as you described. In the "internal" view you will make it recursive and forward-only to 127.0.0.1. Make sure to exclude the local IPs for the appliance and the 127.0.0.1 from matching the "internal" view. This should match your external view so for any query not in that one subdomain (that doesn't have a delegation incidentally) it forwards to your old view and "does the right thing."
I again caution you about doing this, it will cause problems at 2am when you or a co-worker gets a call about DNS and you have to troubleshoot. Unwinding this kind of thing should be done with Pro Serv help. So again, talk to your SE! If you don't know who your SE is, we can help you find that out.
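The design in the reply above (an internal view holding only the subdomain, ordered first, recursive and forward-only to 127.0.0.1, with the appliance's own addresses excluded from that view's match list) is easier to reason about with a small model. The following is an added example written for this thread, not Infoblox code or anything from the poster: it imitates ordered view selection, longest-suffix zone lookup inside a view, and the forward-to-self hop. All addresses are constructed, and the assumption that the re-entrant query arrives from the appliance's own address (`self_source`, constructed as 203.0.113.10) is what makes the loop visible when the exclusion is left out; on a real appliance it may arrive from 127.0.0.1 instead, which is why the reply says to exclude both.

```python
"""Added example: a model of ordered DNS views with a forward-only fallback.

Constructed teaching model, not Infoblox code. An "internal" view holds only
x.example.com, is ordered before the default view, and forwards everything
else to 127.0.0.1. The ForwardLoop check shows why the appliance's own
addresses must be excluded from the internal view's match list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class View:
    name: str
    allow: list                                   # networks this view matches
    deny: list = field(default_factory=list)      # evaluated before allow
    zones: dict = field(default_factory=dict)     # zone -> {owner name: rdata}
    forward_to: Optional[str] = None              # forward-only target, if any

    def matches(self, client_ip: str) -> bool:
        client = ipaddress.ip_address(client_ip)
        if any(client in net for net in self.deny):
            return False
        return any(client in net for net in self.allow)


class ForwardLoop(Exception):
    """Raised when a view keeps forwarding queries back into itself."""


def select_view(views, client_ip):
    # First match in configured order wins, like an ordered view list.
    for view in views:
        if view.matches(client_ip):
            return view
    return None


def lookup_in_view(view, qname):
    # Longest-suffix match: find the zone in this view that covers qname.
    labels = qname.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in view.zones:
            return view.zones[zone].get(qname, "NXDOMAIN")
    return None  # no zone in this view covers the name


def resolve(views, client_ip, qname, self_source="203.0.113.10", max_hops=4):
    """Answer qname for client_ip, modelling the forward-to-127.0.0.1 hop."""
    hops = 0
    while True:
        view = select_view(views, client_ip)
        if view is None:
            return "REFUSED"
        answer = lookup_in_view(view, qname)
        if answer is not None:
            return f"{view.name}:{answer}"
        if view.forward_to is None:
            return "SERVFAIL"
        # The appliance queries itself; the re-entrant query arrives from one
        # of the appliance's own addresses (constructed value for the model).
        hops += 1
        if hops > max_hops:
            raise ForwardLoop(f"view {view.name!r} forwards back into itself")
        client_ip = self_source


net = ipaddress.ip_network
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]
PUBLIC_SUBNET = net("203.0.113.0/24")                      # constructed range
APPLIANCE_SELF = [net("127.0.0.1/32"), net("203.0.113.10/32")]  # constructed


def build_views(exclude_self=True):
    internal = View(
        name="internal",
        allow=RFC1918 + [PUBLIC_SUBNET],
        deny=APPLIANCE_SELF if exclude_self else [],
        zones={"x.example.com": {"sip.x.example.com": "10.1.1.5"}},
        forward_to="127.0.0.1",
    )
    default = View(
        name="default",
        allow=[net("0.0.0.0/0")],
        zones={"example.com": {
            "www.example.com": "203.0.113.80",
            "sip.x.example.com": "203.0.113.90",  # no delegation of x.example.com
        }},
    )
    return [internal, default]


if __name__ == "__main__":
    views = build_views()
    print(resolve(views, "10.5.5.5", "sip.x.example.com"))      # internal:10.1.1.5
    print(resolve(views, "10.5.5.5", "www.example.com"))        # default:203.0.113.80
    print(resolve(views, "198.51.100.7", "sip.x.example.com"))  # default:203.0.113.90
    try:
        resolve(build_views(exclude_self=False), "10.5.5.5", "www.example.com")
    except ForwardLoop as exc:
        print("loop:", exc)
```

Two behaviours worth noting when troubleshooting this design: a name under x.example.com that the internal view does not hold returns NXDOMAIN from the internal view rather than falling through, because that view is authoritative for the subdomain; and with `exclude_self=False` the internal view matches its own forwarded query and never reaches the default view, which is the 2 a.m. failure mode the reply warns about.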
07-17-2018 03:10 PM
Thanks! I know it's a bad idea, I am still tasked with proving exactly how bad it is. Your answer makes the mud clear.
I'll talk to some folks about talking to ProServ folks.
07-30-2018 11:34 AM
I don't know if you have gotten this resolved yet, but you also might be able to do some tricks with DTC. But that is an extra license.