07-13-2022 07:45 AM
We are planning out a project for making our Infoblox appliances the front-end DNS servers for our (mostly Microsoft) domain environment. Our plan is to continue to store the DNS zones in Active Directory.
One of the questions that has come up is that we have 3 domains in a single forest: Domain.net, Sub1.domain.net and Sub2.domain.net. We are trying to understand what the best approach is for the sub-domains. In MS-DNS, these zones have been created in the root (Domain.net) zone as delegated zones (DNS requests are forwarded to the domain controllers of that particular domain). However, if all clients are being pointed to Infoblox, I am thinking it makes more sense for these to be sub-zones within the root zone, as there really isn't anywhere to forward the request to if the zone is also hosted on Infoblox. Does anyone have experience with this or any suggestions?
08-14-2022 10:11 PM
From your description I can say that you are going to use zone transfer from AD to Infoblox. From the question you have 3 domains, which are:
- domain.net (as the root)
- sub1.domain.net (configured as delegation)
- sub2.domain.net (configured as delegation)
If we look into the zone file for the subzones, it should be:
sub1.domain.net. IN NS anotherdomaincontroller1.domain.net.
sub2.domain.net. IN NS anotherdomaincontroller2.domain.net.
anotherdomaincontroller1.domain.net. IN A 10.10.10.1
anotherdomaincontroller2.domain.net. IN A 10.10.10.2
In a zone transfer these records will be included in the XFR. It means that Infoblox will receive a copy of the entire domain.net zone, including the delegation NS records.
So when the client tries to query a name in sub1.domain.net, Infoblox will forward the query to 10.10.10.1, and for sub2.domain.net it will forward to 10.10.10.2.
One thing you need to make sure of in Infoblox when you configure the zone is that the "Don't use forwarders to resolve queries in subzones" setting is checked. If this setting is not checked, then the query will be forwarded to the global forwarder instead of the delegated NS IP.
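A check worth running on the transferred parent zone before cutting clients over to Infoblox: confirm that every delegation point (NS record below the apex) has an address record for its in-bailiwick name servers, since a delegation whose NS target lives inside the parent or child zone cannot be followed without that glue. This is an added example written for this thread, not Infoblox or Microsoft code; the zone data is constructed to match the records in the reply above, plus a hypothetical sub3 delegation with its glue missing.

```python
# Added example: parse parent-zone records as they arrive over AXFR, find the
# delegation points below the apex, and report in-bailiwick NS targets that
# have no A/AAAA record in the parent (no glue). Data below is constructed.
from collections import defaultdict

# Constructed zone data for domain.net in plain zone-file form.
ZONE_DATA = """
domain.net. IN SOA dc1.domain.net. hostmaster.domain.net. 1 3600 600 86400 300
domain.net. IN NS dc1.domain.net.
dc1.domain.net. IN A 10.10.10.10
sub1.domain.net. IN NS anotherdomaincontroller1.domain.net.
sub2.domain.net. IN NS anotherdomaincontroller2.domain.net.
sub3.domain.net. IN NS ns.sub3.domain.net.
anotherdomaincontroller1.domain.net. IN A 10.10.10.1
anotherdomaincontroller2.domain.net. IN A 10.10.10.2
"""


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples from simple one-record-per-line zone text."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue  # skip blank/malformed lines; only IN-class records are expected
        records.append((parts[0].lower(), parts[2].upper(), " ".join(parts[3:]).lower()))
    return records


def check_delegations(records, apex):
    """Map each delegated child to {ns_target: has_glue}; None = out of bailiwick."""
    apex = apex.lower().rstrip(".") + "."
    addresses = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addresses[owner].add(rdata)
    result = {}
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == apex:
            continue  # apex NS records name the zone's own servers, not a delegation
        in_bailiwick = rdata == apex or rdata.endswith("." + apex)
        result.setdefault(owner, {})[rdata] = bool(addresses.get(rdata)) if in_bailiwick else None
    return result


def missing_glue(delegations):
    """List (child, ns_target) pairs whose in-bailiwick NS has no address record."""
    return sorted((child, ns) for child, targets in delegations.items()
                  for ns, has_glue in targets.items() if has_glue is False)


if __name__ == "__main__":
    for child, ns in missing_glue(check_delegations(parse_zone(ZONE_DATA), "domain.net")):
        print(f"{child} delegated to {ns} but no A/AAAA record for it in the parent zone")
```

Out-of-bailiwick NS targets (e.g. a name server under another zone) are reported as None rather than as a problem, because the resolver is expected to look those up separately.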