05-27-2021 06:30 AM
I have a pair of InfoBloxes doing internal and external DNS. There is only one view at present, but I want to start doing split DNS, so I need a second. The particular cause is that we want to use Azure App Proxy, and Microsoft say you should not connect to the proxy for internal access to the back-end servers, so you have to make the site name refer to the proxy when external and to the back-end when internal.
We have about 40 zones, and I only want to have different contents in one of them, so I'd like to use forwarding to the same server for the rest. I plan to add an "internal" view with one zone file and do forwarding to the default for the rest. However, the InfoBloxes are also secondary servers for a few sub-zones delegated to our Windows DCs (one forward and some reverse), so I can protect them from the Internet. The Windows DCs are DNS servers for most of our desktops, and they forward queries for zones that they aren't primary for to the InfoBloxes. So this is my problem:
- The Windows DCs need to get the internal view versions of data in the zone that we are going to vary between internal and default view, so they can pass that on to their clients.
- So I need to add their addresses to the internal view match list.
- But if they notify the InfoBloxes about updates to the delegated Windows zones, those notifications will come into the internal view, whereas the zones are actually defined in the default view.
- Even if I defined the secondary zones in both views, only the default view's copy would get updated through notifications. The internal view would have to wait for the refresh time, which will probably be more noticeable than it would be for default (i.e. external) clients.
Am I doing this the wrong way? Am I missing something? I did wonder about adding extra IPs to the InfoBloxes and using one for forwarding from the Windows DCs and the other as the secondary server addresses for the delegated zones, but that seems awfully complicated.
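The problem the post describes comes from one rule of split-horizon DNS: the view is chosen by the source address of the packet, and that rule applies to an inbound NOTIFY just as it does to a query. The toy model below, written as an added example rather than Infoblox's own logic or the poster's configuration, makes that rule explicit so the two scenarios in the post can be checked side by side. View names, zone names and the 192.0.2.0/24 addresses used for the domain controllers are constructed for illustration and are not taken from any real deployment.

```python
"""Toy model of view selection on a split-horizon DNS server.

Added example: the data below is constructed and the matching logic is a
simplification (first view whose match list contains the source address
wins), not the code of any particular DNS product.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    name: str
    match_clients: list            # list of ip_network; evaluated in order
    zones: dict = field(default_factory=dict)   # zone -> "primary" | "secondary" | "forward"


def select_view(views, source_ip):
    """Return the first view whose match list contains source_ip.

    The same selection is applied to every inbound packet, so a NOTIFY from
    an address listed in the internal view's match list lands in that view.
    """
    ip = ipaddress.ip_address(source_ip)
    for view in views:
        if any(ip in net for net in view.match_clients):
            return view
    return None


def route_notify(views, source_ip, zone):
    """Decide what happens to a NOTIFY for `zone` sent from `source_ip`.

    Returns (view_name, outcome). A NOTIFY only refreshes the copy of the
    zone held in the view it was routed to; copies in other views are
    untouched until their own refresh timer expires.
    """
    view = select_view(views, source_ip)
    if view is None:
        return (None, "dropped: no view matches")
    if view.zones.get(zone) == "secondary":
        return (view.name, "accepted")
    return (view.name, "ignored: zone is not a secondary in this view")


# Constructed sample topology (documentation range, not real addresses).
DC_ADDRESSES = [ipaddress.ip_network("192.0.2.10/32"),
                ipaddress.ip_network("192.0.2.11/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
DELEGATED_ZONE = "ad.example.test"       # secondary for a zone primary on the DCs
SPLIT_ZONE = "app.example.test"          # the one zone with different internal content


def scenario_secondary_only_in_default():
    """Secondary zone defined only in the default view (the post's first case)."""
    internal = View("internal", DC_ADDRESSES, {SPLIT_ZONE: "primary"})
    default = View("default", ANY, {DELEGATED_ZONE: "secondary", SPLIT_ZONE: "primary"})
    views = [internal, default]            # most specific view first
    return {
        "dc_query_view": select_view(views, "192.0.2.10").name,
        "external_query_view": select_view(views, "198.51.100.7").name,
        "dc_notify": route_notify(views, "192.0.2.10", DELEGATED_ZONE),
    }


def scenario_secondary_in_both_views():
    """Secondary zone defined in both views (the post's second case)."""
    internal = View("internal", DC_ADDRESSES,
                    {SPLIT_ZONE: "primary", DELEGATED_ZONE: "secondary"})
    default = View("default", ANY, {DELEGATED_ZONE: "secondary", SPLIT_ZONE: "primary"})
    views = [internal, default]
    routed_view, outcome = route_notify(views, "192.0.2.10", DELEGATED_ZONE)
    # Only the routed view's copy is refreshed by the NOTIFY.
    refreshed = {v.name: (v.name == routed_view and outcome == "accepted") for v in views}
    return {"dc_notify": (routed_view, outcome), "refreshed_by_notify": refreshed}


if __name__ == "__main__":
    print(scenario_secondary_only_in_default())
    print(scenario_secondary_in_both_views())
```

Running the two scenarios reproduces the post's reasoning: with the domain controllers in the internal match list their NOTIFY is routed to the internal view, where it is ignored if the secondary zone lives only in the default view, and where it refreshes only the internal copy if the zone is defined in both. Whatever the eventual design, the check worth keeping is the one `route_notify` performs: for every address that sends NOTIFYs, confirm which view its address selects and that the zone is a secondary there.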