Answer the question
In order to leave comments, you need to log in
How to configure specific root A-nodes for different regions in domain dns?
By default, in DNS, where dns is installed on domain controllers, the ip of all domain controllers on which DNS is installed is registered in the root A-nodes to resolve the domain name (ping domain.ru).
How to configure certain root A-nodes (top-level folders) in dns so that domain resolution is only allowed by certain DCs at regional sites and is not accidentally resolved by dns-s of domain controllers that are not available at the network level?
Answer the question
In order to leave comments, you need to log in
It is possible to configure Split-Brain DNS and issue only records related to it in each zone.
# Только на одном контроллере AD/DNS:
# Создаём зоны видимости (Scope)
Add-DnsServerZoneScope -ZoneName "my.local" -Name "Scope149"
Add-DnsServerZoneScope -ZoneName "my.local" -Name "Scope33"
# Создаём DNS-записи для каждой зоны
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "proxy" -IPv4Address 10.149.0.200 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "proxy" -IPv4Address 10.33.0.200 -ZoneScope "Scope33"
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "wsus" -IPv4Address 10.149.0.209 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "wsus" -IPv4Address 10.33.0.201 -ZoneScope "Scope33"
# На каждом контроллере:
# Создаём подсети
Add-DnsServerClientSubnet -Name "Subnet149" -IPv4Subnet 10.149.0.0/16
Add-DnsServerClientSubnet -Name "Subnet33" -IPv4Subnet 10.33.0.0/16
Add-DnsServerClientSubnet -Name "SubnetTotal" -IPv4Subnet 10.0.0.0/8
# Создаём политики применения зон видимости для подсетей
Add-DnsServerQueryResolutionPolicy -Name "Policy149" -Action ALLOW -ClientSubnet "eq,Subnet149" -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope149" -ZoneName "my.local"
Add-DnsServerQueryResolutionPolicy -Name "Policy33" -Action ALLOW -ClientSubnet "eq,Subnet33" -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope33" -ZoneName "my.local"
Add-DnsServerQueryResolutionPolicy -Name "PolicyTotal" -Action ALLOW -ClientSubnet "eq,SubnetTotal" -ZoneScope "my.local" -ZoneName "my.local"
# Включаем политики
Enable-DnsServerPolicy -Level Zone -ZoneName "my.local" -Name "Policy149"
Enable-DnsServerPolicy -Level Zone -ZoneName "my.local" -Name "Policy33"
Enable-DnsServerPolicy -Level Zone -ZoneName "my.local" -Name "PolicyTotal"
# Разрешаем Split-Brain DNS
dnscmd /config /globalqueryblocklist isatap
IMHO option one - to include netmask ordering.
The Microsoft DNS server does not have the ability to issue different answers from the zone according to different criteria (for example, depending on the ip of the requester).
I met such possibility only in bind - it is called views.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question