Domain Name System
Nicholas Secret, 2019-10-22 19:29:25

Is it possible to make different DNS records for different AD sites?

A couple of offices in the same forest, and services published on the Internet. Split DNS is implemented: inside the network you go by the local IP, outside by the public one, but the DNS name on the clients is, of course, the same. In one of the offices a service was set up that needs to be accessed from the other office; the service uses TLS, and TLS + IPsec would hurt. So in one office the service needs to be reached by the local IP, and in the other by the public IP, and the DNS name naturally cannot be touched. The DNS server for all devices is the AD DC.


3 answers
Rsa97, 2019-10-23
@Ncla

# Only on one AD/DNS controller:
# Create the zone scopes (one per office)
Add-DnsServerZoneScope -ZoneName "my.local" -Name "Scope149"
Add-DnsServerZoneScope -ZoneName "my.local" -Name "Scope33"

# Create the DNS records in each scope (same name, different address per scope)
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "proxy" -IPv4Address 10.149.0.200 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "proxy" -IPv4Address 10.33.0.200 -ZoneScope "Scope33"
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "wsus" -IPv4Address 10.149.0.209 -ZoneScope "Scope149"
Add-DnsServerResourceRecord -ZoneName "my.local" -A -Name "wsus" -IPv4Address 10.33.0.201 -ZoneScope "Scope33"

# On every controller:
# Create the client subnets (matched against the source IP of the query)
Add-DnsServerClientSubnet -Name "Subnet149" -IPv4Subnet 10.149.0.0/16
Add-DnsServerClientSubnet -Name "Subnet33" -IPv4Subnet 10.33.0.0/16
Add-DnsServerClientSubnet -Name "SubnetTotal" -IPv4Subnet 10.0.0.0/8

# Create the query resolution policies that map a subnet to a zone scope;
# the last one sends the rest of 10.0.0.0/8 to the default scope (named after the zone)
Add-DnsServerQueryResolutionPolicy -Name "Policy149" -Action ALLOW -ClientSubnet "eq,Subnet149" -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope149" -ZoneName "my.local"
Add-DnsServerQueryResolutionPolicy -Name "Policy33" -Action ALLOW -ClientSubnet "eq,Subnet33" -Condition AND -FQDN "eq,proxy.my.local,wsus.my.local" -ZoneScope "Scope33" -ZoneName "my.local"
Add-DnsServerQueryResolutionPolicy -Name "PolicyTotal" -Action ALLOW -ClientSubnet "eq,SubnetTotal" -ZoneScope "my.local" -ZoneName "my.local"

# Enable the policies
Enable-DnsServerPolicy -Level Zone -ZoneName "my.local" -Name "Policy149"
Enable-DnsServerPolicy -Level Zone -ZoneName "my.local" -Name "Policy33"
Enable-DnsServerPolicy -Level Zone -ZoneName "my.local" -Name "PolicyTotal"

# Global query block list: block only isatap (the default also blocks wpad),
# so a wpad record in the zone is answered
dnscmd /config /globalqueryblocklist isatap
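
The same mechanism applied to the scenario in the question (one office gets the LAN address, the other office gets the public address, same name), as an added example that is not part of the answer above. Zone name, record name, subnets, DC name and addresses are assumptions for illustration; 203.0.113.10 is a documentation-range address standing in for the real public IP.

```powershell
# Added example: one service name, LAN answer for office A, public answer for office B.
# All names and addresses below are assumed for illustration.
$Zone     = "my.local"
$Record   = "portal"
$LocalIP  = "10.149.0.50"    # office A, where the service actually runs
$PublicIP = "203.0.113.10"   # documentation-range stand-in for the published address
$DcInB    = "dc-b.my.local"  # a DC that office B clients query (assumed name)

# Client subnets: the policy is evaluated on the source IP the DNS server sees,
# so office B clients must query a DC that carries this policy, not a forwarder.
Add-DnsServerClientSubnet -Name "OfficeA" -IPv4Subnet "10.149.0.0/16"
Add-DnsServerClientSubnet -Name "OfficeB" -IPv4Subnet "10.33.0.0/16"

# Zone scope holding the public answer. The default scope (named like the zone)
# keeps the normal internal record, so nothing else in the zone changes.
Add-DnsServerZoneScope -ZoneName $Zone -Name "OfficeBScope"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $Record -IPv4Address $PublicIP -ZoneScope "OfficeBScope"

# Default-scope record (what everyone who matches no policy gets); create it only if missing.
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $Record -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $Record -IPv4Address $LocalIP
}

# Policy: only office B, only this FQDN, answered from OfficeBScope.
# Office A and every other subnet fall through to the default scope, i.e. the LAN address.
Add-DnsServerQueryResolutionPolicy -Name "PortalPublicForOfficeB" -Action ALLOW `
    -ClientSubnet "eq,OfficeB" -Condition AND -FQDN "eq,$Record.$Zone" `
    -ZoneScope "OfficeBScope" -ZoneName $Zone

# Checks: what each scope holds, and which policies the zone has.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Record -RRType A
Get-DnsServerResourceRecord -ZoneName $Zone -Name $Record -RRType A -ZoneScope "OfficeBScope"
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, Action, IsEnabled, ProcessingOrder

# Resolve from a host in each office; the answer depends on the querying host's source IP,
# so run this on a machine in office B to see $PublicIP and in office A to see $LocalIP.
Resolve-DnsName -Name "$Record.$Zone" -Type A -Server $DcInB -DnsOnly
```

Client subnets and policies live per server, so repeat that part on every DC that clients in either office use for DNS; what the Resolve-DnsName check prints is what the machine you run it on would get, which is the point of the test.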

Vadim, 2019-10-22
@dark_rain

1) Make 2 different names for the service with different IPs. If the service itself cannot respond to 2 names, one of them can be served through a reverse proxy.
2) Study DNS policy if the OS is recent enough. It seems it can give a different IP depending on the DNS client's address.
3) Create a separate, non-AD-integrated, non-replicated DNS zone (a subdomain or another domain) and create a record for the service in it.
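
Option 3 worked through, as an added example that is not part of the answer above: a file-backed primary zone is local to the DNS server it is created on, so each site's DC can hold its own copy with its own answer. Zone name, host name, DC name and addresses are assumptions; 203.0.113.10 is a documentation-range stand-in for the public IP.

```powershell
# Added example for option 3. Names and addresses are assumed for illustration.
$SubZone  = "svc.my.local"   # subdomain of the AD zone; the AD-integrated zone itself is untouched
$HostName = "portal"
$DcInA    = "dc-a.my.local"  # assumed DC name for office A

# On the DC(s) that office A clients use: a file-backed (not DS-integrated,
# therefore not replicated) primary zone with the LAN address.
Add-DnsServerPrimaryZone -Name $SubZone -ZoneFile "$SubZone.dns"
Add-DnsServerResourceRecord -ZoneName $SubZone -A -Name $HostName -IPv4Address "10.149.0.50"

# On the DC(s) that office B clients use: same zone name, different answer.
Add-DnsServerPrimaryZone -Name $SubZone -ZoneFile "$SubZone.dns"
Add-DnsServerResourceRecord -ZoneName $SubZone -A -Name $HostName -IPv4Address "203.0.113.10"

# Check: the zone is file-backed and not DS-integrated, and the server answers from its own copy.
Get-DnsServerZone -Name $SubZone | Format-List ZoneName, ZoneType, IsDsIntegrated, ZoneFile
Resolve-DnsName -Name "$HostName.$SubZone" -Type A -Server $DcInA -DnsOnly
```

Every DC that clients in a site use must carry that site's copy: a DC that is authoritative for my.local but has no svc.my.local zone answers NXDOMAIN for portal.svc.my.local rather than asking anyone else.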

iddqda, 2019-10-23
@iddqda

Split DNS implemented, inside the network you go by the local IP, outside by the public one

and continue from this point...
from inside some other separate network you go by a third IP,
from another separate network by a fourth, and so on.
The 1st, 2nd, 3rd, 4th IPs are arbitrary; they may match, or even be not an IP but another record: SRV, TXT, etc.
In short, split DNS is not limited to 2 zones.
PS
It won't hurt if TLS is inside IPsec, and not the other way round.
