Issues resolving DNS entries for multi-homed servers
Posted
by I.T. Support
on Server Fault
See other posts from Server Fault
or by I.T. Support
Published on 2010-03-08T23:43:43Z
Indexed on
2010/03/08
23:51 UTC
Read the original article
Hit count: 571
This is difficult to explain, so bear with me.
We have 2 domain controllers, each multi-homed to straddle 2 internal subnets, (subnet A and subnet B) and provide dns, dhcp, and ldap authentication.
Both domain controllers each have 2 DNS entries. both entries have identical host names, but correspond to subnet A & subnet B respectively (example entries shown):
dc1 host 192.168.8.1
dc1 host 192.168.9.1
dc2 host 192.168.8.2
dc2 host 192.168.9.2
We also have a 3rd subnet for our dmz, (subnet C) which neither domain controller has an IP address on, but our firewall/routing tables provide access to subnet A from subnet C and vice versa, but don't allow access to subnet B from subnet C.
Here's my issue. How can I force/determine which dns entry is used when a server on subnet C queries either domain controller by host name? Right now it seems to randomly pick one of the two entries, swaps out the name for the IP address and that's that.
The problem is if it randomly selects the entry that corresponds to the 9.x subnet B (no access from subnet C), then the server fails to resolve. If it picks the entry for the 8.x subnet A then it resolves (firewall/routing tables defined for communication between these 2 subnets)
Here's what I'd like to know:
- What are Best Practices (if any) for dealing with DNS resolution on subnets that the DNS servers don't have a presence on?
- Can I control something akin to a metric value to force an order of DNS resolution when there are multiple entries for the same host name that correspond to different IP subnets?
- Should I even have 2 DNS HOST entries for the same name?
Here's what I'd like to avoid:
- Making edits to the HOSTS files of servers on subnet C to force DNS resolution of the hostname to the appropriate subnet
- Adding NIC's to the DC's to have them straddle the DMZ as well, thus obtaining a third DNS entry that corresponds to subnet C
Again, my apologies if this was too verbose / unclear.
Thanks!
© Server Fault or respective owner