How can I make my AD DNS server resolve requests for an internet DNS record to an internal IP address for internal clients?

I have the following situation:

A web server that lives in our company intranet has an address in a private range. Certain license restrictions prevent us from changing the private address. Port 443 is made public using port-forwarding over a public address on our gateway. So far so good.

Externally, we use a hosted Linux server with Bind9 as the authoritative name server for the mycorp.com domain. This server resolves our web server FQDN to the external, public address, so:

superwebsite.mycorp.com -> 209.85.148.103 (apologies to google)

Internally, we use a Windows 2003 Active Directory server as a DNS server. This server is authoritative for our intranet domain and resolves the internal FQDN of our server to the private address, so:

superwebsite.mycorp.localdomain -> 192.168.1.25

We have recently purchased a commercial SSL certificate for superwebsite.mycorp.com, so we need our internal AD Server to resolve the public FQDN to the private address, so:

superwebsite.mycorp.com -> 192.168.1.25

We also would like to serve Subversion repositories from this server, so it is important that the external URL be the same as the internal, otherwise developers will have trouble with their workspaces...

How can I tell Active Directory to resolve this one specific FQDN to the private address? Obviously I can't create the zone superwebsite.mycorp.com inside the intranet: this would cause the AD DNS server to consider itself authoritative and ignore the real authoritative server outside of the intranet.


Solution 1:

I can't create the zone superwebsite.mycorp.com inside the intranet: this would cause the AD DNS server to consider itself authoritative and ignore the real authoritative server outside of the intranet.

You can, and that's the only way you're going to get what you want. I've had similar setups in the past, and as dirty as doing this will make you feel, I've never had issues doing it.

The key is to create a zone whose name matches the FQDN, superwebsite.mycorp.com, not for mycorp.com as a whole. Then create a new A record in the zone with the relevant IP.

The only time this will present a problem is:

  • When the IP changes, you must remember to update it internally.
  • If you ever use 4th level names, i.e. something.superwebsite.mycorp.com, you also need to maintain these both in the Internet DNS and the internal DNS.

Solution 2:

You actually can create a record in a zone without having that zone defined in your DNS server; the key is treating that record like a lower-level zone:

  • Create a zone in your internal DNS called "superwebsite.mycorp.com".
  • Create an empty "A" record in it, pointing to your server's internal IP address.

The empty record will match the zone it's in, so it will match queries for "superwebsite.mycorp.com"; your DNS server will treat it as a zone, but it will actually behave like a standard A record.
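Both answers describe the same procedure: a zone named after the host itself (not mycorp.com), plus a blank/same-as-parent A record at the zone apex. The following is an added example, not code from either answerer; it uses the DnsServer PowerShell module (Windows Server 2012 and later, so newer than the 2003 box in the question) and shows the dnscmd equivalent that exists on Windows Server 2003. The DNS server name dc01 and the sibling name www.mycorp.com are placeholders, and the check at the end confirms that only the one FQDN is overridden while the rest of mycorp.com is still answered by the public authoritative server.

```powershell
# Added example, not from the original Q&A. Assumes the DnsServer module
# (Windows Server 2012+); dnscmd lines near the end are the 2003-era equivalent.
$Fqdn        = 'superwebsite.mycorp.com'    # zone name == the full host name, NOT mycorp.com
$InternalIp  = '192.168.1.25'
$InternalDns = 'dc01.mycorp.localdomain'    # placeholder AD DNS server (assumption)
$PublicDns   = '8.8.8.8'                    # any public resolver, used only for the comparison
$Sibling     = 'www.mycorp.com'             # placeholder sibling name that must NOT be affected

# 1. Create a zone whose name is exactly the FQDN, AD-integrated so every DC serves it.
#    Because the zone is superwebsite.mycorp.com and not mycorp.com, the server stays
#    non-authoritative for everything else under mycorp.com and keeps forwarding it.
Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope 'Domain' -ComputerName $InternalDns

# 2. The "empty" (same-as-parent) A record: Name '@' places it at the zone apex, so it
#    answers queries for superwebsite.mycorp.com itself.
Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $InternalIp -ComputerName $InternalDns

# Windows Server 2003 equivalent, run on the DC (dnscmd has no module, so plain commands):
#   dnscmd dc01 /ZoneAdd superwebsite.mycorp.com /DsPrimary
#   dnscmd dc01 /RecordAdd superwebsite.mycorp.com @ A 192.168.1.25

# 3. Verify the split view. Internal clients must get the private address, the public
#    view must remain the public one, and a sibling host must still resolve via forwarding.
function Get-FirstA([string]$Name, [string]$Server) {
    (Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
}

$inside  = Get-FirstA -Name $Fqdn    -Server $InternalDns
$outside = Get-FirstA -Name $Fqdn    -Server $PublicDns
$other   = Get-FirstA -Name $Sibling -Server $InternalDns

if ($inside -ne $InternalIp) { throw "Internal view returned $inside, expected $InternalIp" }
if ($outside -eq $InternalIp) { throw "Private address is visible from the Internet view" }
if (-not $other) { throw "Sibling $Sibling no longer resolves internally: zone is too broad?" }

"OK: $Fqdn -> $inside inside, $outside outside; $Sibling -> $other still forwarded"
```

The third check is the one that catches the mistake Solution 1 warns about: if the zone had been created as mycorp.com instead of superwebsite.mycorp.com, the sibling lookup would fail internally because the AD DNS server would now consider itself authoritative for the whole domain. The IP-change caveat from Solution 1 still applies; this script only creates and verifies the override, it does not keep the two views in sync.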