new DNS zone with Forward to external DNS

Would something like this work for you:



I hope I understood the question, but I'll include 2 scenarios just in case:

SCENARIO #1 - you want to forward unresolved requests externally

This is easy to do: you can either leave the default alone, which will forward unresolved DNS lookups to the root hint servers, or go to the Forwarders tab inside Properties of your DNS server in the DNS admin tool. Set the appropriate external FQDN or IP address of the external DNS server you want responsible for forwarded lookups (for instance you could use your ISP's DNS server, or something like 8.8.8.8, which is Google's public DNS server).

SCENARIO #2 - you want to resolve names you own like mail.example.com locally

If you want to resolve names that normally exist externally to internal IP addresses, for instance your mail server that you host internally, then you can create authoritative DNS forward lookup zones for that domain name (example.com). Then add ALL of the A records required, such as MAIL, WWW, FTP, etc. and set their IPs to either their internal OR their external IP addresses (if they aren't hosted locally). You would need to include all the A records like WWW that you want internal users to be able to access via DNS FQDN, because once the local DNS server(s) become authoritative for that domain name they won't forward unresolved hostnames externally at that point.


Maybe you could do something funky with Bind views, but not with Microsoft DNS. With Microsoft DNS, a server is either authoritative for a zone, or it is not. There is no "semi-authoritative."

You can set up a conditional forwarder for example.com to forward all queries for example.com to the specified name servers. You can set up a stub zone for example.com to forward all queries for example.com to the specified name servers. But not like what you're talking about. If you set up a Forward Lookup Zone for example.com on your internal DNS server, then your DNS will simply start returning NXDOMAIN for every query for *.example.com that isn't in your lookup zone.

My basic advice (assuming you own example.com) would be to name your internal Active Directory as a subdomain of example.com, such as corp.example.com. Then your internal clients should be configured to look for mail.corp.example.com when they want to use the internal mail server, and mail.example.com when they want to use the external mail server.
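As an added example (not code from any of the answers above), here are the three Microsoft DNS configurations the answers describe, expressed with the DnsServer PowerShell module on the internal DNS server. The IP addresses, the `corp` subdomain and AD-integrated zone storage are assumptions for the example.

```powershell
# Added example: the alternatives discussed above, as DnsServer cmdlets.
# A server cannot hold both a conditional forwarder and an authoritative
# zone for the same name, so pick ONE of alternatives A and B.
# All IP addresses below are placeholders.

Import-Module DnsServer

# --- Alternative A: conditional forwarder (or stub zone) for example.com ---
# Queries for example.com go to the listed name servers; the local server
# stays NON-authoritative, so nothing under example.com is answered locally.
Add-DnsServerConditionalForwarderZone -Name 'example.com' `
    -MasterServers 203.0.113.10, 203.0.113.11

# --- Alternative B (scenario #2): authoritative internal copy of example.com ---
# Once this zone exists, any example.com name NOT listed here gets NXDOMAIN
# for internal clients (the point the last answer makes), so add every
# public host, with internal or external addresses as appropriate.
Add-DnsServerPrimaryZone -Name 'example.com' -ReplicationScope 'Domain'   # assumes AD-integrated
Add-DnsServerResourceRecordA -ZoneName 'example.com' -Name 'mail' -IPv4Address 10.0.0.25    # hosted internally
Add-DnsServerResourceRecordA -ZoneName 'example.com' -Name 'www'  -IPv4Address 198.51.100.8 # hosted externally
Add-DnsServerResourceRecordA -ZoneName 'example.com' -Name 'ftp'  -IPv4Address 198.51.100.9 # hosted externally

# --- Alternative C (last answer): keep AD in a subdomain, leave example.com alone ---
# example.com is resolved via normal forwarders; only corp.example.com is local.
Set-DnsServerForwarder -IPAddress 8.8.8.8
Add-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope 'Domain'
Add-DnsServerResourceRecordA -ZoneName 'corp.example.com' -Name 'mail' -IPv4Address 10.0.0.25

# Check from the server itself: a listed name answers, and under alternative B
# an unlisted name returns NXDOMAIN instead of being forwarded.
Resolve-DnsName -Name 'mail.example.com'    -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'missing.example.com' -Server 127.0.0.1 -Type A -ErrorAction SilentlyContinue
```

Run the `Resolve-DnsName` checks from an internal client too, since the behaviour clients see (forwarded vs. NXDOMAIN) is what determines whether the chosen alternative breaks access to public hosts.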