Put me out of my misery! Restrict DNS lookup info based on site

Preston Cole 6 Reputation points
2020-08-05T19:53:19.363+00:00

Hi all

I have a flat Windows domain domain.corp
The domain has 4 sites.
In each site I have DCs, and file servers. I am using DFS and namespaces.

The 4 sites relate to 4 physical offices, 192.168.250.0/24, 192.168.150.0/25, 192.168.50.0/24, and 192.168.10.0/24.
There are 2 site to site VPNs for satellite offices that come from 192.168.125.0/24 and 192.168.126.0/24.
All sites communicate over VPNs.
I don't manage the firewalls.
All sites can talk to each other. The 2 site to site VPNs for satellite offices can only reach the first 2 sites.
I have mobile users that use VPN clients on their machines. I can have them connect to 1 or more of the sites by creating a VPN for each, but really only want a connection to their local site. (We have HK, UK, NY locations)
The client VPNs only talk to the site they connect into.
The client VPNs are configured with the inside DNS servers, and that works fine.
The client VPNs get IP addresses unique to the site they're connecting into, so for example, I connect into the site 192.168.250.0/24 and I get IP address 172.30.108.0/24. Site 192.168.150.0/24 would give me 172.30.100.0/24 etc etc. These subnets have all been added to the AD Sites, and DFS namespaces have been configured to not refer to servers outside of their site.

OK, all of this works pretty well, but not with the namespaces.

Let's say I create a VPN from a mobile user into the site with LAN 192.168.250.0/24. I get 172.20.108.10 as my IP address. Cool.
Most of the time I can't connect to \\domain.corp\namespace
Now, when I NSLOOKUP domain.corp, I get the round robin response with all of the IP addresses of all of the DNS servers around the 4 sites, just like I do when I'm inside the LAN.
My question is, can I make DNS respond to a query for domain.corp with JUST the DNS servers that are in that site, and so make the \\domain.corp\namespace work?

Does that make sense?

Head spinning!

Windows 2008, 2012, 2016 and 2019.
DFS only on 2019

Thanks in advance


1 answer

  1. Candy Luo 12,686 Reputation points Microsoft Vendor
    2020-08-06T02:45:16.007+00:00

    Hi,

    You might consider using DNS policy for Geo-Location Based Traffic Management with Primary Servers, as in the picture below:

    (image: 15927-image.png)

    In this way, you can allow primary and secondary DNS servers to respond to DNS client queries based on the geographical location of both the client and the resource to which the client is attempting to connect, providing the client with the IP address of the closest resource.

    For more details about DNS Policy for Geo-Location, please refer to the following link:

    https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/primary-secondary-geo-location

    https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview

    ---Please Accept as answer if the reply is helpful---

    Best Regards,

    Candy

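As an added example (not part of the answer above and not Microsoft's own sample), the following PowerShell applies the geo-location DNS policy it describes to the scenario in the question: a client subnet made of the 192.168.250.0/24 site LAN plus that site's VPN client pool 172.30.108.0/24, a zone scope for domain.corp containing apex A records only for that site's domain controllers, and a query resolution policy that answers matching clients from that scope. The scope and policy names and the DC addresses 192.168.250.10 and .11 are placeholders. DNS policies and zone scopes exist from Windows Server 2016 onward, so this runs only on the 2016/2019 DNS servers, and they are per-server settings, not replicated through Active Directory, so repeat it on every DNS server that VPN clients use.

```powershell
# Added example, not code from the original answer.
# Assumptions (placeholders): scope/policy names and the DC addresses below.
# Run on each Windows Server 2016+ DNS server that VPN clients are pointed at;
# DNS policies and zone scopes are local to the server and are not AD-replicated.

$Zone = 'domain.corp'

# 1. Client subnet: the NY site LAN plus the VPN client pool handed out at that site.
Add-DnsServerClientSubnet -Name 'NY-Clients' `
    -IPv4Subnet '192.168.250.0/24','172.30.108.0/24'

# 2. Zone scope that will hold only the NY copies of the zone apex records.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'NY-Scope'

# 3. Apex A records in that scope: only the NY domain controllers (placeholder IPs).
#    Dynamic (Netlogon) registration only populates the default scope, so these
#    records are static and must be updated by hand when a DC changes address.
foreach ($ip in '192.168.250.10','192.168.250.11') {
    Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'NY-Scope' `
        -A -Name '@' -IPv4Address $ip -TimeToLive 00:10:00
}

# 4. Policy: queries for domain.corp from NY-Clients are answered from NY-Scope.
#    Clients that match no policy still get the default scope, i.e. the
#    round-robin answer with every DC, exactly as before.
Add-DnsServerQueryResolutionPolicy -Name 'NY-Policy' -Action ALLOW `
    -ZoneName $Zone -ClientSubnet 'eq,NY-Clients' -ZoneScope 'NY-Scope,1'

# Verify the policy is in place on this server.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone

# From a VPN client holding a 172.30.108.x address, this should now return only
# the two NY addresses instead of all four sites' DCs:
#   Resolve-DnsName -Name domain.corp -Type A -Server 192.168.250.10
```

Repeat steps 1 to 4 for the other three sites with their own LAN and VPN pool subnets, scope names and DC addresses. If a VPN client still receives the full round-robin list, check which source address the DNS server actually sees for that client (for example after NAT on the VPN concentrator), because the policy matches on the query's source address, not on the AD site the client was placed in.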