Dynamic DNS updates over the Internet (AD-integrated zones)

Vita 76 Reputation points
2022-04-05T17:02:34.123+00:00

I want to use Windows Server (AD-integrated, DNS Policies) for public DNS and use dynamic updates over the Internet, like BIND and other servers do. I'd like to use a subdomain first too to make sure it works before considering ditching my nameservers from Cloudflare. I'll use another Windows system to contact the remote servers where it should register itself, and it's going to have to be behind NAT since I don't trust Windows to let it make outbound connections on its own without a firewall where it can whitelist itself.

Way back I had read that it's the DHCP client that actually updates DNS. I won't be using DHCP, not from Windows Server at least. I won't be tunneling in either; I don't even need communication between these hosts beyond what is necessary to update the client machine's record(s) with its most recent IP address. Another way things are found in AD is through DNS itself, but the records needed for service discovery are never public.

So I'm trying to figure out if Windows can perform public dynamic updates at all because I don't quite understand how it would and the documentation doesn't specifically mention this. Not so far.

Among the last things I learned, though, was that Windows uses a slight twist on the same standard BIND uses for dynamic updates, RFC 2136—something like "Kerberized TSIGs", so I'm optimistic it can be done. :)

Can it? How? Would the client need to be like a slave/secondary zone or something, a delegation maybe? Do I need to join the machine to the domain before moving it off it?

Alternatives are welcome too.
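A worked illustration of the RFC 2136 mechanics the question refers to, added here and not from the poster or from Microsoft: it builds a minimal UPDATE message (opcode 5) adding an A record, then applies the check a secure-only zone applies, namely whether the message ends with a TSIG RR (type 250). Windows secure dynamic update is GSS-TSIG (RFC 3645), which carries its Kerberos-derived MAC in that same TSIG record; the zone, host name and IP are constructed sample values, and the TSIG record here is a placeholder with no real MAC.

```python
import struct
OPCODE_UPDATE, CLASS_IN, CLASS_ANY = 5, 1, 255
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(buf, pos):
    """Return the offset just past a (possibly compressed) name at pos."""
    while True:
        length = buf[pos]
        if (length & 0xC0) == 0xC0:        # compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def build_update(zone, host, ip, txn_id=0x1234, signed=False):
    """Minimal RFC 2136 UPDATE adding an A record for host in zone."""
    hdr = struct.pack("!HHHHHH", txn_id, OPCODE_UPDATE << 11, 1, 0, 1, int(signed))
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    upd = encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + rdata
    msg = hdr + zone_sec + upd
    if signed:
        # Constructed placeholder: algorithm name plus zeroed fields, no real MAC
        tsig_rdata = encode_name("gss-tsig") + b"\x00" * 16
        msg += encode_name(host) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(tsig_rdata))
        msg += tsig_rdata
    return msg

def inspect_update(msg):
    """Walk the sections; report the opcode and whether a TSIG RR closes the message."""
    _id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(zo):                        # zone section: name, type, class
        pos = skip_name(msg, pos) + 4
    last_type = None
    for _ in range(pr + up + ad):              # prerequisite, update, additional RRs
        pos = skip_name(msg, pos)
        last_type, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
    return {"opcode": (flags >> 11) & 0xF, "tsig": ad > 0 and last_type == TYPE_TSIG}

def accept_update(msg, secure_only=True):
    """Policy a secure-only zone applies: drop updates without a TSIG signature."""
    info = inspect_update(msg)
    return info["opcode"] == OPCODE_UPDATE and (info["tsig"] or not secure_only)
```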


1 answer

  1. Anonymous
    2022-04-05T17:43:45.187+00:00

    No, this isn't going to work. An Active Directory domain can only use domain DNS servers to answer name server queries about Active Directory. Public DNS servers would not have any knowledge of your Windows Active Directory domain. Site to site needs to be a LAN or VPN connection.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
