
I currently have set up my Windows DNS to forward to OpenDNS. However, all traffic in OpenDNS shows up from the IP of my local Windows DNS server. Is there any way I can make the individual devices look to the local DNS and, if they don't find what they are looking for, look at OpenDNS? This way OpenDNS would see the devices themselves and not just the Windows DNS server. Or is there a way to have a public DNS and a private DNS?

All of my devices do not share a single IP, but OpenDNS is seeing the DNS requests coming from our local DNS server, which is required for Active Directory.

Thanks in advance for your help!

1 Answer


We occasionally get questions about how one can selectively look up DNS domains at the client level, but it's simply not the job of the client to do that. Resolver libraries are dumb by design and expect the upstream recursor to do the heavy lifting for them.

  • The only way to solve this problem at the client level is for the client itself to operate a DNS server (not necessarily a full one, dnsmasq and the like are common solutions in Unix space), and have the client use 127.0.0.1 for its DNS. This is rarely ever done on Windows servers.
  • The recursor (Windows DNS) is responsible for preventing leakage to the upstream forwarder (OpenDNS). If the request is for a FQDN managed by AD, that query should not hit OpenDNS. Short names (foo as opposed to foo.example.com) will leak if you have a search suffix defined on the client that is not a domain your AD infrastructure considers itself authoritative for.

If this answer does not satisfy you, please update your question to include the search domains used by the client and an example of a query that is leaking to OpenDNS.

Andrew B
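As an added illustration of the first bullet (not part of the answer or the asker's setup): a dnsmasq configuration for a Unix client that resolves via 127.0.0.1, sends only the AD zone to the Windows DNS server and everything else straight to OpenDNS, so OpenDNS sees the client's own address. The AD zone `corp.example.com`, the Windows DNS address `192.0.2.10` and the `192.0.2.0/24` reverse zone are placeholders; the two OpenDNS resolver addresses are OpenDNS's publicly documented ones.

```conf
# /etc/dnsmasq.conf on the client (added example; zone names and 192.0.2.x addresses are placeholders)

# Listen only on loopback; the client's resolv.conf then points at 127.0.0.1
listen-address=127.0.0.1
bind-interfaces

# Ignore the system resolv.conf and use only the upstream servers listed here
no-resolv

# Queries for the AD zone (forward and reverse) go to the Windows DNS server and nowhere else
server=/corp.example.com/192.0.2.10
server=/2.0.192.in-addr.arpa/192.0.2.10

# Everything else goes directly to OpenDNS, so OpenDNS sees this client's IP
server=208.67.222.222
server=208.67.220.220

# Refuse to forward dotless names upstream
domain-needed

# Refuse to forward reverse lookups for RFC 1918 space upstream
bogus-priv
```

`domain-needed` only catches names that reach dnsmasq without a dot; a name the client's stub resolver has already expanded with a non-AD search suffix arrives as an FQDN and is forwarded, which is exactly the leak the second bullet describes, so the client's search list still needs to contain only AD domains.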