Discussions

Ask a Question
Back to All

Multiple AD Domain Forwarders

Yesterday I posted that I had figured out how to do this, and I did. But now I have a few more interesting use cases.

The site that I am working on right now has 2 different local active directory domains with no trusts or links between them. They both need AD DNS for local domain resolution only.

Both domains run off the same firewall but seperate physical ports and switches. Right now I have DNS conditional forwarding across both networks to allow roaming clients. But only for 53/UDP to the DNS server applicable to the domain the client is on.

What I'm trying to do is set a listener on all interfaces to listen and send all non-local domain traffic to controld and forward local dns traffic to the applicable domain controller or dns server.

It's working, but only for "upstream.1". I cannot get requests to go to "upstream.2" right now. In nslookup, I am getting request timeouts.

Here's my config:


[listener]
  [listener.0]
    ip = '0.0.0.0'
    port = 5354

    [listener.0.policy]
      name = 'My Policy'
      rules = [
        {		 '*.ad.domain1.org' = ['upstream.1']},
		{		 '*.ad.domain2.com' = ['upstream.2']}
      ]

[network]
  [network.0]
    name = 'Network 0'
    cidrs = ['0.0.0.0/0']

[upstream]
  [upstream.0]
    type = 'doh'
    endpoint = 'https://dns.controld.com/xxxxx'
    timeout = 5000
	
  [upstream.1]
    name = 'AD DNS Domain 1'
    type = 'legacy'
    endpoint = '10.1.1.2:53'
    timeout = 5000

  [upstream.2]
    name = 'AD DNS Domain 2'
    type = 'legacy'
    endpoint = '192.168.1.2:53'
    timeout = 5000

Like I said, ad.domain1 and the corresponding upstream.1 work fine. But things start breaking down for ad.domain2 and upstream.2

I've checked firewall policies and have explicit allows in place at least for 53/udp across the networks so I don't think it's a block. My best guess is that it's either the firewall not wanting to route properly or it's an issue with my config. I'm leaning towards a controld config issue in the above.