When managing a corporate network with both internal and external resources, DNS resolution often presents unique challenges. The scenario involves a Windows Server 2003 DNS server (172.16.0.12) serving an intranet domain (*.dev.nls) while forwarding external requests to public DNS servers. The specific pain point emerges when internal users need to access mail.nlscan.com, which currently resolves to the external IP (202.101.116.9) rather than the internal mail server (172.16.0.10).
Traditional approaches like creating a full nlscan.com zone aren't feasible because:
- The public zone contains numerous records managed by the ISP
- Maintaining zone synchronization would create administrative overhead
- Any changes to the public zone would require internal DNS updates
The most elegant solution involves creating a subzone specifically for the mail server:
dnscmd /ZoneAdd mail.nlscan.com /Primary /file mail.nlscan.com.dns
Then create an A record in this zone:
dnscmd /RecordAdd mail.nlscan.com @ A 172.16.0.10
For those preferring not to create zones, conditional forwarding offers another option:
# PowerShell implementation (DnsServer module, Windows Server 2012 or later; Server 2003 only has dnscmd)
# The master must be a DNS server that actually holds the internal view of the zone;
# 172.16.0.12 is this server's own address, and a server cannot usefully forward to itself
Add-DnsServerConditionalForwarderZone -Name "nlscan.com" -MasterServers 172.16.0.12
# The cmdlet has no -Forwarder parameter; the master list is changed with -MasterServers
Set-DnsServerConditionalForwarderZone -Name "nlscan.com" -MasterServers 172.16.0.12
While modifying the hosts file on individual machines might seem tempting, this approach:
- Doesn't scale for enterprise environments
- Creates maintenance challenges
- Breaks when laptops move between networks
- Isn't recognized by Windows DNS server service
When implementing this solution, consider these technical details:
- TTL values should be set appropriately to balance caching and flexibility
- DNS security (DNSSEC) considerations if implemented
- Impact on existing DNS caching
- Monitoring for resolution failures
After implementation, verify with these commands:
nslookup mail.nlscan.com 172.16.0.12
Resolve-DnsName mail.nlscan.com -Server 172.16.0.12
Expected output should show the internal IP (172.16.0.10) when queried from the internal network.
When dealing with internal network infrastructure, we often encounter situations where public DNS resolution creates inefficient routing paths. A classic example occurs with mail servers that need to be accessible both internally and externally, but where internal users shouldn't traverse the firewall unnecessarily.
The scenario presents these characteristics:
- Internal DNS server (172.16.0.12) handles intranet domains (*.dev.nls)
- Acts as forwarder for external domains (*.google.com)
- Mail server accessible via:
• Internal IP: 172.16.0.10
• Public IP: 202.101.116.9 (through firewall NAT)
While the Windows hosts file (located at %SystemRoot%\System32\drivers\etc\hosts) affects local name resolution, the Microsoft DNS service doesn't reference this file. The service maintains its own zone databases.
Here's how to properly implement the solution in Windows Server 2003 DNS:
# PowerShell snippet to create the zone (run on DNS server)
# Requires the DnsServer module (Windows Server 2012 or later); on Server 2003 use dnscmd instead
Add-DnsServerPrimaryZone -Name "mail.nlscan.com" -ZoneFile "mail.nlscan.com.dns"
# -CreatePtr only succeeds if a reverse lookup zone covering 172.16.0.10 already exists; omit it otherwise
Add-DnsServerResourceRecordA -Name "@" -ZoneName "mail.nlscan.com" -IPv4Address "172.16.0.10" -CreatePtr
For manual configuration via DNS Manager:
1. Open DNS Management Console
2. Right-click 'Forward Lookup Zones'
3. Select 'New Zone'
4. Choose 'Primary zone'
5. Enter "mail.nlscan.com" as zone name
6. Create a blank A record (leave name field empty) pointing to 172.16.0.10
This approach offers several advantages:
- Doesn't interfere with ISP's management of nlscan.com
- Only intercepts the specific mail hostname
- Maintains external resolution for other nlscan.com subdomains
- Provides consistent hostname regardless of network location
To test your configuration:
1. From an internal client, run nslookup mail.nlscan.com 172.16.0.12
2. Verify it returns 172.16.0.10
3. From an external client, verify it still returns 202.101.116.9
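The verification steps above, and the nslookup/Resolve-DnsName check in the first section, can be scripted so that both views are checked the same way every time. This is an added example, not code from the original page: a stdlib-only Python checker that sends a raw A query to one chosen server and compares the answer with the address that view should return. SAMPLE_INTERNAL_RESPONSE is a constructed packet so the parser can be exercised offline; resolve_a is the function to point at 172.16.0.12 from inside and at a public resolver from outside.

```python
import socket
import struct

def build_a_query(name, txid=0x1234):
    """Build a minimal recursive DNS query (QTYPE=A, QCLASS=IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def parse_a_answers(msg):
    """Extract IPv4 addresses from the answer section; [] when RCODE is an error."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:              # RCODE other than NOERROR
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                     # skip RDATA of any record type
    return addrs

def resolve_a(name, server, timeout=2.0):
    """Query one specific server over UDP and return its A answers as strings."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (server, 53))
        data, _peer = sock.recvfrom(512)
    return parse_a_answers(data)
def view_is_correct(answers, expected):
    """True only when a view returns exactly the address that view should see."""
    return answers == [expected]
# Constructed response (not captured from a live server): mail.nlscan.com A 172.16.0.10, TTL 300
SAMPLE_INTERNAL_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"    # header: 1 question, 1 answer
                            b"\x04mail\x06nlscan\x03com\x00\x00\x01\x00\x01"        # question section
                            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xac\x10\x00\x0a")  # answer RR
```

Run view_is_correct(resolve_a("mail.nlscan.com", "172.16.0.12"), "172.16.0.10") from an internal client and the same call against a public resolver with "202.101.116.9" from outside; a False on either side means one view is leaking into the other.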
For more complex scenarios, consider conditional forwarding:
# Configure conditional forwarding for specific domains
$forwarder = '8.8.8.8','8.8.4.4'   # Your ISP's DNS or public DNS
Add-DnsServerConditionalForwarderZone -Name "nlscan.com" -MasterServers $forwarder
# A conditional forwarder zone must exist before Set-* can modify it, so the more specific
# zone is added here; its master must be a DNS server that holds the internal view
# (172.16.0.12 is this server's own address, so forwarding there would only loop)
Add-DnsServerConditionalForwarderZone -Name "mail.nlscan.com" -MasterServers 172.16.0.12
This method provides more granular control when dealing with multiple subdomains that require different resolution behavior.