We have a strange case going on at our office; I'm not an Active Directory (AD) expert.
We have an internal zone in Active Directory that delegates a subdomain out to an AWS private hosted zone in a VPC (connected over VPN).
With the VPN connected, hosts in the VPC are pingable from the AD side.
AWS does not allow connections to its DNS servers from outside of the VPN; their suggestion is to host proxies that forward DNS queries to the AWS DNS server.
So we have 2 boxes that use iptables to forward UDP and TCP 53 to our AWS-hosted DNS servers.
From the Active Directory side I can confirm DNS is indeed being forwarded, using nslookup:

    nslookup <aws_domain> <dns_proxy_ip>
    Server:  <dns_proxy_ip>
    Address: <dns_proxy_ip>#53

    Non-authoritative answer:
    Name:    <aws_domain>
    Address: <correct_ip>

We have added the subdomain to Active Directory as a delegated DNS zone. We cannot use conditional forwarding; we can't have Active Directory manage part of the DNS.
So... we see extremely strange behavior.
I can query Active Directory DNS, and our AWS domains do not show up:

    nslookup <aws_domain> <active_directory_ip>
    Server:  <active_directory_ip>
    Address: <active_directory_ip>#53

    ** server can't find <aws_domain>: NXDOMAIN

However, on any laptop connected to AD I can query the AWS DNS servers...

    nslookup <aws_domain> <dns_proxy_ip>
    Server:  <dns_proxy_ip>
    Address: <dns_proxy_ip>#53

    Non-authoritative answer:
    Name:    <aws_domain>
    Address: <correct_ip>

And now... the laptop (using the regular AD name servers) can see the correct response from AD:

    nslookup <aws_domain> <active_directory_ip>
    Server:  <active_directory_ip>
    Address: <active_directory_ip>#53

    Non-authoritative answer:
    Name:    <aws_domain>
    Address: <correct_ip>

It's a little disturbing that 1 laptop (out of hundreds) can affect the whole system.
What I want done, though, is to have Active Directory forward out to the private hosted zone.
Apologies for the long post. I don't know how to make this craziness more succinct.
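As an added example that is not part of the original post: a shell script for the kind of DNS proxy box described above, emitting the iptables DNAT and forward rules that relay UDP and TCP port 53 from the AD DNS servers to a resolver inside the VPC over the VPN. The subnet 10.1.0.0/24, the resolver address 10.20.0.2 and the interface name eth0 are assumed placeholders, not values from the post.

```shell
#!/bin/sh
# Added example (not from the post): iptables rules for a DNS proxy box that
# relays UDP/TCP 53 from the AD DNS servers to a resolver inside the AWS VPC.
# Every address and the interface name below is a hypothetical placeholder.
AD_DNS_NET="${AD_DNS_NET:-10.1.0.0/24}"   # subnet the AD DNS servers query from (assumed)
AWS_DNS="${AWS_DNS:-10.20.0.2}"           # VPC resolver reachable over the VPN (assumed)
LAN_IF="${LAN_IF:-eth0}"                  # interface facing the AD network (assumed)

# Emit the iptables commands for one transport (udp or tcp) without running
# them, so the rule set can be reviewed or diffed against `iptables-save` first.
# The -s match keeps the box from becoming an open DNS relay into the VPC;
# MASQUERADE makes the query arrive from the proxy's own VPN-facing address.
dns_proxy_rules() {
  proto="$1"
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $AD_DNS_NET -p $proto --dport 53 -j DNAT --to-destination $AWS_DNS:53
iptables -A FORWARD -i $LAN_IF -s $AD_DNS_NET -p $proto -d $AWS_DNS --dport 53 -j ACCEPT
iptables -A FORWARD -p $proto -s $AWS_DNS --sport 53 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p $proto -d $AWS_DNS --dport 53 -j MASQUERADE
EOF
}

# Full rule set: routing must be on, and both transports are needed because
# answers larger than 512 bytes (or DNSSEC-signed ones) fall back to TCP.
all_dns_proxy_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  dns_proxy_rules udp
  dns_proxy_rules tcp
}

# Apply for real only when explicitly asked (`./dns-proxy.sh apply`, as root);
# by default just print the rules for review.
if [ "${1:-}" = "apply" ]; then
  all_dns_proxy_rules | sh -e
else
  all_dns_proxy_rules
fi
```

Once the rules are in place, the same nslookup against the proxy's address that the post shows is the check that the relay works; a query that succeeds over UDP but hangs for large answers usually means the TCP rules were left out.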