DNS routing issues when the DNS server is connected to 2 networks

By GreyIT
I have a DC in charge of 2 networks,
network A ( and
network B (

Network A has Gateway A (
Network B has Gateway B (

The DC runs a DNS which resolves all IPs for our workstations. The DNS links up to OpenDNS.

We are a school, so network A is our administration net, and network B is our student net. The student network is filtered by OpenDNS, the admin net is unfiltered.

DNS requests from workstations in network A should be routed by the server to gateway A, requests from workstations in network B should go to gateway B. If they do not, OpenDNS will not properly filter.

Currently, the DNS server routes all requests through gateway A, regardless of whether the request came from network A or B.
Network A is unfiltered at OpenDNS, so they return correct results which then get sent to workstations in network B, who can then surf unfiltered.

How can I force the DNS server to route the requests based on what network the request came from?
Since the DNS listens on 2 IP addresses, one in each network, I assume it is possible somehow to send the requests back to the gateways of their respective networks.

I have tried setting static default routes for each network to their respective gateway, but that does not seem to do the trick.


How about a proxy?

by oldbaritone In reply to DNS routing issues when t ...

I've kicked around several ideas, but each seems to have shortcomings.

I have a SOHO network, and the grown-ups access the internet directly, and the kids go through a proxy server to reach the internet. Routings, time restrictions, and what-have-you are all rules in the proxy. The internet router is set up with both IP and MAC address filters to block direct access by the kids.

For that matter, it can all be done in a proxy server. Allow only the proxy to access the internet, and send everyone through the proxy. Have different rule sets based on IP address. Either way would work.

And a separate proxy server wouldn't impact performance of the file server.

you can't force DNS to route anything, DNS doesn't route

by CG IT In reply to DNS routing issues when t ...

it only resolves queries and, if it can't, forwards them to root hint servers or forwarder servers you specify. That forwarding isn't routing.

Routing is done by a router. So that is what you have to configure.

If you don't have a router, you can install Routing and Remote Access on a Windows server and set the RRAS server to route only [not remote access]. However, to do that, you would need to install a 3rd network card, which becomes the WAN link interface that the routing functions use.

Simpler method is to just configure your router to do the work.

Added note: once you set up the server as a router, all traffic will be routed out the server. That can cause performance problems with the server because it now has to allocate resources such as processor time and memory to the routing functions.

Silly question -

by oldbaritone In reply to DNS routing issues when t ...

What sort of sites would be appropriate for "a school" to access that would not be reachable with the OpenDNS lookup?

Check out their "Block-Page Bypass" feature.
It may accomplish what you want.


by GreyIT In reply to DNS routing issues when t ...

No, no, I don't want the DNS system to route the workstations, I want it to forward its own DNS requests to the NIC from which the request came; in other words, requests from network A need to go back via NIC A to gateway A, requests from network B need to go back via NIC B to gateway B.
After which the workstations can go fetch the site on their own via their gateway.

Right now, OpenDNS thinks that all requests from network B come from network A, because the DNS contacts OpenDNS via network A, regardless of which network the request originated from.

I am using RRAS to route each NIC to its appropriate gateway, but the DNS seems to ignore that and just routes any requests via network A, even if that request came from a workstation on network B.

About a proxy: we are going to be setting up a proxy, probably ISA. But somebody leaked the idea of access-blocking to the teachers, and now nobody (not even the principal) wants to wait until we can get the hardware and software set up. They want a result NOW, and I can't think of anything but OpenDNS to patch the hole.

The RRAS idea you mentioned is faulty since the server does not act as gateway. The networks have their own gateways, the server just serves up DNS replies. Only it goes to contact its own DNS server via network A always, even if it was queried by a workstation in network B; it should send DNS queries from network B to the internet via network B.

The misunderstanding about forwarding: well, maybe I used the wrong term; I do mean the forwarding of its own DNS queries, not the routing of the actual fetching of the site. The server is not a gateway.
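Added example, not from the thread or any poster: on a current Windows DNS Server (2016 or later; the 2003-era server in this thread has no equivalent), DNS policies can choose the forwarder by the client's source subnet, which is the closest built-in answer to the requirement stated above. It assumes each gateway proxies DNS upstream to OpenDNS from its own public IP, so the egress address OpenDNS sees matches the originating network; the subnet and gateway addresses are constructed placeholders.

```powershell
# Added example (not the thread's own configuration). Requires the DnsServer
# module on Windows Server 2016 or later. Addresses below are constructed.
$NetA = '10.0.1.0/24'; $GwA = '10.0.1.1'   # admin net, unfiltered at OpenDNS
$NetB = '10.0.2.0/24'; $GwB = '10.0.2.1'   # student net, filtered at OpenDNS

# 1. Name the two client networks by source subnet of the incoming query.
Add-DnsServerClientSubnet -Name 'NetA' -IPv4Subnet $NetA
Add-DnsServerClientSubnet -Name 'NetB' -IPv4Subnet $NetB

# 2. One recursion scope per network. Each forwards to its own gateway
#    (assumed to proxy DNS to OpenDNS), so the upstream query leaves
#    through the public IP that OpenDNS associates with that network.
Add-DnsServerRecursionScope -Name 'ScopeA' -EnableRecursion $true -Forwarder $GwA
Add-DnsServerRecursionScope -Name 'ScopeB' -EnableRecursion $true -Forwarder $GwB

# 3. Policies: a query arriving from subnet B recurses through ScopeB,
#    a query arriving from subnet A through ScopeA. Lower order wins first.
Add-DnsServerQueryResolutionPolicy -Name 'ForwardNetB' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'ScopeB' -ClientSubnet 'EQ,NetB' -ProcessingOrder 1
Add-DnsServerQueryResolutionPolicy -Name 'ForwardNetA' -Action ALLOW `
    -ApplyOnRecursion -RecursionScope 'ScopeA' -ClientSubnet 'EQ,NetA' -ProcessingOrder 2

# 4. Fail closed: anything that matches neither policy (for example the
#    server's own lookups) uses the default scope, which is pointed at the
#    filtered gateway so an unmatched client never gets unfiltered answers.
Set-DnsServerRecursionScope -Name '.' -Forwarder $GwB

# 5. Review what is in force before trusting it.
Get-DnsServerQueryResolutionPolicy | Format-Table Name, ProcessingOrder, IsEnabled
Get-DnsServerRecursionScope | Format-Table Name, Forwarder
```

To confirm the split, run Resolve-DnsName for a category blocked on the student network from a workstation in each subnet: network B should receive the OpenDNS block-page address and network A the real one.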

block page bypass

by GreyIT In reply to replies

Their block page bypass feature is apparently only in the deluxe (as add-on) and the enterprise packaging.
I am not able to clear $600/year for 120+ computers ($5/user/yr rate) for the deluxe package.
This is a school, **** will freeze over before I can do that, it's hard enough getting money for the network antivirus ("aren't there free AVs around, cause I have one at home" is the most common response there).
Let's not even mention the "bypass included" enterprise package, which starts at $2000/yr :-)


by oldbaritone In reply to block page bypass

So they "want it NOW" and don't want to spend any money?

Switch to OpenDNS right NOW for everyone. If it creates an uproar, tell them "I'll have the proxy up in a week (or two, or whatever) and then we will have tiered access. This is all that can be done NOW, unless you can approve $600 for Block Page Bypass."

From the sound of it, I'll bet they'll grumble and wait, for free. But maybe you'll get a pleasant surprise and they'll cough up a few bucks.

Good luck.


by GreyIT In reply to Hmmm....

Well, I can get them to spend the required $100-something for an ISA license (educational discount); the $130-something for the 2003 license will be pushing it, and those prices are not yearly, but one-time.

So as you suggested, I just started filtering both subnets at maximum. I reckon I can always patch a hosts file if something ultra-urgent comes up.

Money wise however, it's not our people that have the problem, it's that schools have to get approval for big expenditures from "above", and "above" doesn't care for anything but their bureaucracy.
Not in the budget in November = forget about it.
And even then they sliced my budget in half 2 days before it was due because they "forgot to tell us about the cuts"; so I fear no money will be forthcoming, as those with the cash will not be affected by the blocks :-)


by JPElectron In reply to block page bypass

DNS Redirector allows for password bypass (even integrate Active Directory login) to bypass the block

basic networking stuff...

by CG IT In reply to replies

I think if you sat down and thought about how packets are handled, then you would know why DNS queries that originate from one subnet and are sent to another subnet are not sent back to the originating subnet if they can't be answered by the DNS server.

Routers do 1 of 3 things: route packets to destinations they know [local network], send packets to the default gateway or a static route they know, or drop packets.

Routers don't return packets to their originating source. If a router doesn't know what to do with a packet, it drops it.

DNS queries that cannot be resolved by the local DNS server are forwarded to root hint servers. Those packets are sent to the next hop router because the server has that listed in its network card configuration. Because that router has a next hop router and DNS servers listed in its configuration [WAN link configuration], packets are forwarded to that. So on and so forth until the destination is reached.

One server

by oldbaritone In reply to basic networking stuff...

I thought they're all getting sent back, it's just that he wants a different DNS result based on which subnet the request originates from.

He said they have one DNS server listening on 2 IP subnets. I believe the issue is how to get different DNS results from the same DNS server, depending on subnet. DNS doesn't usually work that way. Name-to-IP, but not Name-to-'well, that depends on who you are'.
