Agreed, I don't see any way to create any other records in a Windows stub zone beyond those it's intended to hold.
Best bet is to use a more flexible DNS proxy (even dnsmasq will do) to selectively mangle *some* records for the zone without being authoritative. From there you have a variety of ways to "fix" the problem... either transparently forward all UDP 53 through the proxy via your L3 router, use conditional forwarders to the mangling proxy from the DCs just for those zones, etc., etc... --Steve On Fri, Feb 10, 2012 at 12:47 PM, Brian Desmond <br...@briandesmond.com>wrote: > *I don’t know if you can define non glue/NS/SOA records in a stub. * > > * * > > *Thanks,* > > *Brian Desmond* > > *br...@briandesmond.com* > > * * > > *w – 312.625.1438 | c – 312.731.3132* > > * * > > *From:* Andrew S. Baker [mailto:asbz...@gmail.com] > *Sent:* Friday, February 10, 2012 11:17 AM > > *To:* NT System Admin Issues > *Subject:* Re: DNS Partial zone CNAMEs?**** > > ** ** > > What about using a Stub zone?**** > > ** ** > > I agree that it is annoying, though. > **** > > *ASB***** > > *http://XeeMe.com/AndrewBaker***** > > *Harnessing the Advantages of Technology for the SMB market…***** > > > > **** > > On Fri, Feb 10, 2012 at 11:51 AM, Brian Desmond <br...@briandesmond.com> > wrote:**** > > *No it won’t forward unless you have all the records. I don’t see how > this is scalable. ***** > > * ***** > > *Thanks,***** > > *Brian Desmond***** > > *br...@briandesmond.com***** > > * ***** > > *w – 312.625.1438 | c – 312.731.3132***** > > * ***** > > *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org] > *Sent:* Friday, February 10, 2012 9:45 AM > *To:* NT System Admin Issues > *Subject:* DNS Partial zone CNAMEs?**** > > **** > > Long story made somewhat short: We enforce safe search on google images > with our filter. If a clever student hits https://www.google.com and > searches for Excalibur Films images the safe search enforcement fails and > they are going to get more than they should. And since I now know this, I > will go to jail and my wife will be sad.**** > > **** > > So I need to do the below from Google:**** > > **** > > To utilize this solution, your school’s network administrator would modify > your DNS (Domain Name System) configuration to make Google domains, e.g. > www.google.com to be an alias or CNAME (canonical name) of > nossl.google.com. When we see search requests arriving over the nossl end > point we will redirect these to a non-SSL search session. HTTP traffic and > other services will not be affected.**** > > **** > > I am a bit puzzled on how to do this. If I toss up a zone for google.comand > put up a > www.google.com CNAME nossl.google.com What happens when someone tries > to hit mail.google.com? My zone lookup will fail…will my DNS server then > hit my forwarders for mail.google.com **** > > ** > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
