I currently have a domain that I will call example.com that is linked to Cloudflare’s DNS from the registrar.
I am running my own DNS server that I want to be able to respond on behalf of the domain when Cloudflare’s records return nothing.
The records on this server will be related to a local Active Directory for the most part and need to be accessible to the local DNS server (running on Windows Server).
Thus I have created 2 records in Cloudflare’s DNS for this purpose:
- Type: A, Name: servername.example.com, Content: <ip of publicly available dns server as tested with dnschecker.org with a custom name server added>, Proxy status: DNS Only
- Type: NS, Name: example.com, Content: servername.example.com, Proxy status: DNS Only
I am not sure what I am doing wrong, and any help would be greatly appreciated.
Cloudflare acts as an authoritative nameserver. If there isn’t an answer, it’s not going to refer a resolver elsewhere for the same zone. You can create nameserver records for a subdomain if you wish to delegate the answer elsewhere for that zone.
Sounds like you are running split-brain DNS. You should ensure any records that need to be externally resolvable exist in Cloudflare’s DNS and, similarly, any records which need to be resolvable from your internal DNS that exist only in Cloudflare’s DNS should be copied to your internal DNS servers.
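A check that follows from the two points above, added here as an example and not taken from the thread: Cloudflare answers authoritatively and never falls back to another server, so an apex NS record pointing at a server the registrar does not delegate to achieves nothing, and both views of the zone must carry every record the clients on that side need. The snapshots, the placeholder nameserver names and the `parse_zone` / `zone_drift` helpers are all constructed for this example.

```python
from collections import defaultdict

# Constructed snapshots of the two views of example.com (not real data).
# ns1/ns2.placeholder.example stand in for the registrar-delegated nameservers;
# the apex NS pointing at servername is the record from the question.
EXTERNAL_ZONE = """\
example.com NS ns1.placeholder.example
example.com NS ns2.placeholder.example
example.com NS servername.example.com
example.com A 203.0.113.10
www.example.com A 203.0.113.10
servername.example.com A 203.0.113.53
"""
INTERNAL_ZONE = """\
example.com A 203.0.113.10
www.example.com A 10.0.0.20
dc1.example.com A 10.0.0.5
_ldap._tcp.example.com SRV 0 100 389 dc1.example.com
"""

def parse_zone(text):
    """Parse 'name type value' lines into {(name, type): set(values)}."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, rtype, value = line.split(None, 2)
        records[(name.lower(), rtype.upper())].add(value.lower())
    return records

def apex_ns_outside_delegation(records, apex, delegated):
    """Apex NS records naming servers the registrar does not delegate to.
    Cloudflare answers authoritatively, so such a record never causes a
    fallback; it only makes the NS set inconsistent with the registrar."""
    return sorted(records.get((apex, "NS"), set()) - {d.lower() for d in delegated})

def zone_drift(external, internal, apex):
    """Records internal clients would miss (they never reach Cloudflare for
    this zone) or would see with different values than external clients.
    The apex NS set legitimately differs between the views and is skipped."""
    missing_internal, conflicts = [], []
    for key, ext_values in sorted(external.items()):
        if key == (apex, "NS"):
            continue
        int_values = internal.get(key)
        if int_values is None:
            missing_internal.append(key)
        elif int_values != ext_values:
            conflicts.append((key, sorted(ext_values), sorted(int_values)))
    return missing_internal, conflicts
```

Feeding real exports from both servers into `parse_zone` (after converting to the `name type value` form) turns this into a drift report you can run whenever either zone changes.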
Effectively, yes, it will break Cloudflare, in that Cloudflare will see the nameservers are not correctly configured and mark them as moved. Additionally, if the servers have different information, visitors will get different answers depending on the DNS server they happen to hit.
If you are on an Enterprise plan you could use your existing DNS servers as a hidden primary and replicate records to Cloudflare if you have that feature in the contract.
There are a number of community forum topics on split-brain / split-horizon DNS configs. I uh, may have answered 90% of them at some point or another. I’d start with those to get a better picture of the challenges and options.
Internally your users are going to use your internal DNS server. In an ideal world you don’t overlap your AD DNS zone with your external domain name but… it happens and when it does uh… it can be fun to manage at best.
Do you think it would be better if I just enforced Remote Access so that users would be routed into my internal network, and therefore get the internal records?