External DNS on CF and internal on Windows DNS

Hi CF Team & Community,

I have a question regarding the use of DNS. I have all my domains on Cloudflare.
I have a .com Domain which has DNS entries on cloudflare and one subdomain that points to a specific IP.

Is there a way to have that DNS entry as well on my local DNS server (for my internal net) and how would I accomplish that? The IP will then be ofc an internal one.

Besides my internal domain, I tried to add the “external” domain as Forward Lookup Zone, and left it empty except for that one sub-domain. However, all external DNS queries to the other DNS entries on the .com domain failed and access to the external apps failed because of that.

I tried Google but I’m not quite sure how this is called, split-dns via policies I believe only works between two MS DNS Servers afaik.

Can you please guide me? Thanks!

Assuming you have a “normal” setup, the Forward Lookup Zones should include the DNS zones that you want your Windows DNS to be authoritative for. Everything else should be sent to the configured forwarders, or to the DNS root name servers.

When using a split-brain DNS and your public, Cloudflare hosted websites are in the same domain as your DNS server is authoritative for, the internal DNS can use a CNAME like this (replacing subdomain.example.com on both sides to suit your domain name):

subdomain.example.com IN CNAME subdomain.example.com.cdn.cloudflare.net

This will resolve correctly, and follow :orange: and :grey: for the subdomain. For the root (example.com), you need to configure A records that point to whatever IP addresses your root domain is currently using in Cloudflare, as you cannot have a CNAME at the root of the zone.

Thanks for the reply. Which I did not understand 100%, sorry.

Yes everything else currently uses forwarders (Windows DNS forwards to a Debian Box running PiHole and doing DoH to the Cloudflare 1.1.1.1 and 1.0.0.1 DNS).

Currently my setup is like this:

Internal DNS Domain (which is the AD domain as well): example.net
External DNS Domain (which hosts sites that are externally accessible): example.com

Currently only the example.net Domain is set up as a Forward Lookup Zone in Windows DNS.
The example.com Domain is only managed on Cloudflare.

Now my question is:

Assuming I have sub-01.example.com on CF pointing to 2.2.2.2 (which is an external IP address)
How can I set the same record up in Windows DNS so that it points to a local IP instead?

Do I really have to create the example.com forward lookup zone and manually add each DNS record from CF on there as well? My goal is to have the external DNS records managed on CF and only specific DNS records managed locally for that example.com domain.

Does this make things clearer?

Thanks.

Regards,

Alexander

Maybe.

This question is not really related to Cloudflare. You want to override certain DNS records for your internal DNS clients, and it could just as easily be www.google.com. You can create a Windows DNS forward lookup zone for sub-01.example.com, and create a new A record in that zone with no name, and give it the IP you want the internal users to use. Alternatively, on PiHole, add the entry to /etc/pihole/custom.list

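The single-host override described in the reply above, written out as an added PowerShell example (not from the thread or from Cloudflare). It assumes the DnsServer module on a domain controller running Windows DNS and uses the thread's placeholder name sub-01.example.com; the internal address 10.0.0.10 is a constructed value.

```powershell
# Added example: pin one public hostname to an internal IP on Windows DNS
# while every other example.com record keeps resolving through the forwarders
# (PiHole -> 1.1.1.1 / 1.0.0.1, i.e. Cloudflare stays authoritative for the rest).
# Assumes: DnsServer module, run as a DNS admin on an AD-integrated DNS server.

$Fqdn       = 'sub-01.example.com'   # hostname from the thread
$InternalIp = '10.0.0.10'            # constructed placeholder for the internal address

# 1. Create a zone whose name is the full hostname. Only this exact name (and any
#    names beneath it) is answered locally; the parent example.com is never
#    created here, so sibling records still leave via the forwarders.
#    Dynamic updates are disabled so clients cannot rewrite the override.
Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope 'Domain' -DynamicUpdate 'None'

# 2. The "no name" record from the reply is the zone apex, written as "@".
#    A short TTL keeps clients from caching a stale internal address.
Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $InternalIp -TimeToLive (New-TimeSpan -Minutes 5)

# 3. Check the result from the server itself: the override must return the
#    internal IP, and an unrelated name under example.com must still resolve
#    to whatever Cloudflare publishes.
Resolve-DnsName -Name $Fqdn -Type A -Server 'localhost' | Select-Object Name, IPAddress
Resolve-DnsName -Name 'www.example.com' -Type A -Server 'localhost' | Select-Object Name, IPAddress

# Caveat: because the zone covers the whole subtree, a name such as
# api.sub-01.example.com (if one exists in Cloudflare) would now return NXDOMAIN
# internally until you add it to this zone as well.
# The PiHole alternative from the reply is one hosts-style line in
# /etc/pihole/custom.list:  10.0.0.10 sub-01.example.com
```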
