Generally speaking, running a single DNS server isn't a good idea. Having a Domain Controller as the only DNS server is worse. Installing a second DNS server on the same physical host would have been pointless: if ESXi goes down I have no way of resolving names anyway.

My first idea was a ROS watchdog that would update the DHCP options with the router's own address as DNS, but that would require action on the client side, and I still would not be able to resolve internal names, since the static entries are not present in the router.
So I followed the plan of adding another host. I have a Raspberry Pi running, but it is on the wireless network out on the balcony and I wasn't sure about its stability. Then I realised that the Synology NAS, which runs 24/7, has an official DNS Server package available. Bingo!

The 3 DNS zones I had to transfer to the Synology server:

  • _msdcs.domain.com (forward zone, FZ)
  • domain.com (forward zone, FZ)
  • 0.0.10.in-addr.arpa (reverse zone, RZ)

I added all 3 as slave zones in the Synology DNS Server application, pointing them at the primary DNS (the Domain Controller).

Note: the reverse zone name must be entered manually in reverse order (0.0.10.in-addr.arpa), even if you choose Reverse Zone as the Domain Type. TSIG can be omitted, and the source IP limit (which addresses the service answers and accepts transfers from) is better set in the global settings than per zone.

Then, on the Windows DNS server, I added the NAS/DNS IP address as a dedicated zone transfer target ("Only to the following servers" on the Zone Transfers tab) and as a secondary name server (NS record) for each zone.

External test (a public name, resolved through the NAS):

nslookup pudelek.pl 10.0.0.10
Server: dns02.domain.com
Address: 10.0.0.10
Non-authoritative answer:
Name: pudelek.pl
Addresses: 193.17.41.169

Internal test (an AD name served from the transferred zone):

nslookup esx01-ilo 10.0.0.10
Server: dns02.domain.com
Address: 10.0.0.10
Name: esx01-ilo.domain.com
Address: 10.0.0.250

It works!

Things to remember:

  • the _msdcs zone MUST NOT allow nonsecure dynamic updates (keep it on "Secure only"),
  • the transferred zones on the secondary DNS server must be slave (secondary) zones,
  • "Enable BIND secondaries" must be turned on in the Windows Server DNS server properties (Advanced tab) for the transfer above to work,
  • it's a good idea to enable scavenging so stale dynamic records are cleaned up.
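Added example, not from the original post: the Windows DNS side of the steps above (restricting zone transfers to the NAS, adding the NS records, enabling BIND secondaries, secure-only updates, scavenging) together with a sync check, as a PowerShell script using the built-in DnsServer module on the Domain Controller. The zone names and the NAS address 10.0.0.10 / dns02.domain.com are taken from the post; the use of dnscmd for the BIND-secondaries switch, the apex naming with "@", and the Test-SecondaryInSync function are my own additions and assumptions.

```powershell
#Requires -Modules DnsServer
# Added example (not the post's own script). Run on the DC that holds the primary zones.
# Assumed values: secondary address/FQDN and zone names come from the post.
$Secondary     = '10.0.0.10'
$SecondaryFqdn = 'dns02.domain.com.'
$Zones         = '_msdcs.domain.com', 'domain.com', '0.0.10.in-addr.arpa'

foreach ($zone in $Zones) {
    # 1. Transfer only to the NAS (never "to any server", which would hand the whole
    #    AD zone, including every host and service record, to anyone who asks),
    #    and notify the NAS when the zone changes so it pulls a fresh copy.
    Set-DnsServerPrimaryZone -Name $zone `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $Secondary `
        -Notify NotifyServers -NotifyServers $Secondary

    # 2. Dynamic updates stay secure-only; this option only exists for AD-integrated
    #    zones, so skip standard primaries instead of failing on them.
    if ((Get-DnsServerZone -Name $zone).IsDsIntegrated) {
        Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure
    }

    # 3. Publish the NAS as an authoritative server: NS record at the zone apex ('@').
    $hasNs = Get-DnsServerResourceRecord -ZoneName $zone -RRType NS -Name '@' |
        Where-Object { $_.RecordData.NameServer -eq $SecondaryFqdn }
    if (-not $hasNs) {
        Add-DnsServerResourceRecord -NS -ZoneName $zone -Name '@' -NameServer $SecondaryFqdn
    }

    # 4. Aging must be on per zone before server-wide scavenging does anything.
    Set-DnsServerZoneAging -Name $zone -Aging $true
}

# 5. "Enable BIND secondaries" (Advanced tab in the GUI). dnscmd is the documented
#    command-line switch for this server setting.
dnscmd.exe localhost /Config /BindSecondaries 1

# 6. Scavenging: remove dynamic records that have not been refreshed. Static records
#    have no timestamp and are never scavenged. 7 days matches the default intervals.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 -ApplyOnAllZones

# Sync check (my addition): the SOA serial on the NAS must match the DC's. A lagging
# serial means the transfer is blocked (ACL, BIND secondaries, or NS/transfer lists).
function Test-SecondaryInSync {
    param(
        [Parameter(Mandatory)] [string] $Zone,
        [string] $Primary   = $env:COMPUTERNAME,
        [string] $Secondary = '10.0.0.10'
    )
    $p = Resolve-DnsName -Name $Zone -Type SOA -Server $Primary   -DnsOnly |
         Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    $s = Resolve-DnsName -Name $Zone -Type SOA -Server $Secondary -DnsOnly |
         Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    [pscustomobject]@{
        Zone            = $Zone
        PrimarySerial   = $p.SerialNumber
        SecondarySerial = $s.SerialNumber
        InSync          = ($p.SerialNumber -eq $s.SerialNumber)
    }
}

$Zones | ForEach-Object { Test-SecondaryInSync -Zone $_ } | Format-Table -AutoSize

# Same checks as the nslookup tests above, against the NAS directly.
Resolve-DnsName -Name 'esx01-ilo.domain.com' -Type A -Server $Secondary -DnsOnly
Resolve-DnsName -Name 'pudelek.pl' -Type A -Server $Secondary -DnsOnly
```

Run the sync check again after a change on the DC (or after a forced "Transfer from Master" on the Synology side): if the serial on 10.0.0.10 stays behind, the Windows event log for the DNS Server will usually show the refused transfer, and the first things to re-check are the transfer ACL, the BIND secondaries switch and that the zone is really configured as a slave on the NAS.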