Score:0

Can windows DNS server be configured to return a fully qualified DNS alias?


Problem

We have a 3rd party web app installed on a Windows server. There is an alias DNS record set up so that users can type the app name, i.e. "testapp", into a web browser and get the site. This works well in the Chrome browser but does not work as well with the Edge Chromium browser. Edge Chromium does not see the web app as a local server, so it does not trust it enough to send domain credentials. In Edge, users are forced to log in each time they use the web app, whilst in Chrome they are auto logged in. In Edge, if you use the fully qualified domain name (FQDN) for the alias, such as "testapp.exampledomain.com", the Edge browser sees this as a local network server, trusts it, sends the credentials and auto logs the users in. This behaviour was not seen in previous versions of Edge.

Desired outcome

Is there a way to configure windows DNS so that when users type in "testapp" it returns the value "testapp.exampledomain.com" for the user?

Other factors

  • We have tried editing the web app's web server (it is 3rd party and was using Apache Tomcat) to redirect queries to the FQDN address if they did not come from the FQDN address; however, this is not supported by the vendor and led to other issues where users had to reload the page after opening the website.
  • The Edge Chromium browser configuration is managed centrally using group policy and cannot be changed, as it will affect other apps.
  • Edge Chromium is the only browser supported by the organisation, with Chrome no longer being installed on new computers, so we can no longer recommend that users use Chrome.
  • The vendor supports Edge Chromium but says this issue is a problem with our network configuration and will not help any more.
Score:1

Is there a way to configure windows DNS so that when users type in "testapp" it returns the value "testapp.exampledomain.com" for the user?

No, as this is not a server-side setting.

Searching for a name in different DNS zones is a client-side "DNS suffix search" decision. Plain hostnames are never sent to the DNS, so DNS can't do anything about that. Imagine a host "first" and a DNS that has host "first" in its zones example.com and example2.com - which one should be returned? (The argument "there is just one zone" doesn't count on the internet these days.)

You will have to provide a DNS suffix search list on your clients (which your AD admins will hate you for) or -preferably- just use the FQDN like on any other website. This would make the use of TLS possible, enable the zone model correctly, and have no problems with duplicate hostnames ...
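The suffix-search behaviour described in this answer can be checked on a client with the following PowerShell, added here as an illustration and not part of the original answer; "testapp" and "exampledomain.com" are the placeholders from the question and the cmdlets are the standard DnsClient module ones.

```powershell
# Added example (not from the original post): show how a Windows client
# expands a short name such as "testapp" before any query reaches the
# DNS server, and which FQDN finally answers.
$shortName = 'testapp'            # placeholder name from the question
$domain    = 'exampledomain.com'  # placeholder domain from the question

# 1. Global suffix search list (set locally or pushed by group policy).
$global = Get-DnsClientGlobalSetting
"Global suffix search list: $($global.SuffixSearchList -join ', ')"

# 2. Connection-specific suffixes, tried when the global list is empty.
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } | ForEach-Object {
    "$($_.InterfaceAlias): $($_.ConnectionSpecificSuffix)"
}

# 3. Resolve the short name; the resolver appends each suffix in turn and
#    the Name field of the first record shows which FQDN actually matched.
$answer = Resolve-DnsName -Name $shortName -Type A -ErrorAction SilentlyContinue
if ($answer) {
    "$shortName resolved as $($answer[0].Name) -> $($answer[-1].IPAddress)"
} else {
    "$shortName did not resolve: no suffix in the search list produced a match"
}

# 4. Compare with the FQDN the answer recommends using directly.
Resolve-DnsName -Name "$shortName.$domain" -Type A |
    Select-Object Name, Type, NameHost, IPAddress

# 5. To add the domain to the global search list (run elevated; this is the
#    client-side change the answer refers to, normally deployed via GPO):
# Set-DnsClientGlobalSetting -SuffixSearchList (@($domain) + $global.SuffixSearchList)
```

If step 3 prints a different FQDN than step 4, another suffix earlier in the list owns a "testapp" record, which is exactly the ambiguity the answer describes.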

Score:0

I was thinking your problem might be internet zones and trusted sites when I found this article explaining the changes in browser behaviour - Security Zones in Edge.

Your machines are already resolving DNS correctly.

I agree the correct solution was the URL re-write, and would suggest some further pressure on your app vendor or, other than that re-educating your users to use the fully qualified address and / or pushing out updated bookmarks or links to assist them.
