In a lab, I'm testing split-horizon (aka split-brain) DNS policies. The policies set on a DC/DNS server do not replicate to other DC/DNS servers.
Is it possible to make them replicate?
The lab has subnets 192.168.72.0 and 192.168.73.0, and two DCs running DNS. The two DCs have IP addresses 192.168.72.100 and 192.168.73.100.
I created an A record in DNS for host1 at 10.0.0.2.
I followed this tutorial from Microsoft on the DC with IP 192.168.72.100. The specific commands are pasted below:
```powershell
Add-DnsServerZoneScope -ZoneName "deez.datz" -Name "Scope73"
Add-DnsServerResourceRecord -ZoneName "deez.datz" -A -Name "host1" -IPv4Address "10.0.0.100" -ZoneScope "Scope73"
Add-DnsServerQueryResolutionPolicy -Name "Policy73" -Action ALLOW -ClientSubnet "eq,TGH-North" -ZoneScope "Scope73,1" -ZoneName "deez.datz"
```
Nslookup from a system in the 192.168.73.0 subnet:
```text
nslookup host1 192.168.72.100
Name:    host1.deez.datz
Address: 10.0.0.100

nslookup host1 192.168.73.100
Name:    host1.deez.datz
Address: 10.0.0.2
```
The DNS Policy functions correctly on the first DC where the commands were run. The policy did not take effect on the second DC. The policy did not replicate.
I understand this is the default behavior for Microsoft DNS Policy.
Is it possible to force the DNS policy to replicate (and avoid running the commands on every single DC)?
From the documentation, it looks like this is not possible:
https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-sb-with-ad#high-availability-of-policies
The same applies to DNS zones which are not AD-integrated and use the standard primary/secondary model: https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/primary-secondary-geo-location.
In short: DNS policies are server-specific; you need to configure them on each DNS server in your environment.
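Since the policy has to be created on every DNS server by hand, the practical answer is to script it once and push it to each DC, then verify that every server actually carries the policy. The script below is an added example, not from the question, the answer, or Microsoft's documentation; it assumes the DCs accept WinRM (PowerShell remoting) with the DnsServer module installed, and that the "TGH-North" client subnet used in the question corresponds to 192.168.73.0/24, which the question never defines.

```powershell
# Added example: apply the same split-brain DNS policy to every DNS-hosting DC,
# then check each one. Assumptions (not from the post): WinRM reachable on each
# server, and "TGH-North" = 192.168.73.0/24.
$zone       = 'deez.datz'
$scopeName  = 'Scope73'
$policyName = 'Policy73'
$subnetName = 'TGH-North'
$subnetCidr = '192.168.73.0/24'                     # assumed mapping for TGH-North
$dnsServers = @('192.168.72.100', '192.168.73.100') # prefer DC hostnames so Kerberos auth works

$configure = {
    param($zone, $scopeName, $policyName, $subnetName, $subnetCidr)
    # Every step is guarded so re-running against a server that already has it is harmless.
    if (-not (Get-DnsServerClientSubnet -Name $subnetName -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -Name $subnetName -IPv4Subnet $subnetCidr
    }
    if (-not (Get-DnsServerZoneScope -ZoneName $zone -Name $scopeName -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ZoneName $zone -Name $scopeName
        # The scope-specific answer; the default scope keeps the AD-replicated 10.0.0.2 record.
        Add-DnsServerResourceRecord -ZoneName $zone -A -Name 'host1' -IPv4Address '10.0.0.100' -ZoneScope $scopeName
    }
    if (-not (Get-DnsServerQueryResolutionPolicy -ZoneName $zone -Name $policyName -ErrorAction SilentlyContinue)) {
        Add-DnsServerQueryResolutionPolicy -Name $policyName -Action ALLOW `
            -ClientSubnet "eq,$subnetName" -ZoneScope "$scopeName,1" -ZoneName $zone
    }
}

foreach ($server in $dnsServers) {
    Invoke-Command -ComputerName $server -ScriptBlock $configure `
        -ArgumentList $zone, $scopeName, $policyName, $subnetName, $subnetCidr
}

# Verification: a server with PolicyPresent = False still answers every client from
# the default scope, which is exactly the non-replicated state seen in the question.
foreach ($server in $dnsServers) {
    $p = Get-DnsServerQueryResolutionPolicy -ComputerName $server -ZoneName $zone `
            -Name $policyName -ErrorAction SilentlyContinue
    [pscustomobject]@{ Server = $server; PolicyPresent = [bool]$p; Enabled = $p.IsEnabled }
}
```

Run the verification loop again whenever a DC is added or rebuilt; because nothing replicates the policy, a new DNS server silently falls back to the default scope until the script is applied to it.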