Home / server / Questions

Questions[split-dns](server)

Martin Hope
Mario Jost
Asked: 2020-09-30 06:54:38 +0800 CST
  • 3

We have a split brain DNS scenario in our company where we have the same entries pointing towards different IPs.

Example1:
Internal DNS: email.company.net (A) 172.20.1.1
External DNS: email.company.net (A) 22.191.72.18

So email is just one of the few entries that we have to 'split'. We do have alot of other DNS entries in our public DNS zone, that need to remain the same in the internal zone as well. Lets have a look at another example:

Example2:
Internal DNS: video.company.net (A) -not present-
External DNS: video.company.net (A) 22.191.72.49

So when i want to access videoportal.company.net from inside the company, the DNS server reports that it has not found a DNS entry for that query. In order for it to work, i'd have to recreate all the external DNS entries on the internal DNS zone as well and maintain all those records over the time as well. This causes alot of duplicate work. What i'd like to do is following:

Create a zone with some entries in it and assign it a policy that says: "resolve what you can find in there, but forward anything you cannot find to your resolvers/root hints"

Is there something like this that can be done with policies? How is such a functionality even called?

I know that i can create a zone with email.company.net and a empty A record inside. This forwards any somethingelse.company.net record still externally. The reason i ask is much more complicated and i wanted to ask a question as short as possible. So just assume that this solution does not apply here right now. I would appreciate if you could concentrate on the question above.

Edit: So in the end, the internal DNS server should do something like this:

  • DNS server gets request from client for email.company.net
  • DNS server does a lookup in his internal zone company.net
  • DNS server gives back IP 172.20.1.1 to the client
  • DNS server gets request from client for video.company.net
  • DNS server does a lookup in his internal zone company.net
  • DNS server does not find an entry for video.company.net
  • DNS server then does a recursive lookup via his root hints
  • DNS server ultimately gets the answer and gives back IP 22.191.72.49 to the client
domain-name-system windows-server-2019 dns-zone split-dns
Martin Hope
Moduspwnens
Asked: 2011-10-27 20:14:19 +0800 CST
  • 3

We have split DNS set up for our domain, which causes internal clients to resolve different DNS records from external clients.

As it is right now, the two zones are managed completely separately. For records that differ between internal and external, it's no problem, but for everything else, all of the records have to be duplicated in both places. Most CNAME records, MX records, SPF records, and some A records all need to be entered and maintained in both places.

While this isn't inherently unacceptable, data duplication like this is less than ideal from a design perspective. I feel like ideally, the internal nameserver would simply forward results from the external nameserver, but allow for us to override or add additional records. While it looks like I could use a designated forwarder (like dnsmasq) to do something like this, the flat file configuration would make it difficult to sell the idea to the rest of the team.

Aside from that, the best solution I've been able to come up with consists of PowerDNS with a MySQL backend and web interface. This makes it fairly easy to add a zone and root A record for each sub-domain we'd like to override (e.g. www.example.com), which means other records on the root domain (e.g. example.com) will still be forwarded from the external nameserver.

That still seems like I'm straying kind of far from the norm for something that's supposedly very common, right? Is there a cleaner way to manage Split DNS without maintaining duplicate records? Or is there something I'm missing?

domain-name-system internal-dns split-dns
Martin Hope
Tom Newton
Asked: 2011-09-21 01:05:32 +0800 CST
  • 5

I have a network with two vlans, both of which refer to my AD server(s) for DNS. Some servers on this network are multi-homed. Lets say we have the two subnets A: 192.168.7.0/24 and B: 192.168.5.0/24. Then we have a server whose hostname is "carrot". Carrot has two IPs, 192.168.5.3 and 192.168.7.3. I want users on each subnet to be able to resolve "carrot.mydomain" to their "local" IP.

Is this possible with Windows DNS server? Do I need to go full "split brain"? Has anyone got any useful links to documentation on these setups, i'm a bit of an MS-DNS newb.

Edit: lets assume the host "carrot" has static DNS entries, and i'm happy to add them to my DNS server. It does not register itself in any way.

windows-server-2008 internal-dns active-directory split-dns
Martin Hope
Taco Scargo
Asked: 2010-07-06 01:58:21 +0800 CST
  • 8

I have a 2-server BIND 9 setup. Server A (the 'master' server) is properly setup with two views, one for local DNS clients (allowing recursive lookups for non-authorotive domains) and one view for the rest of the world, allowing only queries for local authorotive domains.

I want to configure the second server (let's name that Server B, or the 'slave' server) a similar way. Unfortunately this does not work properly. Once enabled, any notify from server A will correctly update/transfer the respective zone, but only the 'protected' view will serve the updated information. The 'external' view on server B still returns the 'old' information, until the server is restarted.

bind split-dns
Martin Hope
Barry Brown
Asked: 2010-01-07 13:09:04 +0800 CST
  • 3

I am setting up two DNS servers. One is on the firewall/router, the other is an internal server. I have lots of experience setting up DNS servers, so this problem is particularly perplexing.

Machine setup

Firewall external address: 207.62.233.2
Firewall internal address: 10.24.0.1

Secondary internal address: 10.24.0.21

Master named.conf (relevant portions only)

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
};

view "internal" {
    match-clients { 10.24.0.0/16; 127.0.0.1; };

    match-recursive-only yes;
    allow-recursion { clients; };
    allow-transfer { 10.24.0.21; };

    zone "ct.sierracollege.edu" {
        type master;
        file "data/db.ct.int";
    };

    include "/etc/named.rfc1912.zones";

    zone "." IN {
        type hint;
        file "named.ca";
    };
};

view "external" {
    recursion no;
    match-clients { any; };
    allow-transfer { any; }; // temporarily allowed for debugging purposes

    zone "ct.sierracollege.edu" {
            type master;
            file "data/db.ct.ext";
    };
};

What works

The split DNS on the firewall works great. If I query it from an internal machine, I get internal answers. Likewise, querying it from an external machine gives me external answers. Here's an internal query.

# dig @10.24.0.1 ct1.ct.sierracollege.edu

; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct1.ct.sierracollege.edu
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ct1.ct.sierracollege.edu.  IN  A

;; ANSWER SECTION:
ct1.ct.sierracollege.edu. 3600  IN  A   10.24.0.11

;; AUTHORITY SECTION:
ct.sierracollege.edu.   3600    IN  NS  cs.sierracollege.edu.
ct.sierracollege.edu.   3600    IN  NS  fw.ct.sierracollege.edu.

;; ADDITIONAL SECTION:
cs.sierracollege.edu.   3600    IN  A   10.24.0.21
fw.ct.sierracollege.edu. 3600   IN  A   10.24.0.1

;; Query time: 1 msec
;; SERVER: 10.24.0.1#53(10.24.0.1)
;; WHEN: Wed Jan  6 12:57:02 2010
;; MSG SIZE  rcvd: 124

What doesn't work

Zone transfers don't work correctly. Instead of transferring the internal zone, it transfers the external one. Here's an example, done from the very same internal machine as above:

# dig @10.24.0.1 ct.sierracollege.edu axfr

; <<>> DiG 9.5.1-P2 <<>> @10.24.0.1 ct.sierracollege.edu axfr
; (1 server found)
;; global options:  printcmd
ct.sierracollege.edu.   3600    IN  SOA ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
ct.sierracollege.edu.   3600    IN  NS  fw.ct.sierracollege.edu.
ct1.ct.sierracollege.edu. 3600  IN  A   207.62.233.11
ct2.ct.sierracollege.edu. 3600  IN  A   207.62.233.12
ct3.ct.sierracollege.edu. 3600  IN  A   207.62.233.13
fw.ct.sierracollege.edu. 3600   IN  A   207.62.233.2
ct.sierracollege.edu.   3600    IN  SOA ct.sierracollege.edu. root.ct.sierracollege.edu. 3 3600 1800 604800 3600
;; Query time: 2 msec
;; SERVER: 10.24.0.1#53(10.24.0.1)
;; WHEN: Wed Jan  6 13:01:37 2010
;; XFR size: 7 records (messages 1, bytes 208)

Entries from the /var/log/messages file show that the external view is being hit:

Jan  6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR started
Jan  6 13:01:37 fw named[17572]: client 10.24.0.21#42362: view external: transfer of 'ct.sierracollege.edu/IN': AXFR ended

Consequently, my slaves directory is being filled with external zone files, not the internal ones.

Any ideas?

domain-name-system bind split-dns