Implement Split-Brain DNS Policies in Active Directory

Posted on Matthew By Matthew No Comments on Implement Split-Brain DNS Policies in Active Directory
Implement Split-Brain DNS Policies in Active Directory
Implement Split-Brain DNS Policies in Active Directory

In this detailed guide, we will look at how to implement DNS split-brain policies in an Active Directory environment. Creating a split-brain DNS setup is crucial for managing different DNS responses based on whether the request is internal or external. This can help streamline network traffic, improve security, and ensure that internal and external users can resolve the correct IP addresses. If you want to set up a DNS server please see, How to Install and Configure a Standalone DNS Server.

Here are other related guides: How to Create Service Accounts, Organisation Units and Active Directory Security GroupsCreate New Users and Join Synology NAS to Active Directory, and Change Active Directory Domain name from dot local to dot com.

Introduction to Split-Brain DNS

Split-brain DNS, also known as split-horizon DNS, allows you to have two different sets of DNS records for the same domain. This is particularly useful when you have a domain that needs to be resolved differently depending on whether the query comes from inside or outside your network.

For instance, internal users might need to resolve mail.yourcompany.com to an internal IP address, while external users need it to resolve to a public IP address.

Please see how to Grant Non-Domain Admin Privileges to Manage Workstation, and Why you should not use Public DNS in Production: Change DNS Server in Windows.

Why Implement DNS Split-Brain Policies?

Implementing DNS split-brain policies is essential for several reasons:

Simplified Management: Using DNS policies, you can manage internal and external DNS records on the same DNS server, reducing administrative overhead.

Enhanced Security: By directing internal traffic to internal servers, you reduce the exposure of your internal network to the internet.

Optimized Network Traffic: Internal users get faster responses because queries do not need to go through the public internet.

Please see How to convert distribution group to security group, How to change Active Directory Group Scope, and a Review of MiniTool Partition Wizard – Disk Utility Tool.

Example: Split-Brain DNS in Active Directory

Consider techdirectarchive.com, which maintains a fictitious vacancy website at xxw.vacancy.techdirectarchive.cxx. The site has two versions:

  • Internal Version: Available at the local IP address 10.0.1.20.
  • External Version: Available at the public IP address 192.168.0.10.

Without DNS policies, you would need to host these two zones on separate DNS servers and manage them separately. However, with DNS policies, these zones can be hosted on the same DNS server.

How to Setup Split-Brain DNS

Step 1: Create DNS Zones

Add the Active Directory integrated zone (e.g., techdirectarchive.com) to the DNS server:

Add-DnsServerPrimaryZone -Name "techdirectarchive.com" -ReplicationScope "Domain" -PassThru
Create a dns zone
Create a dns zone

Step 2: Create Zone Scopes

Create a new zone scope for the external zone:

Add-DnsServerZoneScope -ZoneName "techdirectarchive.com" -Name "external"
Zone scope
Zone scope

Step 3: Add Records to the Zone Scopes

Add the record for the internal site: 

Add-DnsServerResourceRecord -ZoneName "techdirectarchive.com" -A -Name "www.vacancy" -IPv4Address "10.0.1.20"
Internal record to the zone scope
Internal record to the zone scope
Record for internal zone scope
Record for internal zone scope

Add the record for the external site:

Add-DnsServerResourceRecord -ZoneName "techdirectarchive.com" -A -Name "www.vacancy -IPv4Address "192.168.0.10" -ZoneScope "external"
External record to the zone scope
External record to the zone scope

Here is a guide on Domain Name System: How to create a DNS record, How to setup a Third-Party DNS Server on a Linux Server, and how to Setup a Domain Controller as Recommended by Microsoft.

Step 4: Create DNS Policies

Create a DNS policy for the external interface:

Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterface "eq,208.80.0.1" -ZoneScope "external,1" -ZoneName techdirectarchive.com
DNS policy for the external interface
DNS policy for the external interface

Please see how to fix “DNS Bad key 9017: The Cluster Name registration failed of one or more associated DNS names“, and how to setup a Third-Party DNS Server on a Linux Server.

Step 5: Verify Split-Brain DNS Configuration

From an internal client, use nslookup to query the internal domain names and ensure they resolve to internal IP addresses:

nslookup www.vacancy.techdirectarchive.cxx
Verify split-brain DNS configuration
Verify split-brain DNS configuration

From an external network, use nslookup to query the public domain names and ensure they resolve to public IP addresses:

nslookup www.vacancy.techdirectarchive.cxx

Conclusion

By carefully setting up internal and external DNS zones and leveraging DNS policies, you can ensure that your internal and external users always get the correct DNS responses.

This guide has provided you with the necessary steps and best practices to achieve a robust split-brain DNS setup.

I hope you found this article useful on how to “Implement Split-Brain DNS Policies in Active Directory.” Please feel free to leave a comment below.

5/5 - (1 vote)
Windows Server Tags:, , ,

Related Posts

More Related Articles

wds and dns l What happens when WDS and DNS are installed on the same Windows Server? DNS issues with WDS Windows Server
Windows Deployment Services How to migrate WDS and MDT to a new Windows Server Windows Server
remote desktop version and protocol Determine the Remote Desktop Client Version Windows
Keep personal files and apps Fix Keep personal files and apps option greyed out during Upgrade Windows Server
article 1280x720.192a2586 1 How to apply Windows Updates from WSUS to AWS Instances AWS/Azure/OpenShift
CAL Removal How to Remove and Manage RDS Licenses Web Server

Leave a Reply