Subscribe to Windows IT Pro
August 27, 2008 12:00 AM

Split-Brain DNS

This slick configuration resolves locations correctly from both inside and outside of your local network
Michael Dragone
Windows IT Pro
InstantDoc ID #99772
Rating: (2)

You can now test your split-brain configuration from your workstation. But before you do, make sure to flush your DNS cache by entering the following from a command prompt: ipconfig /flushdns Type www.mydomain.com into your browser, and your site should load. Neat, isn’t it?

You can add additional hosts to your newly created zone for any other resources, such as a mail server or a terminal server, that you want to access by the same name both internally and externally.

Divide to Conquer
You can modify the solution presented above by having your internal AD DNS servers answer queries only for AD resources and forwarding all other requests to another set of internal DNS servers. This other set would contain your private IP records for mydomain .com and recursively answer queries for all other domains. This type of segregation can help both with risk mitigation and administration delegation because the AD DNS servers would be separate from the DNS servers you use for split-brain resolution.

An alternative to split-brain DNS would be to use a third-party solution at the edge of your network that can rewrite the IP addresses returned in packets containing DNS data. For example, Cisco’s PIX and ASA appliances have a feature called DNS Doctoring that performs such rewrites. All of these methods are fairly easy to execute, but you should still try them in a test environment before making changes to your production environment. Happy querying!

Related Content:

ARTICLE TOOLS

Comments
Add A Comment
  • Aldo
    2 years ago
    Feb 08, 2010

    Excellent article. Just learned a while back and had a new project for it. Remembered the article and retreived on Windows IT web site. Very helpful. Also well written.

  • Anne
    4 years ago
    Sep 25, 2008

    Reader Jeff Krull contacted Michael Dragone with this question about his organization's split-brain DNS configuration: "Mike - Saw your article in Windows IT Pro. Don't know if you can answer this one regarding split-brain DNS config. We have a split-brain dns zone, which is the root of our AD forest. Since it's an ad-integrated zone, when performing an nslookup on the zone for mycompany.com, DNS returns a list of DNS Servers (which are the DCs). That's just great for AD and associated GPO processing, etc.

    When a user browses the domain internally using a browser, we can't resolve the company's web site (i.e. companyname.com times out) because the DCs don't run IIS to redirect the query, nor do we want our DCs running IIS. Externally, this is not a problem because the DCs aren't listed in the external zone. Any ideas on how to resolve this issue whereby internal users don't have to use www.mycompany.com internally to reach our web site?
    Thanks, Jeff
    Check out the "Reader Feedback" sidebar (click the link above the article) for the complete conversation between Jeff and Mike. And if you have feedback about this article, post a comment or email it to Mike Dragone (click his byline). Windows IT Pro authors like hearing from readers--and really do respond!

You must log on before posting a comment.

Are you a new visitor? Register Here

advertisement

advertisement

Dev Pro Left-Brain SharePoint Pro SQL Server Pro SuperSite for Windows Windows IT Pro

© 2012 Penton Media, Inc.

Home About Us Advertise Customer Service Privacy Statement Subscribe/Renew Terms Of Use

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.