Setting up split DNS using Windows DNS server

This posting is ~3 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Sometimes it’s necessary to have two DNS servers that are authoritative for the same DNS namespace. This is the case if you use the same namespace for your web site and your internal Active Directory domain, e.g. terlisten-consulting.de. Or that you have created the zone terlisten-consulting.de in your Windows DNS to point specific hosts to internal IP addresses. The DNS servers at your ISP would be authoritative, and the domain controllers of your Active Directory would also be authoritative for the same domain. The response to a query depends on which DNS server you ask. So what would happen if you try to resolve www.terlisten-consulting.de, and the internal DNS has no record for it?

In this case, the domain controller in my lab is authoritative for terlisten-consulting.de. But he doesn’t has a A record for www.terlisten-consulting.de. If I remove the zone from my domain controller, or if I use an external DNS server, I get a non-authoritative answer.

This, the same DNS namespace on different DNS server, is called “split DNS” (sometimes also called split-horizon DNS, split-view DNS or split-brain DNS).

Do it right

Split DNS is pretty handy, and sometimes it’s necessary. When it comes to Microsoft Exchange, it a common practice to use the same external DNS namespace for the internal and external URLs. This requires, that I create a zone for the externally used DNS namespace on my internal DNS (in most cases: Microsoft Windows Activice Directory domain controllers). The downside: I must create all DNS entries on my internal DNS, and I must point them to their external IP addresses, except the ones that should point to an internal IP.

FQDNInternal/ External IP address
www.terlisten-consulting.deexternal IP address
exchange.terlisten-consulting.deinternal IP address
shop.terlisten-consulting.deexternal IP address

Otherwise, users that use the domain controllers as DNS server, wouldn’t be able to resolve www or shop. This is challenging. But there’s a solution.

Create split DNS for single hosts

The Domain Name System is hierarchy organized. Because of this, I can tell my DNS server to be authoritative only for a sub-tree of a domain, e.g. exchange.terlisten-consulting.de. If I try to resolve www.terlisten-consulting.de, the DNS server would go down the hierarchy starting at the DNS root servers (or it would ask a forwarder). Instead of creating a zone for the whole namespace, create a zone for the host. Simply add

  • a new primary zone
  • don’t allow dynamic updates to the zone, and
  • create a new A or AAAA record for the host

Make sure

  • to leave the name field empty
  • don’t create a PTR record
  • point it to the internal IP of the host
single_host_zone

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

A simple nslookup will show if split DNS works as expected.

Works as expected. Make sure to clear the DNS server cache after you have added the zones.

Windows DNS Server Policies

Windows Server 2016 will introduce Windows DNS Server Policies. DNS Policies will allow you to control how a DNS Server handles answers to queries based on parameters like source IP address, IP address of the network interface that has received the query etc. In future, DNS Server Policies can be used to configure split DNS.

Setting up split DNS using Windows DNS server
5 (100%) 10 votes
Follow me

Patrick Terlisten

vcloudnine.de is the personal blog of Patrick Terlisten. Patrick has a strong focus on virtualization & cloud solutions, but also storage, networking, and IT infrastructure in general. He is a fan of Lean Management and agile methods, and practices continuous improvement whereever it is possible.

Feel free to follow him on Twitter and/ or leave a comment.
Patrick Terlisten
Follow me

2 thoughts on “Setting up split DNS using Windows DNS server

  1. Bola Oussu

    hi
    Thanks for this ttutorial
    I am very new and i am trying to understand to know the best way to do
    le t say i have a website http://www.website.com.
    by default webhoster’s always configure a a mail.website.com (CNAME) when you purchase which is the one that is always use on every client mail

    Now i decide to have an on-premise exchange server 2016.

    I have a AD installed and the FQDN is intra.website.com

    now how do i do split DNS in this case?

    Should i add a zone on windows dns server to have mail.website.com pointing to internal exchange’s server IP?

    After that is there any confifuration i need to do on my webhosting Cpanel ?

    Reply
    1. Patrick Terlisten Post author

      Hi. If your plan is to access your on-premise Exchange using mail.website.com, you should create a zone named mail.website.com in your internal DNS. This zone should point to your Exchange. At your webhosters control panel, create a A-Record for mail.website.com and use the IP address, which is used to access your Exchange (mostly an external IP on your firewall, which is used in a destination NAT rule for 443/tcp). In addition to this, you must make sure, that you Exchange is using mail.website.com for all internal and external URLs, and also the SSL certificate matches mail.website.com and autodiscover.website.com. Autodiscover is a second domain, that must point to your on-premis Exchange.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

I accept!