Setting up split DNS using Windows DNS server

This posting is ~7 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

Sometimes it’s necessary to have two DNS servers that are authoritative for the same DNS namespace. This is the case if you use the same namespace for your web site and your internal Active Directory domain, e.g. Or that you have created the zone in your Windows DNS to point specific hosts to internal IP addresses. The DNS servers at your ISP would be authoritative, and the domain controllers of your Active Directory would also be authoritative for the same domain. The response to a query depends on which DNS server you ask. So what would happen if you try to resolve, and the internal DNS has no record for it?

Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

*** adc1.lab.local can't find Non-existent domain

In this case, the domain controller in my lab is authoritative for But he doesn’t has a A record for If I remove the zone from my domain controller, or if I use an external DNS server, I get a non-authoritative answer.

Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

Non-authoritative answer:

This, the same DNS namespace on different DNS server, is called “split DNS” (sometimes also called split-horizon DNS, split-view DNS or split-brain DNS).

Do it right

Split DNS is pretty handy, and sometimes it’s necessary. When it comes to Microsoft Exchange, it a common practice to use the same external DNS namespace for the internal and external URLs. This requires, that I create a zone for the externally used DNS namespace on my internal DNS (in most cases: Microsoft Windows Activice Directory domain controllers). The downside: I must create all DNS entries on my internal DNS, and I must point them to their external IP addresses, except the ones that should point to an internal IP.

FQDNInternal/ External IP address
www.terlisten-consulting.deexternal IP address
exchange.terlisten-consulting.deinternal IP address
shop.terlisten-consulting.deexternal IP address

Otherwise, users that use the domain controllers as DNS server, wouldn’t be able to resolve www or shop. This is challenging. But there’s a solution.

Create split DNS for single hosts

The Domain Name System is hierarchy organized. Because of this, I can tell my DNS server to be authoritative only for a sub-tree of a domain, e.g. If I try to resolve, the DNS server would go down the hierarchy starting at the DNS root servers (or it would ask a forwarder). Instead of creating a zone for the whole namespace, create a zone for the host. Simply add

  • a new primary zone
  • don’t allow dynamic updates to the zone, and
  • create a new A or AAAA record for the host

Make sure

  • to leave the name field empty
  • don’t create a PTR record
  • point it to the internal IP of the host

Patrick Terlisten/ Creative Commons CC0

A simple nslookup will show if split DNS works as expected.

Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

Non-authoritative answer:

Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1


Works as expected. Make sure to clear the DNS server cache after you have added the zones.

Windows DNS Server Policies

Windows Server 2016 will introduce Windows DNS Server Policies. DNS Policies will allow you to control how a DNS Server handles answers to queries based on parameters like source IP address, IP address of the network interface that has received the query etc. In future, DNS Server Policies can be used to configure split DNS.

5/5 - (11 votes)
Patrick Terlisten
Follow me

8 thoughts on “Setting up split DNS using Windows DNS server

  1. Bola Oussu

    Thanks for this ttutorial
    I am very new and i am trying to understand to know the best way to do
    le t say i have a website
    by default webhoster’s always configure a a (CNAME) when you purchase which is the one that is always use on every client mail

    Now i decide to have an on-premise exchange server 2016.

    I have a AD installed and the FQDN is

    now how do i do split DNS in this case?

    Should i add a zone on windows dns server to have pointing to internal exchange’s server IP?

    After that is there any confifuration i need to do on my webhosting Cpanel ?

    1. Patrick Terlisten Post author

      Hi. If your plan is to access your on-premise Exchange using, you should create a zone named in your internal DNS. This zone should point to your Exchange. At your webhosters control panel, create a A-Record for and use the IP address, which is used to access your Exchange (mostly an external IP on your firewall, which is used in a destination NAT rule for 443/tcp). In addition to this, you must make sure, that you Exchange is using for all internal and external URLs, and also the SSL certificate matches and Autodiscover is a second domain, that must point to your on-premis Exchange.

  2. Pasindu Liyanage


    I am an undergraduate. I need to have a way to show the evidence for proper DNS operation by resolving internal & external hostname/ web site for one of my assignments. And I am using Windows server 2012.


  3. George

    It is not split DNS. Split DNS is when the SAME server is pointed for resolving the domain names for both external and internal clients, responding with different values depending on the origin of the DNS query or other criteria. This is feasible in bind but not in Windows DNS.

  4. superhl

    Say I have an AD domain and my website I have it working. Now I installed a Centos Linux server that has sendmail. However when I send an email from Centos, I type the following commands echo “testing” | sendmail Looking at the logs, I’m not seeing where it is routing to Email is failing….. Do I need to create a hostname record named mnesd2 and ip address which is the

    Mar 6 12:25:08 mnesd2 sendmail[20197]: starting daemon (8.14.4): SMTP+queueing@00:01:00
    Mar 6 12:25:08 mnesd2 sm-msp-queue[20207]: starting daemon (8.14.4): queueing@00:01:00
    Mar 6 12:25:33 mnesd2 sendmail[20260]: 026HPXhV020260: from=root, size=271, class=0, nrcpts=1,, relay=root@localhost
    Mar 6 12:25:35 mnesd2 sendmail[20262]: 026HPXL5020262:>… User unknown
    Mar 6 12:25:35 mnesd2 sendmail[20260]: 026HPXhV020260:, ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30271, relay=[] [], dsn=5.1.1, stat=User unknown
    Mar 6 12:25:35 mnesd2 sendmail[20262]: 026HPXL5020262:>, size=271, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost []
    Mar 6 12:25:35 mnesd2 sendmail[20260]: 026HPXhV020260: 026HPXhW020260: DSN: User unknown
    Mar 6 12:25:35 mnesd2 sendmail[20262]: 026HPXL7020262: from=->, size=2167, class=0, nrcpts=1,>, proto=ESMTP, daemon=MTA, relay=localhost []
    Mar 6 12:25:35 mnesd2 sendmail[20260]: 026HPXhW020260: to=root, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31295, relay=[] [], dsn=2.0.0, stat=Sent (026HPXL7020262 Message accepted for delivery)
    Mar 6 12:25:36 mnesd2 sendmail[20271]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
    Mar 6 12:25:37 mnesd2 sendmail[20271]: 026HPXL7020262:>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=122167, [], dsn=2.0.0, stat=Sent (Queued!)

Comments are closed.