Sometimes it is necessary to have two DNS servers that are authoritative for the same DNS namespace. This is the case if you use the same namespace for your website and for your internal Active Directory domain, e.g. terlisten-consulting.de, or if you have created the zone terlisten-consulting.de on your Windows DNS servers to point specific hosts to internal IP addresses. The DNS servers at your ISP are authoritative for the domain, and the domain controllers of your Active Directory are also authoritative for the same domain. The response to a query depends on which DNS server you ask. So what happens if you try to resolve www.terlisten-consulting.de, and the internal DNS has no record for it?
C:\Users\Administrator.LAB>nslookup www.terlisten-consulting.de
Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

*** adc1.lab.local can't find www.terlisten-consulting.de: Non-existent domain
In this case, the domain controller in my lab is authoritative for terlisten-consulting.de, but it doesn't have an A record for www.terlisten-consulting.de. Because it is authoritative for the zone, it answers with NXDOMAIN (“Non-existent domain”) instead of asking any other server. If I remove the zone from my domain controller, or if I use an external DNS server, I get a non-authoritative answer.
C:\Users\Administrator.LAB>nslookup www.terlisten-consulting.de
Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

Non-authoritative answer:
Name:    waws-prod-am2-015.cloudapp.net
Address:  23.100.1.29
Aliases:  www.terlisten-consulting.de
          azr-terlistenconsulting.azurewebsites.net
          waws-prod-am2-015.vip.azurewebsites.windows.net
Having the same DNS namespace on different DNS servers, with different content on each, is called “split DNS” (sometimes also called split-horizon DNS, split-view DNS or split-brain DNS).
Do it right
Split DNS is pretty handy, and sometimes it is necessary. When it comes to Microsoft Exchange, it is common practice to use the same external DNS namespace for the internal and external URLs. This requires that I create a zone for the externally used DNS namespace on my internal DNS (in most cases: the Microsoft Windows Active Directory domain controllers). The downside: I must create all DNS entries on my internal DNS and point them to their external IP addresses, except the ones that should point to an internal IP.
FQDN | Internal or external IP address
--- | ---
www.terlisten-consulting.de | external IP address
exchange.terlisten-consulting.de | internal IP address
shop.terlisten-consulting.de | external IP address
Otherwise, users that use the domain controllers as their DNS server would not be able to resolve www or shop. Keeping the internal copy of the zone in sync with the public one is challenging. But there is a solution.
Create split DNS for single hosts
The Domain Name System is organized hierarchically. Because of this, I can tell my DNS server to be authoritative only for a sub-tree of the domain, e.g. exchange.terlisten-consulting.de. If a client then tries to resolve www.terlisten-consulting.de, the DNS server is not authoritative for that name and walks the hierarchy starting at the DNS root servers (or it asks a forwarder). So instead of creating a zone for the whole namespace, create a zone for the host. Simply add
- a new primary zone, named after the host (e.g. exchange.terlisten-consulting.de),
- don't allow dynamic updates to the zone, and
- create a new A or AAAA record in that zone for the host.
Make sure
- to leave the name field empty (the record then sits at the zone apex, which is the host name itself),
- not to create a PTR record, and
- to point it to the internal IP of the host.
A simple nslookup shows whether split DNS works as expected.
C:\Users\Administrator.LAB>nslookup www.terlisten-consulting.de
Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

Non-authoritative answer:
Name:    waws-prod-am2-015.cloudapp.net
Address:  23.100.1.29
Aliases:  www.terlisten-consulting.de
          azr-terlistenconsulting.azurewebsites.net
          waws-prod-am2-015.vip.azurewebsites.windows.net

C:\Users\Administrator.LAB>nslookup exchange.terlisten-consulting.de
Server:  adc1.lab.local
Address:  fdda:28ad:487:3::1

Name:    exchange.terlisten-consulting.de
Address:  192.168.200.84
Works as expected. Note that the second answer has no “Non-authoritative answer” line: the domain controller answered from its own zone. Make sure to clear the DNS server cache after you have added the zones, and flush the resolver cache on clients that already received a negative answer (ipconfig /flushdns); otherwise cached NXDOMAIN responses keep being returned until they expire.
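The whole procedure (zone, apex record, cache flush and check) as one PowerShell script using the DnsServer module that ships with Windows Server 2012 and later. This is an added example, not code from the original post. It assumes the DNS server is an AD-integrated domain controller, that the host is exchange.terlisten-consulting.de with the internal address 192.168.200.84, and (optionally) an assumed IPv6 address; adjust names and addresses to your environment.

```powershell
# Added example (not from the original post): single-host split DNS on a
# Windows DNS server. Assumed values: host FQDN, internal IPv4/IPv6 address.
$HostFqdn   = 'exchange.terlisten-consulting.de'
$InternalV4 = '192.168.200.84'
$InternalV6 = $null   # e.g. 'fdda:28ad:487:3::84' (assumed) if the host has IPv6

# 1. Primary zone whose name IS the host name, AD-integrated, dynamic
#    updates off. The server becomes authoritative for this one sub-tree
#    only; www.terlisten-consulting.de is still resolved via forwarders or
#    root hints. (On a stand-alone DNS server use -ZoneFile "$HostFqdn.dns"
#    instead of -ReplicationScope.)
if (-not (Get-DnsServerZone -Name $HostFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $HostFqdn `
                             -ReplicationScope 'Domain' `
                             -DynamicUpdate 'None'
}

# 2. A (and optionally AAAA) record at the zone apex. Name '@' is the
#    "(same as parent folder)" record, i.e. the empty name field in the GUI.
#    -CreatePtr is deliberately omitted, so no PTR record is written.
Add-DnsServerResourceRecordA -ZoneName $HostFqdn -Name '@' `
                             -IPv4Address $InternalV4 `
                             -TimeToLive (New-TimeSpan -Minutes 5)
if ($InternalV6) {
    Add-DnsServerResourceRecordAAAA -ZoneName $HostFqdn -Name '@' `
                                    -IPv6Address $InternalV6
}

# 3. Drop cached answers on the server: a negative answer cached before the
#    zone existed would otherwise be served until its TTL expires.
#    (Clients need 'ipconfig /flushdns' for the same reason.)
Clear-DnsServerCache -Force

# 4. Check: the host must now return the internal address, while a name
#    outside the sub-tree still returns the public answer.
Resolve-DnsName -Name $HostFqdn -Type A -Server localhost -DnsOnly |
    Select-Object Name, Type, IPAddress
Resolve-DnsName -Name 'www.terlisten-consulting.de' -Type A -Server localhost -DnsOnly |
    Select-Object Name, Type, IPAddress
```

With -ReplicationScope 'Domain' the per-host zone replicates to every domain controller in the domain, so the override is consistent on all internal DNS servers. The short TTL on the apex record keeps the impact small if the internal address ever has to change.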
Windows DNS Server Policies
Windows Server 2016 will introduce Windows DNS Server Policies. DNS policies allow you to control how a DNS server answers a query based on criteria like the source IP address of the client, the IP address of the network interface that received the query, or the queried name. In future, DNS Server Policies can be used to configure split DNS without creating a separate zone per host.
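How the same single-host override looks with DNS policies on Windows Server 2016, as an added example that is not part of the original post. It assumes the server already hosts the complete public zone terlisten-consulting.de, that internal clients sit in 192.168.200.0/24, that the internal Exchange address is 192.168.200.84, and it uses 203.0.113.10 as a stand-in for the public address; the subnet, scope and policy names are made up for the example.

```powershell
# Added example (not from the original post): single-host split DNS with
# Windows Server 2016 DNS policies. Assumed values: zone, subnet, addresses.
$Zone        = 'terlisten-consulting.de'
$HostLabel   = 'exchange'
$InternalNet = '192.168.200.0/24'
$PublicIp    = '203.0.113.10'      # assumed public address of the host
$InternalIp  = '192.168.200.84'

# 1. Name the client population the policy applies to.
Add-DnsServerClientSubnet -Name 'InternalClients' -IPv4Subnet $InternalNet

# 2. A zone scope is an alternative record set inside the same zone.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'InternalScope'

# 3. Public record in the default scope, internal record in the new scope.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $HostLabel `
                            -IPv4Address $PublicIp
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name $HostLabel `
                            -IPv4Address $InternalIp -ZoneScope 'InternalScope'

# 4. Policy: only queries for this FQDN coming from the internal subnet are
#    answered from InternalScope (criteria are ANDed by default). Every other
#    query falls through to the default scope, so www and shop keep their
#    public records without being duplicated into the internal scope.
Add-DnsServerQueryResolutionPolicy -Name 'ExchangeSplitBrain' `
                                   -Action ALLOW `
                                   -ClientSubnet 'eq,InternalClients' `
                                   -Fqdn "eq,$HostLabel.$Zone" `
                                   -ZoneScope 'InternalScope,1' `
                                   -ZoneName $Zone

# 5. Check: list the policy, then query the server. The answer depends on the
#    source address of the query, so run the lookup once from a client in
#    192.168.200.0/24 (expect 192.168.200.84) and once from outside it
#    (expect 203.0.113.10). $DnsServer is the server's internal address.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
$DnsServer = '192.168.200.1'       # assumed
Resolve-DnsName -Name "$HostLabel.$Zone" -Type A -Server $DnsServer -DnsOnly |
    Select-Object Name, IPAddress
```

Unlike the per-host zone above, this approach requires the full public zone on the internal server, i.e. the situation described under “Do it right”; the Fqdn criterion only avoids copying the public records into the internal scope. Its advantage is that the override can depend on who is asking, not only on what is asked.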
Hi,
Thanks for this tutorial.
I am very new and I am trying to understand the best way to do this.
Let's say I have a website http://www.website.com.
By default webhosters always configure a mail.website.com (CNAME) when you purchase, which is the one that is always used on every mail client.
Now I decide to have an on-premise Exchange Server 2016.
I have AD installed and the FQDN is intra.website.com.
Now how do I do split DNS in this case?
Should I add a zone on the Windows DNS server to have mail.website.com pointing to the internal Exchange server's IP?
After that, is there any configuration I need to do on my webhosting cPanel?
Hi. If your plan is to access your on-premise Exchange using mail.website.com, you should create a zone named mail.website.com in your internal DNS. This zone should point to your Exchange. At your webhoster's control panel, create an A record for mail.website.com and use the IP address which is used to access your Exchange (mostly an external IP on your firewall, which is used in a destination NAT rule for 443/tcp). In addition to this, you must make sure that your Exchange is using mail.website.com for all internal and external URLs, and also that the SSL certificate matches mail.website.com and autodiscover.website.com. Autodiscover is a second domain that must point to your on-premise Exchange.
Hi,
I am an undergraduate. I need to have a way to show evidence of proper DNS operation by resolving an internal and an external hostname/website for one of my assignments. And I am using Windows Server 2012.
Thanks.
Try nslookup.
It is not split DNS. Split DNS is when the SAME server is used for resolving the domain names for both external and internal clients, responding with different values depending on the origin of the DNS query or other criteria. This is feasible in BIND but not in Windows DNS.
Thank you for the tutorial, I lost a day trying this. Works well for me.
Say I have an AD domain esd.net and my website http://www.esd.net. I have it working. Now I installed a CentOS Linux server that has sendmail. However, when I send an email from CentOS, I type the following command: echo “testing” | sendmail test@esd.net. Looking at the logs, I'm not seeing where it is routing to smtp.gmail.com. Email is failing… Do I need to create a hostname record named mnesd2 with IP address 142.250.31.108, which is smtp.gmail.com?
Mar 6 12:25:08 mnesd2 sendmail[20197]: starting daemon (8.14.4): SMTP+queueing@00:01:00
Mar 6 12:25:08 mnesd2 sm-msp-queue[20207]: starting daemon (8.14.4): queueing@00:01:00
Mar 6 12:25:33 mnesd2 sendmail[20260]: 026HPXhV020260: from=root, size=271, class=0, nrcpts=1, msgid=<1267964728.215.test@esd.net>, relay=root@localhost
Mar 6 12:25:35 mnesd2 sendmail[20262]: 026HPXL5020262: <test@esd.net>... User unknown
Mar 6 12:25:35 mnesd2 sendmail[20260]: 026HPXhV020260: to=test@esd.net, ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:02, mailer=relay, pri=30271, relay=[127.0.0.1] [127.0.0.1], dsn=5.1.1, stat=User unknown
Mar 6 12:25:35 mnesd2 sendmail[20262]: 026HPXL5020262: from=<root@mnesd2.esd.net>, size=271, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 6 12:25:35 mnesd2 sendmail[20260]: 026HPXhV020260: 026HPXhW020260: DSN: User unknown
Mar 6 12:25:35 mnesd2 sendmail[20262]: 026HPXL7020262: from=<>, size=2167, class=0, nrcpts=1, msgid=<202003061725.026HPXhW020260@mnesd2.esd.net>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 6 12:25:35 mnesd2 sendmail[20260]: 026HPXhW020260: to=root, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=31295, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (026HPXL7020262 Message accepted for delivery)
Mar 6 12:25:36 mnesd2 sendmail[20271]: STARTTLS=client, relay=mx247.in-mx.com., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Mar 6 12:25:37 mnesd2 sendmail[20271]: 026HPXL7020262: to=<root@mnesd2.esd.net>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=122167, relay=mx247.in-mx.com. [192.110.255.241], dsn=2.0.0, stat=Sent (Queued!)
If the FQDN of your AD forest is esd.net, you need an MX record pointing to GMail on your Windows DNS.