
DNS in Split Brain Mode

Some questions regarding Split Brain DNS structure and DNS Forwarder:
1. DNS server located in LAN, DNS request will be sent to Root Hints and the resolved name cached. In some cases the name cannot be resolved by Root DNS, then the request will go through the Forwarder in order to resolve the names. Is this because of Internet traffic issues? And does the Forwarder function as a shortcut?

2. Split Brain DNS structure consists of 1 Local DNS server and 1 External DNS Server; the local DNS server will query the external DNS server for name resolution. Does it mean the external DNS server becomes the ROOT DNS server of the Local DNS server? Does it mean the External DNS server is functioning as a Caching Server only? Does the External DNS server need to have a Forwarder configured?

3. A little bit confused from the point of view of the security concern that stated the External DNS server is exposed to the public/internet area as a gateway, so the public can't query the LAN DNS structure. But as my understanding, many corporations put their DNS server behind the firewall with certain security settings to refuse/block public queries to the LAN DNS server. So, what is the real reason for implementing Split DNS?

Please Advise.

1 Solution
It isn't really clear what you are asking.
The reason that split DNS is used is so that resources that are on the internet resolve to the correct system internally, where they have an internal IP address.

For example.
If you have a web site on www.domain.com then this will resolve outside your network to a public IP address of In most cases this isn't the IP address of the server that www is on. Instead you are forwarding traffic for http through your firewall to an internal IP address of
Clients internally, while they can resolve www.domain.com to , will not be able to connect to it because the firewall will not let them.
Therefore you need to resolve www.domain.com to
The most frequent use for this feature is when you have implemented an mail service such as Exchange and you want users to use the same name whether inside or outside of the network.

Creating a zone for domain.com will stop your DNS servers from going out to the Internet for further DNS information, so if your web site (for example) then you would need to enter the external information into the DNS configuration as well.
Any clients looking up your domain name externally will use the external DNS servers that are listed for the domain. Internal users will use the internal DNS servers - the same servers used for AD.

You don't expose your internal DNS service to the internet as this will expose information that shouldn't be public, and that is why you use split dns service.

Chris Dent (PowerShell Developer) commented:

The questions above tend to overlap, so I hope this lot provides you with enough answers:

-= Forwarders and Root Hints =-

All Public records can be resolved via Root Hints; as such, Forwarders are not a requirement for DNS to function, but they may be needed if the situation requires it.

For instance, Forwarders are most useful when you need to access more Private records than are held on your local DNS. But they can also be used to Query other Nameservers for Public Records if required.

For one DNS Server to request information by a Forwarder the target DNS must support recursive queries.

For example:

The Private DNS ns1.domain.com is the Start of Authority for domain.com, but knows nothing about another private Domain domain2.com.

It Forwards requests for Addresses and Names on domain2.com to ns1.domain2.com (the Start of Authority for Domain2.com).

-= Root Servers and External Servers =-

A Root Server, or Top Level Domain Server refers to one of a group of Name Servers responsible for the highest level of each domain - So there is a Root Server for .com, a Root Server for .org, etc etc.

A normal External DNS is not a Root Server, it is just another link in the chain, or a member of the Hierarchy however you prefer to view it. Normally a Public DNS Server is the Start of Authority for a Domain, that means it can answer every query about the Domain it hosts.

For example:

External DNS ns1.domain.com knows about every Host or Record on the Domain domain.com.

-= Caching =-

Caching is used by almost every DNS; there are very few exceptions to this, although the Root Servers tend not to Cache Records (they just say who to ask next).

Caching uses the Time to Live (TTL) set on the Start of Authority for the particular domain to determine how long it should hold onto a record before requesting it again from the original source or via a Forwarder. The default TTL is 2 Days, which means any Record can stay cached on a Name Server for 2 Days before it is checked again.

For example:

www.domain.com has a TTL of 3 hours set on ns1.domain.com.

All DNS servers that ask for the address for www.domain.com will hold onto it for 3 hours; then, if it is requested by a client again, they will in turn request it from the source again.

-= Split Brain DNS =-

Split Brain refers to two (or more) DNS being Start of Authority for the same Domain Name.

The most obvious use of this is in the Windows Domain Model, where you might use the same Internal Domain Name as you would for the External.

For Example:

Internal / Private Domain Name: windowsdomain.com

All addresses on the Internal windowsdomain.com are Private Network Addresses (,,, or These addresses are no good to Public users so are held by a Private DNS.

The Domain also Hosts a Public Web Server on a Public IP using NAT to a Private IP. Internal Hosts may not be able to Route to the Public IP Address of the Server - so an Internal version is used.

For example:

Public Record: www.windowsdomain.com IN A
Private Record: www.windowsdomain.com IN A

(Please note I just made those up, so don't try using them)

External / Public Domain Name: windowsdomain.com

All addresses on the External windowsdomain.com are Public Addresses.

Using these addresses on a Private Nameserver may cause problems (un-routable addresses, perhaps caused by NAT restrictions).

It is recommended that any Public Server (DNS, Web, Mail, etc etc) is installed in a DMZ rather than on your Private Network.
Chris Dent (PowerShell Developer) commented:

Oh yeah, I should have added...

Split Brain DNS is not a recommended configuration; it's high maintenance and messy.

Instead, use of non-public domain suffixes should be considered.

For example:

Public Domain Name: mydomain.com
Private Domain Name: mydomain.local

Or ".here", or ".internal", or really anything as long as it isn't public.

joehuang (Author) commented:

Let's say for Split Brain DNS,
Public Record: www.mydomain.com IN A
Private Record: www.mydomain.com IN A

If internal DNS is the SOA for the private domain (www.mydomain.com) and the external ISP's name server is the SOA for the public domain (www.mydomain.com), can we say this is the type of Split Brain DNS? As my understanding, most small companies are running with this setting with

Please advise.

Chris Dent (PowerShell Developer) commented:

Yes, that is exactly Split Brain. You have two separate DNS Servers both thinking they know absolutely everything about the same domain (Start of Authority).

A lot of companies do set up their DNS Servers like that; it's not really a big problem for small networks. In those situations it's quite unlikely there are a large number of records in the Public DNS that would need manually adding to the Private DNS (public web site addresses and the like).

Still, it is something that's better avoided at the design stage if at all possible rather than trying to correct it later.
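The accepted solution notes that the internal zone must carry copies of the external records, and the comment above points out that such records need manual adding and are where split-brain setups drift. Here is an added example (not from the thread or any of its participants) that parses two constructed, minimal zone files for the same name and reports which public records the private zone is missing and which it deliberately overrides; the zone contents and addresses are constructed for illustration.

```python
"""Report records a split-brain private zone is missing or overriding,
relative to the public zone for the same name. Sample zones below are
constructed for this example; addresses are documentation/private ranges."""
import re
from collections import defaultdict

PUBLIC_ZONE = """\
$ORIGIN windowsdomain.com.
@     3600  IN NS ns1.windowsdomain.com.
@     3600  IN MX 10 mail.windowsdomain.com.
www   10800 IN A  203.0.113.10
mail  3600  IN A  203.0.113.25
"""
PRIVATE_ZONE = """\
$ORIGIN windowsdomain.com.
@     3600  IN NS dc1.windowsdomain.com.
www   10800 IN A  10.0.0.10
dc1   3600  IN A  10.0.0.5
"""
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")  # owner TTL IN TYPE RDATA

def parse_zone(text):
    """Return {(fqdn, type): set(rdata)}. SOA/NS are skipped: the two
    authorities are expected to differ on those records."""
    origin, records = "", defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR.match(line)
        if not m:
            raise ValueError("unparsed line: " + line)
        owner, _ttl, rtype, rdata = m.groups()
        if rtype in ("SOA", "NS"):
            continue
        fqdn = origin if owner == "@" else owner + "." + origin
        records[(fqdn, rtype)].add(rdata.strip())
    return dict(records)

def split_brain_gaps(public_text, private_text):
    """missing: public names internal clients cannot resolve at all;
    overridden: names both zones answer, with different data (the intended case)."""
    pub, priv = parse_zone(public_text), parse_zone(private_text)
    missing = sorted(k for k in pub if k not in priv)
    overridden = sorted(k for k in pub if k in priv and pub[k] != priv[k])
    return missing, overridden
```

Running `split_brain_gaps(PUBLIC_ZONE, PRIVATE_ZONE)` on the sample data flags the MX record and the mail host as missing internally, and www as the expected internal override.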
joehuang (Author) commented:
In some cases it is suggested to separate the DNS service and Caching service into 2 servers, 1 DNS server and 1 Caching Server. Any reason for this? I assume this DNS server will forward the request to the Caching server and the Root Hints will be disabled in this DNS server.
Chris Dent (PowerShell Developer) commented:

That's a little confusing.

In the Split Brain Model both (or all) servers are Start of Authority - they know everything about the zone (domain.com). As such there is no need to forward any query about that domain to another server. Remember that records held on the Server itself are not cached, but in a local Zone File.

Still, disabling the Cache on a DNS would only have a negative effect. Every query would have to come from the Start of Authority for the domain in question, effectively slowing down the response time. Remove the caching on a larger scale and DNS becomes a traffic generating monster, with the millions (or maybe billions) of requests for page addresses in addition to the normal site traffic.

Then Root Hints: that file just contains the IP addresses for the Root Servers; it lets your DNS know where to pick things up from. Without Root Hints or Forwarders you are, in effect, making your DNS a Root Server. It will think it knows everything about everything and only queries in its own Zone Files will be answered.
