Solved
DNS in Split Brain Mode

Posted on 2004-10-15
821 Views
Last Modified: 2012-08-14
Some questions regarding Split Brain DNS structure and DNS Forwarders:

1. The DNS server is located in the LAN; a DNS request will be sent to the Root Hints and the resolved name is cached. In some cases the name cannot be resolved by the Root DNS, then the request will go through the Forwarder in order to resolve the names. Is this because of Internet traffic issues? And does the Forwarder function as a shortcut?

2. A Split Brain DNS structure consists of 1 Local DNS server and 1 External DNS Server; the local DNS server will query the external DNS server for name resolution. Does it mean the external DNS server becomes the ROOT DNS server of the Local DNS server? Does it mean the External DNS server is functioning as a Caching Server only? Does the External DNS server need to have a Forwarder configured?

3. I am a little bit confused from the security-concern point of view that states the External DNS server is exposed to the public/internet area as a gateway, so the public can't query the LAN DNS structure. But as my understanding, many corps put their DNS server behind the firewall with certain security settings to refuse/block public queries to the LAN DNS server. So, what is the real reason for implementing Split DNS?

Please advise.

Question by:joehuang
7 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12324861
It isn't really clear what you are asking.
The reason that split DNS is used is so that resources that are on the internet resolve to the correct system internally, where they have an internal IP address.

For example.
If you have a web site on www.domain.com then this will resolve outside your network to a public IP address of 123.123.123.123. In most cases this isn't the IP address of the server that www is on. Instead you are forwarding traffic for http through your firewall to an internal IP address of 192.168.1.1.
Clients internally, while they can resolve www.domain.com to 123.123.123.123, will not be able to connect to it because the firewall will not let them.
Therefore you need to resolve www.domain.com to 192.168.1.1.
The most frequent use for this feature is when you have implemented a mail service such as Exchange and you want users to use the same name whether inside or outside of the network.

Creating a zone for domain.com will stop your DNS servers from going out to the Internet for further DNS information, so for your web site (for example) you would need to enter the external information into the DNS configuration as well.
Any clients looking up your domain name externally will use the external DNS servers that are listed for the domain. Internal users will use the internal DNS servers - the same servers used for AD.

You don't expose your internal DNS service to the internet as this will expose information that shouldn't be public, and that is why you use a split DNS service.

Simon.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12328504

The questions above tend to overlap, so I hope this lot provides you with enough answers:

-= Forwarders and Root Hints =-

All Public records can be resolved via Root Hints; as such, Forwarders are not a requirement for DNS to function, but they may be needed if the situation requires it.

For instance, Forwarders are most useful when you need to access more Private records than are held on your local DNS. But they can also be used to Query other Nameservers for Public Records if required.

For one DNS Server to request information via a Forwarder, the target DNS must support recursive queries.

For example:

The Private DNS ns1.domain.com is the Start of Authority for domain.com, but knows nothing about another private Domain domain2.com.

It Forwards requests for Addresses and Names on domain2.com to ns1.domain2.com (the Start of Authority for Domain2.com).

-= Root Servers and External Servers =-

A Root Server, or Top Level Domain Server refers to one of a group of Name Servers responsible for the highest level of each domain - So there is a Root Server for .com, a Root Server for .org, etc etc.

A normal External DNS is not a Root Server, it is just another link in the chain, or a member of the Hierarchy however you prefer to view it. Normally a Public DNS Server is the Start of Authority for a Domain, that means it can answer every query about the Domain it hosts.

For example:

External DNS ns1.domain.com knows about every Host or Record on the Domain domain.com.

-= Caching =-

Caching is used by almost every DNS; there are very few exceptions to this, although the Root Servers tend not to Cache Records (they just say who to ask next).

Caching uses the Time to Live (TTL) set on the Start of Authority for the particular domain to determine how long it should hold onto a record before requesting it again from the original source or via a Forwarder. The default TTL is 2 Days, which means any Record can stay cached on a Name Server for 2 Days before it is checked again.

For example:

www.domain.com has a TTL of 3 hours set on ns1.domain.com.

All DNS that ask for the address of www.domain.com will hold onto it for 3 hours; then, if it is requested by a client again, they will in turn request it from the source again.

-= Split Brain DNS =-

Split Brain refers to two (or more) DNS being Start of Authority for the same Domain Name.

The most obvious use of this is in the Windows Domain Model, where you might use the same Internal Domain Name as you would for the External.

For Example:

Internal / Private Domain Name: windowsdomain.com

All addresses on the Internal windowsdomain.com are Private Network Addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.0.0/12). These addresses are no good to Public users so are held by a Private DNS.

The Domain also Hosts a Public Web Server on a Public IP using NAT to a Private IP. Internal Hosts may not be able to Route to the Public IP Address of the Server, so an Internal version is used.

For example:

Public Record: www.windowsdomain.com IN A 215.232.44.2
Private Record: www.windowsdomain.com IN A 10.0.0.34

(Please note I just made those up, so don't try using them)

External / Public Domain Name: windowsdomain.com

All addresses on the External windowsdomain.com are Public Addresses.

Using these addresses on a Private Nameserver may cause problems (un-routable addresses, perhaps caused by NAT restrictions).

It is recommended that any Public Server (DNS, Web, Mail, etc etc) is installed in a DMZ rather than on your Private Network.
0
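As an added example (not part of the thread, and not anyone's posted configuration), here is how the split-brain layout described above would be expressed on a single BIND 9 server using views, reusing the constructed records www.windowsdomain.com IN A 215.232.44.2 (public) and 10.0.0.34 (private) from the post. The forwarder address 192.0.2.53, the ns1 address 10.0.0.53, the 3-hour TTL, and the file paths are assumptions for the illustration.

```conf
// ---- named.conf (BIND 9) -- added example, addresses are placeholders ----

// The private ranges listed in the post; only these clients see the internal view.
acl "internal-nets" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    allow-transfer { none; };   // zone transfers off unless a secondary is defined
};

// Internal view: authoritative for the private copy of the zone,
// recursive for LAN clients, Root Hints as fallback behind the forwarder.
view "internal" {
    match-clients { "internal-nets"; };
    recursion yes;
    forwarders { 192.0.2.53; };   // assumed ISP/upstream resolver
    forward first;                // try the forwarder, fall back to Root Hints

    zone "." {
        type hint;
        file "/usr/share/dns/root.hints";   // assumed path to the root hints file
    };

    zone "windowsdomain.com" {
        type master;
        file "/etc/bind/db.windowsdomain.com.internal";
    };
};

// External view: authoritative only. No recursion, so the server is not an
// open resolver and never answers with the private zone data.
view "external" {
    match-clients { any; };
    recursion no;

    zone "windowsdomain.com" {
        type master;
        file "/etc/bind/db.windowsdomain.com.external";
    };
};

; ---- /etc/bind/db.windowsdomain.com.internal -- private copy of the zone ----
$TTL 10800      ; 3 hours, as in the post's example
@       IN  SOA ns1.windowsdomain.com. hostmaster.windowsdomain.com. (
                2004101501  ; serial
                3600        ; refresh
                900         ; retry
                604800      ; expire
                300 )       ; negative-caching TTL
        IN  NS  ns1.windowsdomain.com.
ns1     IN  A   10.0.0.53   ; assumed private address of the name server
www     IN  A   10.0.0.34   ; private address behind the NAT

; ---- /etc/bind/db.windowsdomain.com.external -- public copy of the zone ----
$TTL 10800
@       IN  SOA ns1.windowsdomain.com. hostmaster.windowsdomain.com. (
                2004101501  ; keep serials in step when editing both copies
                3600
                900
                604800
                300 )
        IN  NS  ns1.windowsdomain.com.
ns1     IN  A   215.232.44.3   ; constructed public address of the name server
www     IN  A   215.232.44.2   ; public address, NATed to 10.0.0.34
```

The two zone files are the "high maintenance" part: every public record (mail, web, and so on) has to be duplicated in the internal copy by hand, which is why a separate non-public suffix is the lower-effort design. Checking the result from both sides with `dig @<server> www.windowsdomain.com` (once from a LAN address, once from outside) is the quickest way to confirm that the views are matched as intended and that the external view refuses recursive queries.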
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12328599

Oh yeah, I should have added...

Split Brain DNS is not a recommended configuration; it's high maintenance and messy.

Instead, the use of non-public domain suffixes should be considered.

For example:

Public Domain Name: mydomain.com
Private Domain Name: mydomain.local

Or ".here", or ".internal", or really anything as long as it isn't public.
0

Author Comment

by:joehuang
ID: 12339777
Chris,

Let's say for Split Brain DNS,
Public Record: www.mydomain.com IN A 215.232.44.2
Private Record: www.mydomain.com IN A 10.0.0.34

If the internal DNS is the SOA for the private domain (www.mydomain.com) and the external ISP's name server is the SOA for the public domain (www.mydomain.com), can we say this is the type of Split Brain DNS? As my understanding, most small companies are running with this setting with

Please advise.

0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12340639

Yes, that is exactly Split Brain. You have two separate DNS Servers both thinking they know absolutely everything about the same domain (Start of Authority).

A lot of companies do set up their DNS Servers like that; it's not really a big problem for small networks. In those situations it's quite unlikely there are a large number of records in the Public DNS that would need manually adding to the Private DNS (public web site addresses and the like).

Still, it is something that's better avoided at the design stage if at all possible rather than trying to correct it later.
0
 

Author Comment

by:joehuang
ID: 12340903
In some cases it is suggested to separate the DNS service and the Caching service onto 2 servers, 1 DNS server and 1 Caching Server. Any reason for this? I assume this DNS server will forward the request to the Caching server and the Root Hints will be disabled in this DNS server.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 120 total points
ID: 12341187

That's a little confusing.

In the Split Brain Model both (or all) servers are Start of Authority - they know everything about the zone (domain.com). As such there is no need to forward any query about that domain to another server. Remember that records held on the Server itself are not cached, but in a local Zone File.

Still, disabling the Cache on a DNS would only have a negative effect. Every query would have to come from the Start of Authority for the domain in question, effectively slowing down the response time. Remove the caching on a larger scale and DNS becomes a traffic-generating monster, with the millions (or maybe billions) of requests for page addresses in addition to the normal site traffic.

Then Root Hints: that file just contains the IP addresses for the Root Servers; it lets your DNS know where to pick things up from. Without Root Hints or Forwarders you are, in effect, making your DNS a Root Server. It will think it knows everything about everything and only queries in its own Zone Files will be answered.
0
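The "1 DNS server and 1 Caching Server" split asked about above, written out as an added example (not from the thread): the authoritative server only answers from its own zone files and never recurses, while the caching resolver holds no zones at all and relies on Root Hints (with an optional forwarder) for everything. The addresses 10.0.0.53 (authoritative), 10.0.0.54 (resolver), 192.0.2.53 (forwarder) and the file paths are assumptions.

```conf
// ---- named.conf on ns1, the authoritative server (assumed 10.0.0.53) ----
// No recursion, no forwarders, no Root Hints: this host answers only for zones
// it holds, which is exactly the "acts like a Root Server" behaviour described
// above, and that is the intended role here.
options {
    directory "/var/cache/bind";
    recursion no;                       // refuse to look anything up on behalf of clients
    allow-query { any; };               // anyone may ask about the zones we host
    allow-transfer { 10.0.0.54; };      // only the named secondary/resolver may pull the zone
    minimal-responses yes;              // keep answers small; less amplification potential
};

zone "windowsdomain.com" {
    type master;
    file "/etc/bind/db.windowsdomain.com";   // assumed path; same file format as a normal zone
};

// ---- named.conf on the caching resolver (assumed 10.0.0.54) ----
// Holds no zones. Every answer is either fetched via Root Hints / the forwarder
// or served from cache until the record's TTL (set by the zone's SOA owner) runs out.
acl "internal-nets" { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { "internal-nets"; };   // LAN clients only; not an open resolver
    allow-recursion { "internal-nets"; };
    forwarders { 192.0.2.53; };             // optional upstream; assumed address
    forward first;                          // forwarder first, Root Hints if it fails
    max-cache-ttl 172800;                   // never keep a record longer than 2 days
};

// Required even with a forwarder, otherwise "forward first" has nothing to fall back to.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";   // assumed path to the root hints file
};
```

Splitting the roles this way is also a security choice: the authoritative host exposed to the Internet carries no cache that could be poisoned and cannot be used as an open recursive resolver, while the resolver that does recurse is reachable only from the private ranges. On the resolver, `rndc dumpdb -cache` (BIND's own command) shows what is currently cached and the remaining TTL of each record, which is a simple way to watch the caching behaviour described in the answer above.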