Solved

DNS in Split Brain Mode

Posted on 2004-10-15
Last Modified: 2012-08-14
Some questions regarding Split Brain DNS structure and DNS Forwarder:
1. DNS server located in LAN, DNS requests will be sent to the Root Hints and the resolved name cached. In some cases the name can not be resolved by the Root DNS, then the request will go through the Forwarder in order to resolve the names. Is this because of Internet traffic issues? And does the role of the Forwarder function as a shortcut?

2. Split Brain DNS structure consists of 1 Local DNS server and 1 External DNS Server; the local DNS server will query the external DNS server for name resolution. Does it mean the external DNS server becomes the ROOT DNS server of the Local DNS server? Does it mean the External DNS server is functioning as a Caching Server only? Does the External DNS server need to have a Forwarder configured?

3. A little bit confused from the point of view of the security concern that stated the External DNS server is exposed to the public/internet area as a gateway, so the public can't query the LAN DNS structure. But as my understanding, many corps put their DNS server behind the firewall with certain security settings to refuse/block public queries to the LAN DNS server. So, what is the real reason for implementing Split DNS?

Please Advise.

7 Comments
 
LVL 104

Expert Comment

by:Sembee
It isn't really clear what you are asking.
The reason that split DNS is used is so that resources that are on the internet resolve to the correct system internally, where they have an internal IP address.

For example.
If you have a web site on www.domain.com then this will resolve outside your network to a public IP address of 123.123.123.123. In most cases this isn't the IP address of the server that www is on. Instead you are forwarding traffic for http through your firewall to an internal IP address of 192.168.1.1.
Internal clients, while they can resolve www.domain.com to 123.123.123.123, will not be able to connect to it because the firewall will not let them.
Therefore you need to resolve www.domain.com to 192.168.1.1.
The most frequent use for this feature is when you have implemented a mail service such as Exchange and you want users to use the same name whether inside or outside of the network.

Creating a zone for domain.com will stop your DNS servers from going out to the Internet for further DNS information, so for your web site (for example) you would need to enter the external information into the DNS configuration as well.
Any clients looking up your domain name externally will use the external DNS servers that are listed for the domain. Internal users will use the internal DNS servers - the same servers used for AD.

You don't expose your internal DNS service to the internet as this will expose information that shouldn't be public, and that is why you use split dns service.

Simon.
 
LVL 70

Expert Comment

by:Chris Dent

The questions above tend to overlap, so I hope this lot provides you with enough answers:

-= Forwarders and Root Hints =-

All Public records can be resolved via Root Hints; as such, Forwarders are not a requirement for DNS to function, but they may be needed if the situation requires it.

For instance, Forwarders are most useful when you need to access more Private records than are held on your local DNS. But they can also be used to Query other Nameservers for Public Records if required.

For one DNS Server to request information via a Forwarder, the target DNS must support recursive queries.

For example:

The Private DNS ns1.domain.com is the Start of Authority for domain.com, but knows nothing about another private Domain domain2.com.

It Forwards requests for Addresses and Names on domain2.com to ns1.domain2.com (the Start of Authority for Domain2.com).

-= Root Servers and External Servers =-

A Root Server, or Top Level Domain Server, refers to one of a group of Name Servers responsible for the highest level of each domain - so there is a Root Server for .com, a Root Server for .org, etc.

A normal External DNS is not a Root Server; it is just another link in the chain, or a member of the Hierarchy, however you prefer to view it. Normally a Public DNS Server is the Start of Authority for a Domain, which means it can answer every query about the Domain it hosts.

For example:

External DNS ns1.domain.com knows about every Host or Record on the Domain domain.com.

-= Caching =-

Caching is used by almost every DNS, there are very few exceptions to this, although the Root Servers tend not to Cache Records (they just say who to ask next).

Caching uses the Time to Live (TTL) set on the Start of Authority for the particular domain to determine how long it should hold onto a record before requesting it again from the original source or via a Forwarder. The default TTL is 2 Days, which means any Record can stay cached on a Name Server for 2 Days before it is checked again.

For example:

www.domain.com has a TTL of 3 hours set on ns1.domain.com.

All DNS servers that ask for the address of www.domain.com will hold onto it for 3 hours; then, if it is requested by a client again, they will in turn request it from the source again.

-= Split Brain DNS =-

Split Brain refers to two (or more) DNS being Start of Authority for the same Domain Name.

The most obvious use of this is in the Windows Domain Model, where you might use the same Internal Domain Name as you would for the External.

For Example:

Internal / Private Domain Name: windowsdomain.com

All addresses on the Internal windowsdomain.com are Private Network Addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.0.0/12). These addresses are no good to Public users so are held by a Private DNS.

The Domain also Hosts a Public Web Server on a Public IP using NAT to a Private IP. Internal Hosts may not be able to Route to the Public IP Address of the Server - so an Internal version is used.

For example:

Public Record: www.windowsdomain.com IN A 215.232.44.2
Private Record: www.windowsdomain.com IN A 10.0.0.34

(Please note I just made those up, so don't try using them)

External / Public Domain Name: windowsdomain.com

All addresses on the External windowsdomain.com are Public Addresses.

Using these addresses on a Private Nameserver may cause problems (un-routable addresses, perhaps caused by NAT restrictions).

It is recommended that any Public Server (DNS, Web, Mail, etc.) is installed in a DMZ rather than on your Private Network.
 
LVL 70

Expert Comment

by:Chris Dent

Oh yeah, I should have added...

Split Brain DNS is not a recommended configuration; it's high maintenance and messy.

Instead, the use of non-public domain suffixes should be considered.

For example:

Public Domain Name: mydomain.com
Private Domain Name: mydomain.local

Or ".here", or ".internal", or really anything as long as it isn't public.

 

Author Comment

by:joehuang
Chris,

Let's say for Split Brain DNS,
Public Record: www.mydomain.com IN A 215.232.44.2
Private Record: www.mydomain.com IN A 10.0.0.34

If internal DNS is the SOA for the private domain (www.mydomain.com) and the external ISP's name server is the SOA for the public domain (www.mydomain.com), can we say this is the type of Split Brain DNS? As my understanding, most small companies are running with this setting with

Please advise.


 
LVL 70

Expert Comment

by:Chris Dent

Yes, that is exactly Split Brain. You have two separate DNS Servers both thinking they know absolutely everything about the same domain (Start of Authority).

A lot of companies do set up their DNS Servers like that; it's not really a big problem for small networks. In those situations it's quite unlikely there are a large number of records in the Public DNS that would need manually adding to the Private DNS (public web site addresses and the like).

Still, it is something that's better avoided at the design stage if at all possible rather than trying to correct it later.
 

Author Comment

by:joehuang
In some cases it is suggested to separate the DNS service and the Caching service onto 2 servers, 1 DNS server and 1 Caching Server. Any reason for this? I assume this DNS server will forward the request to the Caching server and the Root Hints will be disabled in this DNS server.
 
LVL 70

Accepted Solution

by:
Chris Dent earned 30 total points

That's a little confusing.

In the Split Brain Model both (or all) servers are Start of Authority - they know everything about the zone (domain.com). As such there is no need to forward any query about that domain to another server. Remember that records held on the Server itself are not cached, but in a local Zone File.

Still, disabling the Cache on a DNS would only have a negative effect. Every query would have to come from the Start of Authority for the domain in question, effectively slowing down the response time. Remove the caching on a larger scale and DNS becomes a traffic generating monster, with the millions (or maybe billions) of requests for page addresses in addition to the normal site traffic.

Then Root Hints: that file just contains the IP addresses for the Root Servers; it lets your DNS know where to pick things up from. Without Root Hints or Forwarders you are, in effect, making your DNS a Root Server. It will think it knows everything about everything and only queries in its own Zone Files will be answered.
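The behaviour Chris Dent describes across his answers (two Start of Authority servers holding different records for the same name, answers cached for the TTL the SOA sets, a Forwarder for a private domain the local server knows nothing about, Root Hints for everything public, and a server with neither that can only answer from its own Zone Files) can be modelled in a few dozen lines. The following Python simulation is an added example written for this page; it is not code from the thread or from any DNS product. Every server name, zone, address and TTL in it is constructed for the demonstration (203.0.113.10 is from the RFC 5737 documentation range, and the 10.x addresses are private-range placeholders), and the `clock` object stands in for wall time so TTL expiry can be shown without waiting.

```python
"""Toy model of split-brain authority, TTL caching, forwarders and root hints as
discussed in this thread. Added example, not code from the thread or any DNS
product; names, addresses and TTLs are constructed (203.0.113.10 is RFC 5737)."""
from collections import namedtuple
from types import SimpleNamespace

# source: server whose zone file holds the record; from_cache: served from the
# queried server's own cache rather than from a zone file or another server
Answer = namedtuple("Answer", "rdata ttl source from_cache")


def longest_match(table, qname):
    """Most specific zone name in `table` that qname falls under, or None."""
    hits = [z for z in table if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None


class NameServer:
    def __init__(self, name, clock, zones=None, delegations=None,
                 forwarders=None, root_hints=None):
        self.name, self.clock = name, clock   # clock.now is seconds; mutable for tests
        self.zones = zones or {}              # {zone: {qname: (rdata, ttl)}}: zone files (SOA)
        self.delegations = delegations or {}  # {child zone: NameServer}: "who to ask next"
        self.forwarders = forwarders or []    # servers that take our recursive queries
        self.root_hints = root_hints or []    # where an iterative lookup starts
        self.cache = {}                       # qname -> (rdata, expires_at, source)

    def answer_from_zone(self, qname):
        # Authoritative answer straight from the zone file; the cache is not involved
        zone = longest_match(self.zones, qname)
        rec = self.zones[zone].get(qname) if zone else None
        return None if rec is None else Answer(rec[0], rec[1], self.name, False)

    def iterate(self, qname, server):
        # Walk the hierarchy from a root server by following referrals
        for _ in range(10):                   # bounded: guards against delegation loops
            if longest_match(server.zones, qname):
                return server.answer_from_zone(qname)
            child = longest_match(server.delegations, qname)
            if child is None:
                return None
            server = server.delegations[child]
        return None

    def remember(self, qname, ans):
        self.cache[qname] = (ans.rdata, self.clock.now + ans.ttl, ans.source)
        return Answer(ans.rdata, ans.ttl, ans.source, False)

    def resolve(self, qname):
        """Own zone files, then cache, then forwarders, then root hints."""
        if longest_match(self.zones, qname):
            return self.answer_from_zone(qname)   # Start of Authority: zone file wins
        if qname in self.cache:
            rdata, expires_at, source = self.cache[qname]
            if expires_at > self.clock.now:
                return Answer(rdata, expires_at - self.clock.now, source, True)
            del self.cache[qname]                 # TTL ran out: ask the source again
        for fwd in self.forwarders:               # recursive query to a forwarder
            ans = fwd.resolve(qname)
            if ans:
                return self.remember(qname, ans)
        for root in self.root_hints:              # iterative lookup from the root
            ans = self.iterate(qname, root)
            if ans:
                return self.remember(qname, ans)
        return None   # nowhere left to ask: only this server's own zones are answerable


def build_topology(clock):
    # Constructed network: a public hierarchy plus a split-brain private server
    ext_ns = NameServer("ns1.windowsdomain.com", clock, zones={
        "windowsdomain.com": {"www.windowsdomain.com": ("203.0.113.10", 10800)}})
    tld = NameServer("com-tld.example", clock, delegations={"windowsdomain.com": ext_ns})
    root = NameServer("root.example", clock, delegations={"com": tld})
    ns2 = NameServer("ns1.domain2.com", clock, zones={               # another private domain
        "domain2.com": {"fileserver.domain2.com": ("10.2.0.5", 600)}})
    int_ns = NameServer("dc1.windowsdomain.com", clock, zones={      # split-brain twin of ext_ns
        "windowsdomain.com": {"www.windowsdomain.com": ("10.0.0.34", 10800)}},
        forwarders=[ns2], root_hints=[root])
    isp = NameServer("resolver.isp.example", clock, root_hints=[root])
    island = NameServer("island.example", clock, zones={             # no root hints, no forwarders
        "island.example": {"host.island.example": ("10.9.9.9", 60)}})
    return int_ns, isp, island


def demo(clock=None):
    clock = clock or SimpleNamespace(now=0)
    int_ns, isp, island = build_topology(clock)
    inside = int_ns.resolve("www.windowsdomain.com").rdata
    outside = isp.resolve("www.windowsdomain.com").rdata
    first = int_ns.resolve("fileserver.domain2.com")       # via forwarder, then cached
    clock.now += 100
    second = int_ns.resolve("fileserver.domain2.com")      # from cache, 500 s of TTL left
    clock.now += 501
    third = int_ns.resolve("fileserver.domain2.com")       # TTL expired, fetched again
    return {
        "split_brain": (inside, outside),                  # ('10.0.0.34', '203.0.113.10')
        "cache": [(a.from_cache, a.ttl) for a in (first, second, third)],
        "island": (island.resolve("host.island.example").rdata,
                   island.resolve("www.windowsdomain.com")),  # ('10.9.9.9', None)
    }
```

Calling `demo()` shows the three points of the thread side by side: the private and the ISP resolver return different addresses for the same name because each side ends at a different Start of Authority; the domain2.com record reaches the private server only through the Forwarder, is then served from cache with a shrinking TTL, and is fetched from the source again once the TTL the SOA set has run out; and the `island` server, with no Root Hints and no Forwarders, answers its own zone and nothing else, which is the "your DNS becomes a Root Server" situation from the accepted answer.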
