Solved

DNS in Split Brain Mode

Posted on 2004-10-15
Last Modified: 2012-08-14
Some questions regarding Split Brain DNS structure and DNS Forwarders:
1. DNS server located in LAN, DNS requests will be sent to Root Hints and the resolved name cached. In some cases the name cannot be resolved by Root DNS, then the request will go through the Forwarder in order to resolve the names. Is this because of Internet traffic issues? And does the Forwarder function as a shortcut?

2. Split Brain DNS structure consists of 1 Local DNS server and 1 External DNS Server, the local DNS server will query the external DNS server for name resolution. Does it mean the external DNS server becomes the ROOT DNS server of the Local DNS server? Does it mean the External DNS server is functioning as a Caching Server only? Does the External DNS server need to have a Forwarder configured?

3. I am a little bit confused from the security point of view: it is stated that the External DNS server is exposed to the public/Internet area as a gateway, so the public can't query the LAN DNS structure. But as I understand it, many corporations put their DNS server behind the firewall with certain security settings to refuse/block public queries to the LAN DNS server. So, what is the real reason for implementing Split DNS?

Please Advise.

Question by:joehuang
7 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 12324861
It isn't really clear what you are asking.
The reason that split DNS is used is so that resources that are on the internet resolve to the correct system internally, where they have an internal IP address.

For example.
If you have a web site on www.domain.com then this will resolve outside your network to a public IP address of 123.123.123.123. In most cases this isn't the IP address of the server that www is on. Instead you are forwarding traffic for http through your firewall to an internal IP address of 192.168.1.1.
While clients internally can resolve www.domain.com to 123.123.123.123, they will not be able to connect to it because the firewall will not let them.
Therefore you need to resolve www.domain.com to 192.168.1.1.
The most frequent use for this feature is when you have implemented a mail service such as Exchange and you want users to use the same name whether inside or outside of the network.

Creating a zone for domain.com will stop your DNS servers from going out to the Internet for further DNS information, so if your web site (for example) then you would need to enter the external information into the DNS configuration as well.
Any clients looking up your domain name externally will use the external DNS servers that are listed for the domain. Internal users will use the internal DNS servers - the same servers used for AD.

You don't expose your internal DNS service to the internet as this will expose information that shouldn't be public, and that is why you use split dns service.

Simon.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12328504

The questions above tend to overlap, so I hope this lot provides you with enough answers:

-= Forwarders and Root Hints =-

All Public records can be resolved via Root Hints, as such Forwarders are not a requirement for DNS to function, but they may be needed if the situation requires it.

For instance, Forwarders are most useful when you need to access more Private records than are held on your local DNS. But they can also be used to Query other Nameservers for Public Records if required.

For one DNS Server to request information by a Forwarder the target DNS must support recursive queries.

For example:

The Private DNS ns1.domain.com is the Start of Authority for domain.com, but knows nothing about another private Domain domain2.com.

It Forwards requests for Addresses and Names on domain2.com to ns1.domain2.com (the Start of Authority for Domain2.com).

-= Root Servers and External Servers =-

A Root Server, or Top Level Domain Server refers to one of a group of Name Servers responsible for the highest level of each domain - So there is a Root Server for .com, a Root Server for .org, etc etc.

A normal External DNS is not a Root Server, it is just another link in the chain, or a member of the Hierarchy however you prefer to view it. Normally a Public DNS Server is the Start of Authority for a Domain, that means it can answer every query about the Domain it hosts.

For example:

External DNS ns1.domain.com knows about every Host or Record on the Domain domain.com.

-= Caching =-

Caching is used by almost every DNS, there are very few exceptions to this, although the Root Servers tend not to Cache Records (they just say who to ask next).

Caching uses the Time to Live (TTL) set on the Start of Authority for the particular domain to determine how long it should hold onto a record before requesting it again from the original source or via a Forwarder. The default TTL is 2 Days, which means any Record can stay cached on a Name Server for 2 Days before it is checked again.

For example:

www.domain.com has a TTL of 3 hours set on ns1.domain.com.

All DNS that ask for the address of www.domain.com will hold onto it for 3 hours, then if it is requested by a client again they will, in turn, request it from the source again.

-= Split Brain DNS =-

Split Brain refers to two (or more) DNS being Start of Authority for the same Domain Name.

The most obvious use of this is in the Windows Domain Model, where you might use the same Internal Domain Name as you would for the External.

For Example:

Internal / Private Domain Name: windowsdomain.com

All addresses on the Internal windowsdomain.com are Private Network Addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or 169.254.0.0/12). These addresses are no good to Public users so are held by a Private DNS.

The Domain also Hosts a Public Web Server on a Public IP using NAT to a Private IP. Internal Hosts may not be able to Route to the Public IP Address of the Server - so an Internal version is used.

For example:

Public Record: www.windowsdomain.com IN A 215.232.44.2
Private Record: www.windowsdomain.com IN A 10.0.0.34

(Please note I just made those up, so don't try using them)

External / Public Domain Name: windowsdomain.com

All addresses on the External windowsdomain.com are Public Addresses.

Using these addresses on a Private Nameserver may cause problems (un-routable addresses, perhaps caused by NAT restrictions).

It is recommended that any Public Server (DNS, Web, Mail, etc etc) is installed in a DMZ rather than on your Private Network.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12328599

Oh yeah, I should have added...

Split Brain DNS is not a recommended configuration, it's high maintenance and messy.

Instead use of non-public domain suffixes should be considered.

For example:

Public Domain Name: mydomain.com
Private Domain Name: mydomain.local

Or ".here", or ".internal", or really anything as long as it isn't public.
0

 

Author Comment

by:joehuang
ID: 12339777
Chris,

Let's say for Split Brain DNS,
Public Record: www.mydomain.com IN A 215.232.44.2
Private Record: www.mydomain.com IN A 10.0.0.34

If the internal DNS is the SOA for the private domain (www.mydomain.com) and the external ISP's name server is the SOA for the public domain (www.mydomain.com), can we say this is a type of Split Brain DNS? As I understand it, most small companies are running with this setting with

Please advise.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 12340639

Yes, that is exactly Split Brain. You have two separate DNS Servers both thinking they know absolutely everything about the same domain (Start of Authority).

A lot of companies do set-up their DNS Servers like that, it's not really a big problem for small networks. In those situations it's quite unlikely there are a large number of records in the Public DNS that would need manually adding to the Private DNS (public web site addresses and the like).

Still, it is something that's better avoided at the design stage if at all possible rather than trying to correct it later.
0
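
The maintenance problem discussed in the answers above (each server is authoritative for the same zone, so public records must be copied into the private DNS by hand, and internal records must stay out of the public one) can be checked mechanically. The following is an added example, not part of any post in this thread: it compares the A records of the two copies of a zone. The zone contents are constructed sample data, and the function names `parse_a_records` and `audit_split_brain` are hypothetical.

```python
import ipaddress

# Constructed sample data: the www records are the made-up ones from the thread,
# the remaining names and addresses are invented for this example.
PUBLIC_ZONE = """
www.windowsdomain.com.      IN A 215.232.44.2
mail.windowsdomain.com.     IN A 215.232.44.3
vpn.windowsdomain.com.      IN A 215.232.44.4
intranet.windowsdomain.com. IN A 10.0.0.50   ; internal address published by mistake
"""
PRIVATE_ZONE = """
www.windowsdomain.com.      IN A 10.0.0.34
mail.windowsdomain.com.     IN A 10.0.0.35
dc1.windowsdomain.com.      IN A 10.0.0.10
"""

def parse_a_records(zone_text):
    """Parse 'name IN A address' lines into {name: set of IPv4Address}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        if len(fields) == 4 and [f.upper() for f in fields[1:3]] == ["IN", "A"]:
            name = fields[0].lower().rstrip(".")
            records.setdefault(name, set()).add(ipaddress.ip_address(fields[3]))
    return records

def audit_split_brain(public_text, private_text):
    """Compare the two authoritative copies of one split-brain zone."""
    public = parse_a_records(public_text)
    private = parse_a_records(private_text)
    return {
        # The internal server is authoritative, so it never asks the Internet:
        # a public name with no internal copy simply fails for LAN clients.
        "missing_internally": sorted(set(public) - set(private)),
        # Non-public addresses in the external zone disclose internal layout.
        # is_private covers RFC 1918 plus other special-purpose ranges.
        "private_in_public": sorted(
            name for name, addrs in public.items()
            if any(a.is_private for a in addrs)
        ),
        # Names that exist only internally are expected; listed for review.
        "internal_only": sorted(set(private) - set(public)),
    }

if __name__ == "__main__":
    for finding, names in audit_split_brain(PUBLIC_ZONE, PRIVATE_ZONE).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```
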
 

Author Comment

by:joehuang
ID: 12340903
In some cases it is suggested to separate the DNS service and the Caching service onto 2 servers, 1 DNS server and 1 Caching Server. Any reason for this? I assume this DNS server will forward the request to the Caching server and the Root Hints will be disabled on this DNS server.
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 120 total points
ID: 12341187

That's a little confusing.

In the Split Brain Model both (or all) servers are Start of Authority - they know everything about the zone (domain.com). As such there is no need to forward any query about that domain to another server. Remember that records held on the Server itself are not cached, but in a local Zone File.

Still, disabling the Cache on a DNS would only have a negative effect. Every query would have to come from the Start of Authority for the domain in question, effectively slowing down the response time. Remove the caching on a larger scale and DNS becomes a traffic generating monster, with the millions (or maybe billions) of requests for page addresses in addition to the normal site traffic.

Then Root Hints, that file just contains the IP addresses for the Root Servers, it lets your DNS know where to pick things up from. Without Root Hints or Forwarders you are, in effect, making your DNS a Root Server. It will think it knows everything about everything and only queries in its own Zone Files will be answered.
0
