• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3445

Split Horizon DNS with Windows Server 2008

Hi,

I've been asked if we can do a Split Horizon DNS structure in our office. From what I've looked up so far it's not looking promising, but I have yet to find anything that looks like our set up here.

What we have is a Windows server based domain (2000 functional level, though no 2000 servers!) with AD integrated DNS.
The local domain is domain.local giving an fqdn of hostname.domain.local
We have a number of external services (mail, web, database etc.) accessed using a legal qualified domain, e.g. red-king.com, NATed on public IPs

What I've been asked to look into is if we can have some external services accessed through the local lan, but using the external domain, red-king.com

So the problem I'm hoping split horizon can solve (if I can configure it on windows) is that I can add a red-king.com zone to my server and resolve mail.red-king.com to a local address but resolve www.red-king.com to a public address.

What I'm worried about is that if we put a red-king.com zone on our local dns servers then requests for a record not in our local dns will not get forwarded.


Alternatively I'm thinking to create the red-king.com zone and replicate all the public DNS entries into our local server. I've no idea of the scope of this though.

Any and all help appreciated,
Rory

Asked by: Red-King
1 Solution
 
Chris Dent (PowerShell Developer) commented:

> What I'm worried about is that if we put a red-king.com zone on our local dns servers then requests for
> a record not in our local dns will not get forwarded.

You are correct, they will not forward at all if you have a reverse lookup zone for red-king.com.

There are a few ways around this:

1. Reconfigure firewalls to allow NAT loopback
2. Configure DNS Doctoring on the firewall
3. Add individual zones for each address you wish to override. e.g. Create a forward lookup zone called database.red-king.com, then add a Host (A) record with a blank name and the internal IP

Each of those avoids the split-brain condition entirely.

HTH

Chris
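Option 3 from the answer above, written out as an added example (not code from the thread or from Chris). It drives dnscmd, which ships with Windows Server 2008, from PowerShell; the server name, host names and internal IPs are assumptions, and it assumes the DNS server is AD-integrated and already forwards everything it is not authoritative for.

```powershell
# Added example: one single-label AD-integrated zone per host that must resolve
# to an internal address. The server stays non-authoritative for red-king.com
# itself, so every other red-king.com name is still forwarded as before.
$DnsServer = 'dc1.domain.local'            # assumed: an AD-integrated DNS server
$Overrides = @{
    'mail.red-king.com'     = '192.168.10.25'   # assumed internal address
    'database.red-king.com' = '192.168.10.30'   # assumed internal address
}

foreach ($fqdn in $Overrides.Keys) {
    $ip = $Overrides[$fqdn]

    # /ZoneInfo fails for a zone that does not exist; use that to make the
    # script safe to re-run without touching zones that are already in place.
    & dnscmd $DnsServer /ZoneInfo $fqdn *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Zone $fqdn already exists, leaving it alone"
        continue
    }

    # Create the zone in AD (/DsPrimary) so it replicates to the other DCs.
    & dnscmd $DnsServer /ZoneAdd $fqdn /DsPrimary

    # '@' is the zone root: the blank-name Host (A) record the answer describes.
    & dnscmd $DnsServer /RecordAdd $fqdn '@' A $ip
}

# Check: overridden names must answer with the internal IP, while a name that
# was not overridden (www) must still be answered via the forwarder.
foreach ($name in (@($Overrides.Keys) + 'www.red-king.com')) {
    nslookup $name $DnsServer
}
```

One side effect to keep in mind: each override zone also makes the server authoritative for everything beneath that name, so a record such as something.database.red-king.com would no longer be forwarded either; keep the list of override zones short and documented.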
Red-King (IT Manager, Author) commented:
Thanks for the response Chris.
I'll try testing the individual zones and see how that works. NAT loopback might be another possibility.

Has anybody else got a similar configuration to what I've described?
I'd love to hear how some other people cope with this.

Rory
losche commented:
I'm not sure if I understand you correctly, so correct me if I go wrong.
Your firewall has 3 legs: internal network, DMZ net for public services, and of course you are connected to the internet:
Internal-----Firewall-----Internet
                       |
                    DMZ
I assume you have local DNS in your internal network. DMZ servers are on a different network and have local IPs that are NATed in the firewall to public IPs.
In the firewall, you should allow routing between Internal and DMZ and secure it by opening only the needed ports.
In your local DNS, when you ask for a service that is in the DMZ zone, it will return the local IP; if someone queries from the internet, it will return the NATed public IP.
Also, your local DNS is forwarded to a public DNS in the DMZ zone if you have one, or to another public DNS that accepts queries from you.

That being said, in BIND DNS you have the Views clause, where you can implement different views for your network on a single DNS server; not sure what the steps are on MS DNS.
Regards.
Chris Dent (PowerShell Developer) commented:

No views for MS DNS unfortunately. The best method if the fix is staying in DNS is 3 above.

Chris
Red-King (IT Manager, Author) commented:
Hi Losche,

Thanks for your response. I guess you could call it a DMZ, but it is really a separate network.
Local DNS is in our internal network. The server I want to access is in the DMZ and only accessible through a public IP.

The internal domain name is different to the public domain name.

The internal DNS server is not authoritative for the public domain.

I think the best solution is option 3 that Chris gave. I'm going to leave this question open for another day or 2 to see if anybody else might have any ideas.

Thanks again,
Rory