Split Horizon DNS with Windows Server 2008


I've been asked if we can do a Split Horizon DNS structure in our office. From what I've looked up so far it's not looking promising, but I have yet to find anything that looks like our set up here.

What we have is a Windows server based domain (2000 functional level, though no 2000 servers!) with AD integrated DNS.
The local domain is domain.local, giving an FQDN of hostname.domain.local.
We have a number of external services (mail, web, database etc.) accessed using a legal qualified domain, e.g. red-king.com, NATed on public IPs.

What I've been asked to look into is if we can have some external services accessed through the local lan, but using the external domain, red-king.com

So the problem I'm hoping split horizon can solve (if I can configure it on windows) is that I can add a red-king.com zone to my server and resolve mail.red-king.com to a local address but resolve www.red-king.com to a public address.

What I'm worried about is that if we put a red-king.com zone on our local dns servers then requests for a record not in our local dns will not get forwarded.

Alternatively I'm thinking to create the red-king.com zone and replicate all the public DNS entries into our local server. I've no idea of the scope of this though.

Any and all help appreciated,

Red-King (IT Manager) asked:

Chris Dent (PowerShell Developer) commented:

> What I'm worried about is that if we put a red-king.com zone on our local dns servers then requests for
> a record not in our local dns will not get forwarded.

You are correct, they will not forward at all if you have a reverse lookup zone for red-king.com.

There are a few ways around this:

1. Reconfigure firewalls to allow NAT loopback
2. Configure DNS Doctoring on the firewall
3. Add individual zones for each address you wish to override, e.g. create a forward lookup zone called database.red-king.com, then add a Host (A) record with a blank name and the internal IP

Each of those avoids the split-brain condition entirely.
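As an added illustration (not code from the thread), the following Python model shows how a DNS server chooses the zone that answers a query by longest matching suffix, which is why a whole red-king.com zone swallows www.red-king.com as NXDOMAIN while the per-host zones of option 3 only capture the one name and let everything else forward. All zone names and IPs below are constructed; the dnscmd lines in the comments are the usual dnscmd syntax, not commands from the thread.

```python
# Constructed model of Windows DNS zone selection (not the real server code).
AUTHORITATIVE = "authoritative"
FORWARDED = "forwarded"

def _labels(name):
    """'mail.red-king.com.' -> ('mail', 'red-king', 'com')"""
    return tuple(name.lower().rstrip(".").split("."))

def resolve(query, zones, forwarder):
    """Return (how, answer) for `query` against a server holding `zones`.

    zones:     {zone_name: {owner: ip}}, owner "@" meaning the zone root
               (the "blank name" A record from option 3).
    forwarder: {fqdn: ip} standing in for the public DNS the server forwards to.
    """
    q = _labels(query)
    best = None
    for zone in zones:                     # most specific matching zone wins
        z = _labels(zone)
        if q[-len(z):] == z and (best is None or len(z) > len(_labels(best))):
            best = zone
    if best is None:                       # no local zone covers it: forward
        return FORWARDED, forwarder.get(query)
    rel = q[: len(q) - len(_labels(best))]  # labels below the zone apex
    owner = "@" if not rel else ".".join(rel)
    return AUTHORITATIVE, zones[best].get(owner)   # None == NXDOMAIN, no forwarding

# Constructed sample data (RFC 5737 / RFC 1918 addresses).
PUBLIC_DNS = {"mail.red-king.com": "203.0.113.10", "www.red-king.com": "203.0.113.20"}

# The setup the question worries about: one local zone for the whole public domain.
WHOLE_DOMAIN = {"domain.local": {"dc1": "10.0.0.1"},
                "red-king.com": {"mail": "10.0.0.25"}}

# Option 3: one zone per overridden host, A record with a blank name.
# Roughly, on the 2008 server:  dnscmd /ZoneAdd mail.red-king.com /DsPrimary
#                               dnscmd /RecordAdd mail.red-king.com @ A 10.0.0.25
PER_HOST = {"domain.local": {"dc1": "10.0.0.1"},
            "mail.red-king.com": {"@": "10.0.0.25"}}

if __name__ == "__main__":
    for zones in (WHOLE_DOMAIN, PER_HOST):
        for name in ("mail.red-king.com", "www.red-king.com", "dc1.domain.local"):
            print(name, resolve(name, zones, PUBLIC_DNS))
```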



Red-King (IT Manager, Author) commented:
Thanks for the response Chris.
I'll try testing the individual zones and see how that works. NAT loopback might be another possibility.

Has anybody else got a similar configuration to what I've described?
I'd love to hear how some other people cope with this.

I'm not sure if I understand you correctly, so correct me if I go wrong.
Your firewall has 3 legs: internal network, DMZ net for public services, and of course you are connected to the internet.
I assume you have local DNS in your internal network. DMZ servers are on a different network and have local IPs that are NATed in the firewall to public IPs.
In the firewall, you should allow routing between internal and DMZ and secure it by opening only the needed ports.
In your local DNS, when you ask for a service that is in the DMZ zone, it will return the local IP; if someone queries from the internet, it will return the NATed public IP.
Also, your local DNS is forwarded to the public DNS in the DMZ zone if you have one, or to another public DNS that accepts queries from you.

That being said, in BIND DNS you have the Views clause, where you can implement different views for your network on a single DNS server; not sure what the steps are on MS DNS.
Chris Dent (PowerShell Developer) commented:

No views for MS DNS unfortunately. The best method if the fix is staying in DNS is 3 above.

Red-King (IT Manager, Author) commented:
Hi Losche,

Thanks for your response. I guess you could call it a DMZ, but it is really a separate network.
Local DNS is in our internal network. The server I want to access is in the DMZ and only accessible through the public IP.

The internal domain name is different to the public domain name.

The internal DNS server is not authoritative for the public domain.

I think the best solution is option 3 that Chris gave. I'm going to leave this question open for another day or 2 to see if anybody else might have any ideas.

Thanks again,