Understanding the purpose of a split-brain DNS

Posted on 2010-11-26
Last Modified: 2012-05-10
I have come across the concept of a split-brain DNS, and I cannot seem to understand its purpose or in which situation one would set one up.

As I understand it, split DNS is when you have a DNS server exposed in your DMZ and another in your internal network. In my production environment, we have only internal (private) DNS servers which resolve the hosts in the DMZ and private network, which works well, and if a client needs to resolve a name over the internet, the root hints go out via the known public DNS servers for resolution.

If someone can please explain this concept to me and why anyone would configure such a setup, I would greatly appreciate it. I have read many articles on the web, but still the practicality of such a setup eludes me.
Question by: Network_Padawan

Author Comment

ID: 34220240
Also wanted to add that, for clients to resolve our hosting services, the hosts are registered via netregistry, so why would anyone want an external DNS?

Assisted Solution

Blake_1 earned 83 total points
ID: 34220884
Perhaps the most common implementation of split DNS is when you have a server inside the network or DMZ which provides a service both internally and to clients located on the Internet.

For instance, you have a server called '' which people access both internally and externally using the URL  On the internal network it has an IP address of, which is fine for people inside the company's firewall but cannot be accessed by Internet clients.  For this reason it has an Internet-facing IP (possibly NAT'ed from a firewall) of

In the above scenario, needs to be able to resolve to both and It also needs to do this based on where the requests are coming from. The simplest means of doing this is to create a zone for '' on your corporate DNS server for the 192.x address, and publish the record for the 203.x address using an Internet DNS service.

If '' was hosted by a third party and is therefore external to your company's network then there is no need for the split DNS zone to be configured.
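The view selection Blake_1 describes, modelled in Python as an added example (not code from the answer above): two authoritative copies of one zone, and the source address of the query decides which copy answers. The zone name example.com, the 192.168.10.x internal addresses and the 203.0.113.x public addresses are constructed placeholders.

```python
"""Split-horizon ("split-brain") DNS resolution, modelled in plain Python.

Two authoritative copies of the same zone exist: an internal view that
hands out RFC 1918 addresses to clients on the corporate network, and an
external view that hands out the NAT'ed public addresses to everyone
else. Which view answers is decided purely by the client's source address.

All names and addresses below are constructed for illustration.
"""
import ipaddress

ZONE = "example.com"  # assumed zone name

# Client networks that are allowed to see the internal view (RFC 1918).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Internal view: private addresses, plus records that exist nowhere else
# (a domain controller and an intranet host).
INTERNAL_VIEW = {
    "www.example.com.": ("A", "192.168.10.20"),
    "mail.example.com.": ("A", "192.168.10.25"),
    "dc1.example.com.": ("A", "192.168.10.5"),
    "intranet.example.com.": ("A", "192.168.10.30"),
}

# External view: only Internet-facing services, with the public addresses
# the firewall presents for them.
EXTERNAL_VIEW = {
    "www.example.com.": ("A", "203.0.113.20"),
    "mail.example.com.": ("A", "203.0.113.25"),
}


def select_view(client_ip):
    """Return 'internal' or 'external' depending on where the query comes from."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def resolve(qname, client_ip):
    """Answer qname for client_ip from the matching view.

    Returns the address string, or None (NXDOMAIN) when the chosen view has
    no such record. A record present only in the internal view is invisible
    to external clients: the two views are independent zones, not a
    fallback chain, so anything needed in both must be added to both.
    """
    view = INTERNAL_VIEW if select_view(client_ip) == "internal" else EXTERNAL_VIEW
    name = qname if qname.endswith(".") else qname + "."
    rec = view.get(name.lower())
    return rec[1] if rec else None


def records_missing_externally():
    """Names the internal view knows that the external view does not publish."""
    return sorted(set(INTERNAL_VIEW) - set(EXTERNAL_VIEW))


if __name__ == "__main__":
    for client in ("192.168.10.50", "198.51.100.7"):
        print(client, select_view(client), resolve("www.example.com", client),
              resolve("dc1.example.com", client))
    print("internal-only names:", records_missing_externally())
```

The same name returns a different address depending on who asks, while the domain controller simply does not exist as far as the Internet is concerned. In a real deployment this is what BIND views or a separate externally hosted copy of the zone implement; the point here is that the client address, not the name, chooses the zone.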


Assisted Solution

by: Chris Dent
Chris Dent earned 83 total points
ID: 34221570

Split Brain means having two entirely separate DNS Authorities (denoted by the NS record) for the same namespace (zone / domain). It does not differentiate between public and private servers, but it is perhaps the common occurrence there. That is, it can happen when someone builds an AD Domain with the same name as a public domain.

The immediate downside to split-brain is that if you need a record to resolve in both versions of the domain then it must be manually added to both versions of the zone.

If we look at the AD vs public zone instance it is very hard to mix the two zones in a way that'll leave you with a correctly configured DNS system.

For instance, AD likes:

 - Dynamic Updates
 - AD Integrated zones (you lose control of the SOA record here)
 - Lots of Service Records (not harmful, but messy for a public zone, I could build a picture of your internal domain using them)
 - IP addressing relative to the network it uses (i.e. Private IP addresses for records)
 - Ownership of the "" Host (A) record (required if AD is to work, meaning you cannot have

And public DNS zones need:

 - A correct SOA record
 - Correct NS Records (only referring to public IP addresses)

Personally I try to avoid Split-Brain except for specific record overrides; where I need something to resolve to an internal IP within my network, for instance (also possible using DNS Doctoring on Firewalls). It's still common though, in some cases it's because people don't realise the impact, thinking only that "" is a pretty name for AD.


Accepted Solution

InterframeGap earned 84 total points
ID: 34223539
Hi -
Besides the good answers above, some of the reasons for having split DNS are (at least from my point of view):
- Hide your internal DNS structure from the external world (i.e., domain controllers, internal clients) and only present devices which are internet facing (routable IP addresses, NO RFC 1918 addresses).

- Provide different security schemes internally vs externally (i.e., allow DDNS from clients internally but not externally; I would not allow internal clients to update the SOA directly, but allow DDNS only from trusted devices, domain controllers for example. All other clients update their DNS entries via the DHCP servers).

- Allow for record duplication, or allow for records to be shown externally which may not work if you present your internal zone externally (i.e., you are using RFC 1918 for your internal addressing, or has all your registered domain controllers. However, your marketing team would like to have resolve to your external-facing website as well as

- Split DNS does have some drawbacks, which are mentioned above. Split DNS does add complexity to your DNS architecture. Split DNS can also cause some resolution problems if not done correctly.

However, DNS & BIND by Cricket Liu is a very good book, besides the BOG (BIND Operations Guide), and split DNS is an architecture which is heavily accepted in the DNS world.

There is more information and you may ping me directly if needed.

I have done many split DNS implementations in my lifetime and have rarely run into problems. The gain from security through obscurity outweighs the administration burden.
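The leakage both InterframeGap and Chris Dent warn about (RFC 1918 addresses in a public zone, NS records that refer to private addresses, and the Active Directory service records that map out domain controllers) can be checked mechanically before a zone is published. The audit below is an added example, not code from either answer; the zone text it parses is constructed for the demonstration, uses example.com and the 203.0.113.0/24 documentation range as placeholder public data, and omits TTL and class columns for brevity.

```python
"""Audit a zone that is about to be published externally for the kinds of
leakage a split-DNS design exists to prevent:

  * A/AAAA records carrying RFC 1918, loopback or link-local addresses
  * NS records whose glue address is not public
  * Active Directory service records (_ldap._tcp, _kerberos, _msdcs, ...)
    that reveal domain controllers and site structure

The zone-file text below is constructed for this example. Records are in
the shape "owner TYPE rdata" with $ORIGIN and ';' comments; TTL and class
columns are omitted.
"""
import ipaddress

# Labels that only appear in an Active Directory zone.
AD_LABELS = {"_ldap", "_kerberos", "_kpasswd", "_gc", "_msdcs"}

# Address ranges that must never appear in an Internet-facing zone.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

SAMPLE_ZONE = """\
$ORIGIN example.com.
@                     NS    ns1.example.com.
@                     NS    ns2.example.com.
ns1                   A     203.0.113.53
ns2                   A     192.168.10.5        ; internal resolver address
www                   A     203.0.113.20
mail                  A     203.0.113.25
dc1                   A     192.168.10.5        ; domain controller
_ldap._tcp.dc._msdcs  SRV   0 100 389 dc1.example.com.
_kerberos._tcp        SRV   0 100 88 dc1.example.com.
"""


def parse_zone(text):
    """Return (owner, rtype, rdata_fields) tuples with fully qualified owners."""
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        owner, rtype, rdata = fields[0], fields[1].upper(), fields[2:]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin
        records.append((owner.lower(), rtype, rdata))
    return records


def is_non_public_address(text):
    """True for RFC 1918, loopback, link-local and their IPv6 equivalents."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in NON_PUBLIC_NETS)


def audit_public_zone(records):
    """Return (owner, reason) findings for records that should not be public."""
    findings = []
    glue = {}  # owner -> addresses, used to check what NS records point at
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and rdata:
            glue.setdefault(owner, []).append(rdata[0])
            if is_non_public_address(rdata[0]):
                findings.append((owner, f"{rtype} record with non-public address {rdata[0]}"))
        if set(owner.split(".")) & AD_LABELS:
            findings.append((owner, "Active Directory service record exposes internal structure"))
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata:
            target = rdata[0].lower()
            for addr in glue.get(target, []):
                if is_non_public_address(addr):
                    findings.append((owner, f"NS {target} has non-public address {addr}"))
    return findings


if __name__ == "__main__":
    for owner, reason in audit_public_zone(parse_zone(SAMPLE_ZONE)):
        print(f"{owner:40} {reason}")
```

Run against the sample, the audit flags the second name server and the domain controller for their 192.168.10.5 addresses, the delegation to ns2 for the same reason, and both SRV records; www and mail pass. Running this against an export of the external zone is a cheap way to confirm the two views have not been accidentally merged, which is exactly the failure Chris Dent describes when an AD domain shares its name with the public one.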


Author Closing Comment

ID: 34254862
Thanks guys, that's great, I understand completely now. Appreciate the detailed responses.
