Solved

Understanding the purpose of a split-brain DNS

Posted on 2010-11-26
5
2,076 Views
Last Modified: 2012-05-10
I have come across the concept of a split-brain DNS, and I cannot seem to understand its purpose or in which situation one would set one up.

As I understand it, split DNS is when you have a DNS server exposed in your DMZ and another in your internal network. In my production environment, we have only internal (private) DNS servers, which resolve the hosts in the DMZ and the private network. This works well, and if a client needs to resolve a name over the Internet, the root hints go out via the known public DNS servers for resolution.

If someone can please explain this concept to me and why anyone would configure such a setup, I would greatly appreciate it. I have read many articles on the web, but the practicality of such a setup still eludes me.
0
Comment
Question by:Network_Padawan
5 Comments
 

Author Comment

by:Network_Padawan
ID: 34220240
Also wanted to add that, for clients to resolve our hosting services, the hosts are registered via Netregistry, so why would anyone want an external DNS?
0
 
LVL 5

Assisted Solution

by:Blake_1
Blake_1 earned 83 total points
ID: 34220884
Perhaps the most common implementation of split DNS is when you have a server inside the network or DMZ which provides a service both internally and to clients located on the Internet.

For instance, you have a server called 'website.company.com' which people access both internally and externally using the URL http://website.company.com.  On the internal network it has an IP address of 192.168.10.1, which is fine for people inside the company's firewall but cannot be accessed by Internet clients.  For this reason it has an Internet-facing IP (possibly NAT'ed from a firewall) of 203.10.10.10.

In the above scenario, website.company.com needs to be able to resolve to both 192.168.10.1 and 203.10.10.10.  It also needs to do this based on where the requests are coming from.  The simplest means of doing this is to create a zone for 'company.com' on your corporate DNS server for the 192.x address, and publish the record for the 203.x address using an Internet DNS service.

If 'website.company.com' were hosted by a third party, and is therefore external to your company's network, then there is no need for the split DNS zone to be configured.

Questions?
0
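The scenario in the answer above, modelled as an added example (this is not code from the thread or from any DNS product): two copies of the company.com zone, with the copy chosen by the client's source address, the way a split-horizon server such as BIND with views and match-clients would do it. The hostnames and addresses are the ones Blake_1 used; the client networks, the extra internal-only host and the function names are assumptions for the example.

```python
import ipaddress

# Constructed example modelling the scenario above: two copies of the
# company.com zone, selected by the client's source address the way a
# split-horizon server (e.g. BIND "views" with match-clients) would do it.
# Hostnames and addresses follow the answer; everything else is assumed.
INTERNAL_CLIENTS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]

VIEWS = {
    "internal": {
        "website.company.com.": ["192.168.10.1"],
        "intranet.company.com.": ["192.168.10.2"],  # exists only internally
    },
    "external": {
        "website.company.com.": ["203.10.10.10"],
    },
}


def select_view(client_ip: str) -> str:
    """Pick the zone copy to answer from, based on where the query came from."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_CLIENTS):
        return "internal"
    return "external"


def resolve_a(name: str, client_ip: str):
    """A records the client would receive, or None (NXDOMAIN in that view)."""
    fqdn = name.lower() if name.endswith(".") else name.lower() + "."
    return VIEWS[select_view(client_ip)].get(fqdn)


def records_missing_from_view(view: str):
    """Names that exist only in the other copy: the manual double-maintenance
    cost of split-brain, since nothing syncs the two zones automatically."""
    other = "external" if view == "internal" else "internal"
    return sorted(set(VIEWS[other]) - set(VIEWS[view]))


if __name__ == "__main__":
    # 198.51.100.7 is a documentation-range address standing in for an Internet client.
    for client in ("192.168.10.50", "198.51.100.7"):
        print(client, "->", resolve_a("website.company.com", client))
    print("only in internal view:", records_missing_from_view("external"))
```

The same name answers differently depending on the view, and a host that was only ever added to the internal copy simply does not exist for Internet clients; records_missing_from_view shows the drift that a real deployment has to manage by hand.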
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 83 total points
ID: 34221570

Split Brain means having two entirely separate DNS authorities (denoted by the NS record) for the same namespace (zone / domain). It does not differentiate between public and private servers, but that is perhaps the most common occurrence of it. That is, it can happen when someone builds an AD domain with the same name as a public domain.

The immediate downside to split-brain is that if you need a record to resolve in both versions of the domain then it must be manually added to both versions of the zone.

If we look at the AD vs public zone instance it is very hard to mix the two zones in a way that'll leave you with a correctly configured DNS system.

For instance, AD likes:

 - Dynamic Updates
 - AD Integrated zones (you lose control of the SOA record here)
 - Lots of Service Records (not harmful, but messy for a public zone, I could build a picture of your internal domain using them)
 - IP addressing relative to the network it uses (i.e. Private IP addresses for records)
 - Ownership of the "domain.com" Host (A) record (required if AD is to work, meaning you cannot have http://domain.com)

And public DNS zones need:

 - A correct SOA record
 - Correct NS Records (only referring to public IP addresses)

Personally I try to avoid Split-Brain except for specific record overrides; where I need something to resolve to an internal IP within my network, for instance (also possible using DNS Doctoring on firewalls). It's still common though; in some cases it's because people don't realise the impact, thinking only that "domain.com" is a pretty name for AD.

Chris
0
 
LVL 3

Accepted Solution

by:InterframeGap
InterframeGap earned 84 total points
ID: 34223539
Hi -
Besides the good answers above, some of the reasons for having split DNS are (at least from my point of view):
- Hide your internal DNS structure from the external world (i.e., domain controllers, internal clients) and only present devices which are Internet facing (routeable IP addresses, NO RFC 1918 addresses).

- Provide different security schemes internally vs externally (i.e., allow DDNS from clients internally but not externally; I would not allow internal clients to update the SOA directly, but allow DDNS only from trusted devices, domain controllers for example. All other clients update their DNS entries via the DHCP servers).

- Allow for record duplication, or allow for records to be shown externally which may not work if you present your internal zone externally (i.e., you are using RFC 1918 for your internal addressing, or domain.com has all your registered domain controllers. However, your marketing team would like to have domain.com resolve to your external facing website as well as www.domain.com).

- Split DNS does have some drawbacks which are mentioned above.  Split DNS does add complexity to your DNS architecture.  Split DNS can also cause some resolution problems if not done correctly.

However, DNS & BIND by Cricket Liu is a very good book, besides the BOG (BIND Operations Guide), and split DNS is an architecture which is heavily accepted in the DNS world.

There is more information and you may ping me directly if needed.

I have done many split DNS implementations in my lifetime and have rarely run into problems.  The gain from security through obscurity outweighs the administration burden.

Douglas
0
 

Author Closing Comment

by:Network_Padawan
ID: 34254862
Thanks guys, that's great, I understand completely now. Appreciate the detailed responses.
0
