Understanding the purpose of a split-brain DNS

Posted on 2010-11-26
Last Modified: 2012-05-10
I have come across the concept of a split-brain DNS, and I cannot seem to understand its purpose or in which situation one would set one up.

As I understand it, split DNS is when you have a DNS server exposed in your DMZ and another in your internal network. In my production environment, we have only internal (private) DNS servers, which resolve the hosts in the DMZ and the private network. This works well, and if a client needs to resolve a name over the Internet, the root hints go out via the known public DNS servers for resolution.

If someone can please explain this concept to me and why anyone would configure such a setup I would greatly appreciate it. I have read many articles on the web but still the practicality of such a setup eludes me.
Question by:Network_Padawan

Author Comment

by:Network_Padawan
ID: 34220240
Also wanted to add that, for clients to resolve our hosting services, the hosts are registered via Netregistry, so why would anyone want an external DNS?

Assisted Solution

by:Blake_1
Blake_1 earned 83 total points
ID: 34220884
Perhaps the most common implementation of split DNS is when you have a server inside the network or DMZ which provides a service both internally and to clients located on the Internet.

For instance, you have a server called 'website.company.com' which people access both internally and externally using the URL http://website.company.com.  On the internal network it has an IP address of 192.168.10.1, which is fine for people inside the company's firewall but cannot be accessed by Internet clients.  For this reason it has an Internet-facing IP (possibly NAT'ed from a firewall) of 203.10.10.10.

In the above scenario, website.company.com needs to be able to resolve to both 192.168.10.1 and 203.10.10.10.  It also needs to do this based on where the requests are coming from.  The simplest means of doing this is to create a zone for 'company.com' on your corporate DNS server for the 192.x address, and publish the record for the 203.x address using an Internet DNS service.

If 'website.company.com' was hosted by a third party and is therefore external to your company's network then there is no need for the split DNS zone to be configured.

Questions?

Assisted Solution

by:Chris Dent
Chris Dent earned 83 total points
ID: 34221570

Split Brain means having two entirely separate DNS Authorities (denoted by the NS record) for the same namespace (zone / domain). It does not differentiate between public and private servers, but it is perhaps the common occurrence there. That is, it can happen when someone builds an AD Domain with the same name as a public domain.

The immediate downside to split-brain is that if you need a record to resolve in both versions of the domain then it must be manually added to both versions of the zone.

If we look at the AD vs public zone instance it is very hard to mix the two zones in a way that'll leave you with a correctly configured DNS system.

For instance, AD likes:

 - Dynamic Updates
 - AD Integrated zones (you lose control of the SOA record here)
 - Lots of Service Records (not harmful, but messy for a public zone, I could build a picture of your internal domain using them)
 - IP addressing relative to the network it uses (i.e. Private IP addresses for records)
 - Ownership of the "domain.com" Host (A) record (required if AD is to work, meaning you cannot have http://domain.com)

And public DNS zones need:

 - A correct SOA record
 - Correct NS Records (only referring to public IP addresses)

Personally I try to avoid Split-Brain except for specific record overrides; where I need something to resolve to an internal IP within my network, for instance (also possible using DNS Doctoring on Firewalls). It's still common though, in some cases it's because people don't realise the impact, thinking only that "domain.com" is a pretty name for AD.

Chris

Accepted Solution

by:InterframeGap
InterframeGap earned 84 total points
ID: 34223539
Hi -
Besides the good answers above, some of the reasons for having split DNS are (at least from my point of view):
- Hide your internal DNS structure from the external world (i.e., domain controllers, internal clients) and only present devices which are Internet facing (routable IP addresses, no RFC 1918 addresses).

- Provide different security schemes internally vs. externally (i.e., allow DDNS from clients internally but not externally. I would not allow internal clients to update the SOA directly, but would allow DDNS only from trusted devices, domain controllers for example.  All other clients update their DNS entries via the DHCP servers).

- Allow for record duplication, or allow for records to be shown externally which may not work if you present your internal zone externally (i.e., you are using RFC 1918 for your internal addressing, or domain.com has all your registered domain controllers. However, your marketing team would like to have domain.com resolve to your external facing website as well as www.domain.com).

- Split DNS does have some drawbacks, which are mentioned above.  Split DNS does add complexity to your DNS architecture.  Split DNS can also cause some resolution problems if not done correctly.

However, DNS & BIND by Cricket Liu is a very good book, besides the BOG (BIND Operations Guide), and split DNS is an architecture which is heavily accepted in the DNS world.

There is more information, and you may ping me directly if needed.

I have done many split DNS implementations in my lifetime and have rarely run into problems.  The gain from security through obscurity outweighs the administration burden.

Douglas
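As an added example (not code from any of the posts above), the following Python models the two-view setup Blake_1 describes, picking the answer by client source address the way a split-horizon server would, and adds an audit of the Internet-facing view for the leaks Chris Dent and InterframeGap warn about: RFC 1918 addresses, AD service records, and NS records pointing at private addresses. The zone data and internal ranges are constructed for the example.

```python
# Split-horizon DNS modelled as two views of one namespace.  Constructed
# example, not code from the thread: zone data reuses Blake_1's addresses
# (192.168.10.1 internal, 203.10.10.10 public); the audit encodes the public
# zone hygiene points raised by Chris Dent and InterframeGap.
import ipaddress

# Client source address picks the view, as BIND's match-clients would.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]

# One domain, two separate authorities: (owner, rrtype) -> rdata list.
VIEWS = {
    "internal": {
        ("company.com", "NS"): ["dc1.company.com"],
        ("dc1.company.com", "A"): ["192.168.10.5"],
        ("website.company.com", "A"): ["192.168.10.1"],
        ("_ldap._tcp.dc._msdcs.company.com", "SRV"): ["0 100 389 dc1.company.com"],
    },
    "external": {
        ("company.com", "NS"): ["ns1.dns-provider.example"],
        ("company.com", "A"): ["203.10.10.10"],
        ("website.company.com", "A"): ["203.10.10.10"],
    },
}

def view_for(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"

def resolve(owner, rrtype, client_ip):
    """Answer from the view the client falls into; [] means no data."""
    return VIEWS[view_for(client_ip)].get((owner, rrtype), [])

def audit_external_view(zone):
    """Findings for a zone that is about to be published to the Internet."""
    findings = []
    for (owner, rrtype), rdatas in zone.items():
        if rrtype == "A" and any(ipaddress.ip_address(r).is_private for r in rdatas):
            findings.append(f"{owner}: RFC 1918 address published")
        if rrtype == "SRV" and "_msdcs" in owner:
            findings.append(f"{owner}: AD service record exposes internal structure")
        if rrtype == "NS":
            for ns in rdatas:
                if any(ipaddress.ip_address(a).is_private for a in zone.get((ns, "A"), [])):
                    findings.append(f"{owner}: NS {ns} points at a private address")
    return findings
```

Running the audit against the internal view shows why that zone must never simply be published as-is, while the external view passes clean.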
Author Closing Comment

by:Network_Padawan
ID: 34254862
Thanks guys, that's great, I understand completely now. Appreciate the detailed responses.