• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2289
  • Last Modified:

Understanding the purpose of a split-brain DNS

I have come across the concept of a split-brain DNS, and I can not seem to understand its purpose or in which situation one would set one up.

As I understand it, split DNS is when you have a DNS server exposed in your DMZ and another in your internal network. In my production environment, we have only internal (Private) DNS servers which resolve the hosts in the DMZ and private network which works well and if a client needs to resolve a name over the internet, the root hints go out via the known public dns servers for resolution.

If someone can please explain this concept to me and why anyone would configure such a setup I would greatly appreciate it. I have read many articles on the web but still the practicality of such a setup eludes me.
0
Network_Padawan
Asked:
Network_Padawan
3 Solutions
 
Network_PadawanAuthor Commented:
Also wanted to add, that for clients to resolve our hosting services, the hosts are registered via netregistry, so why would anyone want an external DNS?
0
 
Blake_1Commented:
Perhaps the most common implementation of split DNS is when you have a server inside the network or DMZ which provides a service both internally and to clients located on the Internet.

For instance, you have a server called 'website.company.com' which people access both internally and externally using the URL http://website.company.com.  On the internal network it has an IP address of 192.168.10.1, which is fine for people inside the company's firewall but cannot be accessed by Internet clients.  For this reason it has an Internet-facing IP (possibly NAT'ed from a firewall) of 203.10.10.10.

In the above scenario, website.company.com needs to be able to resolve to both 192.168.10.1 and 203.10.10.10.  It also need to do this based on where the requests are coming from.  The simplest means of doing this is to create a zone for 'company.com' on your corporate DNS server for the 192.x address, and publish the record for the 203.x address using an Internet DNS service.

If 'website.company.com' was hosted by a third party and is therefore external to your company's network then there is no need for the split DNS zone to be configured.

Questions?
0
 
Chris DentPowerShell DeveloperCommented:

Split Brain means having two entirely separate DNS Authorities (denoted by the NS record) for the same namespace (zone / domain). It does not differentiate between public and private servers, but it is perhaps the common occurrence there. That is, it can happen when someone builds an AD Domain with the same name as a public domain.

The immediate downside to split-brain is that if you need a record to resolve in both versions of the domain then it must be manually added to both versions of the zone.

If we look at the AD vs public zone instance it is very hard to mix the two zones in a way that'll leave you with a correctly configured DNS system.

For instance, AD likes:

 - Dynamic Updates
 - AD Integrated zones (you lose control of the SOA record here)
 - Lots of Service Records (not harmful, but messy for a public zone, I could build a picture of your internal domain using them)
 - IP addressing relative to the network it uses (i.e. Private IP addresses for records)
 - Ownership of the "domain.com" Host (A) record (required if AD is to work, meaning you cannot have http://domain.com)

And public DNS zones need:

 - A correct SOA record
 - Correct NS Records (only referring to public IP addresses)

Personally I try to avoid Split-Brain except for specific record overrides; where I need something to resolve to an internal IP within my network, for instance (also possible using DNS Doctoring on Firewalls). It's still common though, in some cases it's because people don't realise the impact, thinking only that "domain.com" is a pretty name for AD.

Chris
0
 
InterframeGapCommented:
Hi -
Besides the good answers above some of the reasons for having split dns are (at least from my point of view)
- Hide your internal dns structure from the external world (ie., Domain Controllers, internal clients) and only present devices which are internet facing only (routeable ip addresses NO rfc 1918 addresses).

- Provide different security schemes internally vs externally (ie., allow DDNS from clients internally but not externally - which I would not allow internal clients to update the SOA directly - but allow ddns from only trusted devices - domain controllers for example.  All other clients update their dns entries via the dhcp servers).

- Allow for record duplication or allow for records to be shown externally which may not work if you present your internal zone externally (ie., You are using RFC 1918 for your internal addressing, or domain.com has all your registered domain controllers. However, your marketing team would like to have domain.com resolve to your external facing website as well as www.domain.com.

- Split dns does have some drawbacks which are mentioned above.  Split dns does add complexity to your dns architecture.  Split dns can also cause some resolution problems if not done correctly.  

However, DNS &  Bind by Cricket Liu is a very good book besides the BOG (Bind operations Guide) and Split dns is an architecture which is heavily accepted in the DNS world.

There is more information and you may ping me directly if needed.

I have done many split dns implementations in my life time and have rarely run into problems.  The gain from security through obscurity out weights the administration burden.

Douglas
0
 
Network_PadawanAuthor Commented:
Thanks guys, thats great I understand completely now. Appreciate the detailed responses.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now