
Understanding the purpose of a split-brain DNS

Posted on 2010-11-26
Medium Priority
Last Modified: 2012-05-10
I have come across the concept of a split-brain DNS, and I cannot seem to understand its purpose or in which situation one would set one up.

As I understand it, split DNS is when you have a DNS server exposed in your DMZ and another in your internal network. In my production environment, we have only internal (private) DNS servers which resolve the hosts in the DMZ and private network, which works well, and if a client needs to resolve a name over the Internet, the root hints go out via the known public DNS servers for resolution.

If someone can please explain this concept to me and why anyone would configure such a setup I would greatly appreciate it. I have read many articles on the web but still the practicality of such a setup eludes me.
Question by: Network_Padawan
Author Comment

ID: 34220240
Also wanted to add, that for clients to resolve our hosting services, the hosts are registered via netregistry, so why would anyone want an external DNS?

Assisted Solution

Blake_1 earned 332 total points
ID: 34220884
Perhaps the most common implementation of split DNS is when you have a server inside the network or DMZ which provides a service both internally and to clients located on the Internet.

For instance, you have a server called 'website.company.com' which people access both internally and externally using the URL http://website.company.com.  On the internal network it has an IP address of, which is fine for people inside the company's firewall but cannot be accessed by Internet clients.  For this reason it has an Internet-facing IP (possibly NAT'ed from a firewall) of

In the above scenario, website.company.com needs to be able to resolve to both and  It also needs to do this based on where the requests are coming from.  The simplest means of doing this is to create a zone for 'company.com' on your corporate DNS server for the 192.x address, and publish the record for the 203.x address using an Internet DNS service.

If 'website.company.com' was hosted by a third party and is therefore external to your company's network then there is no need for the split DNS zone to be configured.

Assisted Solution

by: Chris Dent
Chris Dent earned 332 total points
ID: 34221570

Split Brain means having two entirely separate DNS Authorities (denoted by the NS record) for the same namespace (zone / domain). It does not differentiate between public and private servers, but it is perhaps the common occurrence there. That is, it can happen when someone builds an AD Domain with the same name as a public domain.

The immediate downside to split-brain is that if you need a record to resolve in both versions of the domain then it must be manually added to both versions of the zone.

If we look at the AD vs public zone instance it is very hard to mix the two zones in a way that'll leave you with a correctly configured DNS system.

For instance, AD likes:

 - Dynamic Updates
 - AD Integrated zones (you lose control of the SOA record here)
 - Lots of Service Records (not harmful, but messy for a public zone, I could build a picture of your internal domain using them)
 - IP addressing relative to the network it uses (i.e. Private IP addresses for records)
 - Ownership of the "domain.com" Host (A) record (required if AD is to work, meaning you cannot have http://domain.com)

And public DNS zones need:

 - A correct SOA record
 - Correct NS Records (only referring to public IP addresses)

Personally I try to avoid Split-Brain except for specific record overrides, where I need something to resolve to an internal IP within my network, for instance (also possible using DNS Doctoring on Firewalls). It's still common though; in some cases it's because people don't realise the impact, thinking only that "domain.com" is a pretty name for AD.


Accepted Solution

InterframeGap earned 336 total points
ID: 34223539
Hi -
Besides the good answers above, some of the reasons for having split DNS are (at least from my point of view):
- Hide your internal DNS structure from the external world (i.e., Domain Controllers, internal clients) and only present devices which are Internet facing (routable IP addresses, NO RFC 1918 addresses).

- Provide different security schemes internally vs externally (i.e., allow DDNS from clients internally but not externally - which I would not allow internal clients to update the SOA directly - but allow DDNS from only trusted devices - domain controllers for example.  All other clients update their DNS entries via the DHCP servers).

- Allow for record duplication or allow for records to be shown externally which may not work if you present your internal zone externally (i.e., you are using RFC 1918 for your internal addressing, or domain.com has all your registered domain controllers. However, your marketing team would like to have domain.com resolve to your external facing website as well as www.domain.com).

- Split DNS does have some drawbacks which are mentioned above.  Split DNS does add complexity to your DNS architecture.  Split DNS can also cause some resolution problems if not done correctly.

However, DNS & BIND by Cricket Liu is a very good book besides the BOG (BIND Operations Guide), and split DNS is an architecture which is heavily accepted in the DNS world.

There is more information and you may ping me directly if needed.

I have done many split DNS implementations in my lifetime and have rarely run into problems.  The gain from security through obscurity outweighs the administration burden.
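An added example (not code from the thread or any of the posters) that puts Blake_1's scenario and the points raised by Chris Dent and InterframeGap into runnable form: the same name answers differently depending on the client's source address, and a pre-publication audit of the external copy flags RFC 1918 addresses, AD service records, and names that were only added to one of the two zones. The zone contents and addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data: two authoritative copies of 'company.com', one
# served to internal clients and one to the Internet. Internal records use
# RFC 1918 space; the TEST-NET-3 range 203.0.113.0/24 stands in for public IPs.
INTERNAL_ZONE = {
    "website.company.com": ("A", "10.0.5.20"),
    "mail.company.com": ("A", "10.0.5.25"),
    "dc1.company.com": ("A", "10.0.1.10"),
    "_ldap._tcp.dc._msdcs.company.com": ("SRV", "dc1.company.com"),
}
EXTERNAL_ZONE = {
    "website.company.com": ("A", "203.0.113.20"),
    "mail.company.com": ("A", "203.0.113.25"),
}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def select_view(client_ip):
    """Mimic BIND's match-clients: RFC 1918 sources get the internal zone, all others the external one."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in n for n in PRIVATE_NETS) else "external"


def resolve(name, client_ip):
    """Answer one query differently depending on where it came from; None means NXDOMAIN."""
    zone = INTERNAL_ZONE if select_view(client_ip) == "internal" else EXTERNAL_ZONE
    rec = zone.get(name.rstrip(".").lower())
    return rec[1] if rec else None


def audit(internal, external, public_names):
    """Checks to run before publishing the external copy:
    - no RFC 1918 address leaks into the public zone,
    - no AD service records (_msdcs, _ldap, _kerberos ...) are published,
    - every name that must work from both sides exists in both copies
      (the manual-duplication burden noted in the answers above)."""
    findings = []
    for name, (rtype, data) in external.items():
        if rtype == "A" and any(ipaddress.ip_address(data) in n for n in PRIVATE_NETS):
            findings.append(f"private address published: {name} -> {data}")
        if rtype == "SRV" or name.startswith("_"):
            findings.append(f"service record published: {name}")
    for name in public_names:
        missing = [side for side, z in (("internal", internal), ("external", external)) if name not in z]
        if missing:
            findings.append(f"{name} missing from {', '.join(missing)} zone")
    return findings
```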


Author Closing Comment

ID: 34254862
Thanks guys, that's great, I understand completely now. Appreciate the detailed responses.
