29.11.2024

Configuring Split-Brain DNS in Windows Server

In a corporate network there are information systems (IS) whose job is to store, process and transmit data for the company's business processes. Often they serve both internal and external users, and the two groups can be separated either at the application level, with rights and roles, or at the network level.

The second option reduces the exposure of internal users to attacks from outside and is the more natural solution: the IS servers in the DMZ and those in the internal segment are separated, while the resource keeps a single DNS name. Let's look at the situation in more detail!

What is DNS Split?

DNS Split (split-brain DNS) adds a logical layer of abstraction on top of the DNS server in the form of policies and zone scopes bound to them. Instead of simply storing records for a domain name and handing the same answer to every resolver, the server chooses the answer according to where the query came from.

Screenshot №1 — Schema

It works out which scope of the zone the client belongs to, based on the address the query arrived from or on, and returns the record stored in that scope. For the rest of this article, the zone is the domain name, and its child objects, the scopes, hold the internal and external versions of the records. Let's look at an example with Windows DNS.

How do I configure DNS Split on a server?

Note that the DNS server must have an interface in each network segment from which it is expected to receive queries. Suppose we have a resource called dodo.so that must resolve to different addresses from the WAN and LAN segments.

Microsoft offers two ways to separate the queries: explicitly define the client subnets and bind them to zone scopes with policies, or bind the DNS server's interfaces to the scopes with the same kind of policies. We will implement the second way.

If you don't have a DNS zone yet, open Server Manager from the Windows search. Select DNS in the left menu, right-click the server and choose DNS Manager. In DNS Manager, right-click the server again and select New Zone, then specify the new domain for the Windows DNS server.

Now open a terminal: press Win+X and select Windows PowerShell (Admin):

Screenshot №2 — Windows manager

The zone exists; now we need scopes, which we create with:

Add-DnsServerZoneScope -ZoneName "dodo.so" -Name "int"

Add-DnsServerZoneScope -ZoneName "dodo.so" -Name "ext"

Screenshot №3 — New Scope

There is also the zone's default scope, which serves any query that matches no policy. Let's create A records for www in the two scopes:

Add-DnsServerResourceRecord -ZoneName "dodo.so" -A -Name "www" -IPv4Address "10.0.0.2" -ZoneScope "int"
Add-DnsServerResourceRecord -ZoneName "dodo.so" -A -Name "www" -IPv4Address "192.168.1.2" -ZoneScope "ext"

Screenshot №4 — New resource record

Now that each scope has its record, bind the scopes to the server interfaces with query resolution policies (the policy for a query arriving on 10.0.0.3 selects the int scope, the one for 192.168.1.3 selects ext):

Add-DnsServerQueryResolutionPolicy -Name "Policy-Int" -Action ALLOW -ServerInterface "eq,10.0.0.3" -ZoneScope "int,1" -ZoneName dodo.so

Add-DnsServerQueryResolutionPolicy -Name "Policy-Ext" -Action ALLOW -ServerInterface "eq,192.168.1.3" -ZoneScope "ext,1" -ZoneName dodo.so

After the interfaces are bound, check the answers with nslookup. The first argument is the name to resolve and the second is the address of the DNS server interface to query; the first query should answer 10.0.0.2 and the second 192.168.1.2:

nslookup www.dodo.so 10.0.0.3
nslookup www.dodo.so 192.168.1.3
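The whole procedure above (zone, scopes, records, policies, check) as one script, written for this article as an added example rather than taken from it or from Microsoft's documentation. It also implements the first method the article mentions but does not show, client-subnet policies, behind a switch. Assumed values follow the article: zone dodo.so, www is 10.0.0.2 in the int scope and 192.168.1.2 in the ext scope, and the server listens on 10.0.0.3 (LAN) and 192.168.1.3 (DMZ); the subnets 10.0.0.0/24 and 192.168.1.0/24, the policy names and the file-backed zone are assumptions of the example. It is meant to be run once, in an elevated PowerShell, on a Windows Server 2016 or later DNS server with the DnsServer module.

```powershell
#Requires -Modules DnsServer
#Requires -RunAsAdministrator
# Added example: split-brain DNS for dodo.so with zone scopes and DNS policies.
# Values below are assumptions of the example, not taken from a real network.
param(
    # Use client-subnet policies (the article's first method) instead of
    # server-interface policies (its second method).
    [switch]$ByClientSubnet
)

$Zone  = "dodo.so"
$Views = @(
    @{ Scope = "int"; Ip = "10.0.0.2";    Iface = "10.0.0.3";    Subnet = "10.0.0.0/24"    },
    @{ Scope = "ext"; Ip = "192.168.1.2"; Iface = "192.168.1.3"; Subnet = "192.168.1.0/24" }
)

# 1. Zone: a file-backed primary zone keeps the example independent of AD.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
}

foreach ($v in $Views) {
    # 2. One zone scope per view. The default scope deliberately gets no
    #    www record, so a query that matches no policy gets NXDOMAIN rather
    #    than the internal address.
    Add-DnsServerZoneScope -ZoneName $Zone -Name $v.Scope

    # 3. Same name, different answer in each scope.
    Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope $v.Scope `
        -A -Name "www" -IPv4Address $v.Ip

    # 4. Policy that routes queries to the scope. "scope,1" is scope name
    #    plus weight; ALLOW is required for the answer to be served.
    if ($ByClientSubnet) {
        # Keyed on the client's source address (method 1).
        Add-DnsServerClientSubnet -Name "Subnet-$($v.Scope)" -IPv4Subnet $v.Subnet
        Add-DnsServerQueryResolutionPolicy -Name "Policy-$($v.Scope)" -ZoneName $Zone `
            -Action ALLOW -ClientSubnet "eq,Subnet-$($v.Scope)" -ZoneScope "$($v.Scope),1"
    } else {
        # Keyed on the server interface the query arrived on (method 2).
        # -ServerInterfaceIP is the full parameter name; the article's
        # -ServerInterface works because PowerShell accepts an unambiguous prefix.
        Add-DnsServerQueryResolutionPolicy -Name "Policy-$($v.Scope)" -ZoneName $Zone `
            -Action ALLOW -ServerInterfaceIP "eq,$($v.Iface)" -ZoneScope "$($v.Scope),1"
    }
}

# 5. Show the policies in the order the server evaluates them.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone |
    Format-Table Name, ProcessingOrder, Action, IsEnabled -AutoSize

# 6. Verify: query each interface directly and fail loudly on a wrong view.
#    With -ByClientSubnet the check must be run from a client inside each
#    subnet, since the decision is then made on the query's source address.
foreach ($v in $Views) {
    $answer = (Resolve-DnsName -Name "www.$Zone" -Type A -Server $v.Iface -DnsOnly).IPAddress
    if ($answer -ne $v.Ip) {
        throw "View '$($v.Scope)' via $($v.Iface) answered '$answer', expected $($v.Ip)"
    }
    "www.$Zone via $($v.Iface) -> $answer (scope $($v.Scope))"
}
```

The interface-based policy ties the view to the network segment the query physically arrived from, which holds as long as the LAN and DMZ interfaces really sit on separate segments; the client-subnet policy instead trusts the source address the query carries. Leaving www out of the default scope is the check worth keeping in either variant: it means a query that reaches the server by any other path (another interface, loopback, a misconfigured forwarder) cannot fall back to the internal address.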

The result is a DNS server whose logical abstractions keep a single resource name while answering each network segment with its own address.

If you don't have sufficient resources, you can perform these steps on a powerful cloud server. Serverspace provides isolated VPS / VDS servers for general and virtualized use.

Screenshot №5 — Create Server