In the corporate segment there are information systems (IS) whose task is to store, process and transmit data for the company's business processes. Often their users can be divided into internal and external ones. The division itself can be done at the application level, where rights and roles are defined, or at the network level.
The second option prevents possible attacks on internal users and is a more organic solution: it separates the IS servers in the DMZ from the internal network segment while preserving a single DNS name. Let's look at the situation in more detail!
What is DNS Split?
DNS Split is a technology that adds a logical level of abstraction, in the form of policies and associated zone scopes, on top of the server. Instead of just storing records in the domain name system and handing them to resolvers, the server analyses the scope (area) from which the client is asking and returns the record that corresponds to the client's address.
To understand the algorithm we will assume that the zone is a domain name and that it has child objects called scopes (areas), which split the internal and external addresses. Consider the example of Windows DNS.
How do I configure DNS Split on a server?
Note that the DNS server must have interfaces configured on each network from which it will receive requests. Suppose we have a resource called dodo.so that we need to resolve to different addresses for the WAN and LAN segments.
Microsoft offers two ways to separate all queries: to explicitly specify the necessary client subnets and bind them with policies to the scope of zones, or to bind DNS-server interfaces to the scope with the same policies. Let's implement the second way.
If you don't have a DNS zone yet, open Server Manager through Windows search. Select DNS in the left menu, right-click on it and choose DNS Manager. Right-click the server again and select New Zone, where you specify the new domain for the Windows DNS server.
Now go to the terminal or press the Win+X shortcut where you will select PowerShell (administrator):
The zone is there; now we need a scope, so we run:
Add-DnsServerZoneScope -ZoneName "dodo.so" -Name "ext"
Also, by default, there is a default scope that can be used to handle the rest of the queries. Let's create A-type records for the two different scopes, starting with the external one:
Add-DnsServerResourceRecord -ZoneName "dodo.so" -A -Name "www" -IPv4Address "192.168.1.2" -ZoneScope "ext"
And now that we have all the scopes with their respective entries, we can bind them to the server interfaces with policies:
Add-DnsServerQueryResolutionPolicy -Name "Policy-Ext" -Action ALLOW -ServerInterfaceIP "EQ,192.168.1.3" -ZoneScope "ext,1" -ZoneName "dodo.so"
After all the necessary interfaces are bound, we can check the record by querying the name against the bound interface with the nslookup command:
nslookup www.dodo.so 192.168.1.3
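The whole procedure above as one script, an added example that is not from the original page: it creates the zone and the "ext" scope, adds the www record in both scopes, binds the WAN-facing interface to "ext" and verifies the answer seen on each interface. The zone, the external record (192.168.1.2) and the external interface (192.168.1.3) are the page's values; the internal record and internal interface addresses are assumed placeholders, and the script expects an elevated PowerShell on the DNS server.

```powershell
# Added example: complete Split-Brain setup for dodo.so on one Windows DNS server.
$Zone  = "dodo.so"
$ExtIP = "192.168.1.2"   # record handed to external clients (page value)
$ExtIf = "192.168.1.3"   # server interface facing the WAN segment (page value)
$IntIP = "10.0.0.2"      # ASSUMED: record handed to LAN clients
$IntIf = "10.0.0.3"      # ASSUMED: server interface facing the LAN segment

# 1. Create the zone if it does not exist yet (file-backed; use -ReplicationScope for AD-integrated).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
}

# 2. Extra scope for the external view; the built-in default scope stays for the LAN.
if (-not (Get-DnsServerZoneScope -ZoneName $Zone -Name "ext" -ErrorAction SilentlyContinue)) {
    Add-DnsServerZoneScope -ZoneName $Zone -Name "ext"
}

# 3. Same name, different answer per scope.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address $ExtIP -ZoneScope "ext"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address $IntIP   # default scope

# 4. Bind the WAN-facing interface to the "ext" scope. Queries arriving on any other
#    interface fall through to the default scope, so the LAN side needs no policy.
Add-DnsServerQueryResolutionPolicy -Name "Policy-Ext" -Action ALLOW `
    -ServerInterfaceIP "EQ,$ExtIf" -ZoneScope "ext,1" -ZoneName $Zone

# 5. Verify: what the server stores per scope, which policies apply to the zone,
#    and what a client actually receives on each interface.
Get-DnsServerResourceRecord -ZoneName $Zone -ZoneScope "ext" -RRType A -Name "www"
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A -Name "www"
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone

$ext = (Resolve-DnsName -Name "www.$Zone" -Server $ExtIf -Type A -DnsOnly).IPAddress
$int = (Resolve-DnsName -Name "www.$Zone" -Server $IntIf -Type A -DnsOnly).IPAddress
"WAN-facing interface $ExtIf answers: $ext (expected $ExtIP)"
"LAN-facing interface $IntIf answers: $int (expected $IntIP)"
if (($ext -ne $ExtIP) -or ($int -ne $IntIP)) {
    Write-Warning "Split view mismatch: check the interface addresses and the policy binding"
}
```

If the internal record leaks through the WAN-facing interface, the policy or the interface address is wrong, which is exactly the exposure Split-Brain DNS is meant to prevent.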
The result is a DNS server that has logical abstractions configured to keep a single resource name for different network segments.
If you don't have sufficient resources, then you can perform these actions on powerful cloud servers. Serverspace provides isolated VPS / VDS servers for general and virtualized usage.
Conclusion
Configuring Split-Brain DNS on Windows Server allows organizations to manage internal and external DNS resolution efficiently while maintaining a single domain name. This setup enhances security by separating internal corporate network traffic from external requests, reduces the risk of exposing sensitive internal resources, and ensures that clients always receive the correct IP addresses based on their network location. By using zone scopes and query resolution policies, administrators can create a flexible and scalable DNS architecture that supports complex corporate environments.
FAQ
- Q1: What is Split-Brain DNS and why is it used?
A1: Split-Brain DNS is a method of configuring DNS so that the same domain name resolves to different IP addresses depending on whether the request comes from an internal or external network. It is used to enhance security and manage traffic between corporate and external networks.
- Q2: Can Split-Brain DNS work with multiple internal subnets?
A2: Yes, you can define multiple zone scopes and bind them to different internal subnets using query resolution policies, allowing precise control over which clients receive which records.
- Q3: Do I need separate DNS servers for internal and external networks?
A3: Not necessarily. Split-Brain DNS allows a single DNS server to handle both internal and external requests by using zone scopes and policies, though separate servers can be used for added security.
- Q4: How can I verify that Split-Brain DNS is working correctly?
A4: You can use the nslookup command from different network segments to check that each client receives the correct IP address according to its location.
- Q5: Is Split-Brain DNS only for Windows Server?
A5: While this guide focuses on Windows Server, Split-Brain DNS can also be implemented on other DNS platforms, such as BIND on Linux, using similar zone and policy concepts.