Setting up Split Brain DNS

Charlie Melga 126 Reputation points
2022-05-04T07:33:16.263+00:00

Can someone please help me with the following.

I believe it may not be possible without using DNS Policies (I am using Windows 2019), and even then I see an issue, which I will explain below.

Basically I want to do the same thing the writer of the following post wanted to do:

https://social.msdn.microsoft.com/Forums/en-US/b1bfc0d6-aa31-43e2-80e7-c3a2cd4c63e2/setting-up-splitbrain-dns-the-other-way-around?forum=winserverNIS

The answer to the above post says it was not possible, but I am creating my post in case things have changed or there is a way. Let me explain.

I have 50 Windows 2019 AD domain controllers (also acting as DNS servers, i.e. AD-integrated DNS).

The company I work for has an external DNS zone (looked after by an external DNS provider), which we shall call MyDomain.com.

There is a requirement for three DNS host records to resolve to internal (10.x.x.x) addresses, for example host1.MyDomain.com, host2.MyDomain.com and host3.MyDomain.com. These host records will not be used externally (internal host names only).

Now I could add these to the external DNS servers, but this would be a bad idea, as it would expose internal hostnames and their internal IP addresses in a public DNS namespace.

If I create a new primary zone on my DNS servers internally with the same name, MyDomain.com, and then add the above three hosts, internal DNS resolution can resolve these three hosts, but that is all: any other host names that are present in that zone hosted externally are not resolved, as the DNS server just drops the request because it is the SOA (primary zone) and does not hold such a record.

Question 1)
What I wanted to achieve was for the DNS server (even though it considers itself the SOA for the zone) to forward the query to the internet DNS servers if it did not find the particular host record for the zone. However, judging from the answer to the above post, it looks like this is not possible. Can someone please advise?

Question 2)
The other option may be DNS policies, but from what I have read, DNS policies (Server 2016 and above) create a 'local flat file' on the DNS server itself as part of the overall solution. I believe (please correct me if wrong) this flat file does not get automatically replicated to the other DNS servers. That would mean setting up and maintaining the same DNS policies on 50 domain controllers, which is messy. In any event, would DNS policies solve the problem I am trying to address here?

Thank you

Accepted answer
Gary Reynolds 9,506 Reputation points
2022-05-05T15:11:53.55+00:00

Hi @Charlie Melga

I'm sorry to say things haven't changed.

Question 1: this is not possible.

Question 2: with DNS policies you can use AD-integrated zones rather than flat files to replicate a zone scope; however, you do need to enter the PowerShell policy command on each server, as not all the commands are replicated to the other DCs, and doing it remotely doesn't always work. Having said that, DNS policies are probably not going to solve your problem, unless you are planning to use your AD DNS server to host and resolve external DNS requests. Not something I would recommend.

The simplest option, but not pretty, is to create MyDomain.com on your DCs and replicate all the entries from the external zone; you can include the local host entries without the need to use DNS policies. Obviously you will need to keep the internal zone in sync with the external one. If the zone already exists internally then this might not be possible.

Gary.

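The "copy the external zone internally and add the internal-only hosts" approach from the accepted answer, as an added example that is not code from the thread or from Microsoft. It creates the AD-integrated zone once (so AD replication, not per-server work, delivers it to the other DCs), loads a constructed stand-in for the provider's zone export plus the three internal names, and then runs the sync check the answer says you will need: every public name must answer identically from a DC and from the provider, and no internal name may be published by the provider. Assumptions not in the original post: the DnsServer module is available on the DC it runs on, the provider's authoritative server is 203.0.113.53, and all record data are placeholders.

```powershell
# Added example (not from the thread). Assumed: run on a DC with the DnsServer
# module; 203.0.113.53 stands in for the external provider's nameserver.
Import-Module DnsServer

$ZoneName         = 'MyDomain.com'
$ExternalResolver = '203.0.113.53'   # assumed: provider's authoritative NS

# Constructed stand-in for an export of the public zone. In practice this comes
# from the provider (zone file or API) each time the public zone changes.
$ExternalRecords = @(
    @{ Name = '@';    Type = 'A';     Data = '198.51.100.10' },
    @{ Name = 'www';  Type = 'A';     Data = '198.51.100.10' },
    @{ Name = 'mail'; Type = 'A';     Data = '198.51.100.25' },
    @{ Name = 'app';  Type = 'CNAME'; Data = 'app.example-cdn.net.' }
)

# The three internal-only names from the question (placeholder addresses).
$InternalRecords = @(
    @{ Name = 'host1'; Type = 'A'; Data = '10.10.1.11' },
    @{ Name = 'host2'; Type = 'A'; Data = '10.10.1.12' },
    @{ Name = 'host3'; Type = 'A'; Data = '10.10.1.13' }
)

# 1. Create the internal copy once. -ReplicationScope Forest stores it in AD,
#    so every DC that is a DNS server receives it automatically.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest -DynamicUpdate None
}

# 2. Load records idempotently. Both sets land in the internal zone only;
#    nothing here is ever sent to the public provider.
function Add-ZoneRecord {
    param([string]$Zone, [hashtable]$Rec)
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -RRType $Rec.Type -ErrorAction SilentlyContinue |
        Where-Object HostName -eq $Rec.Name
    if ($existing) { return }
    switch ($Rec.Type) {
        'A'     { Add-DnsServerResourceRecordA     -ZoneName $Zone -Name $Rec.Name -IPv4Address $Rec.Data }
        'CNAME' { Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Rec.Name -HostNameAlias $Rec.Data }
    }
}
foreach ($r in ($ExternalRecords + $InternalRecords)) { Add-ZoneRecord -Zone $ZoneName -Rec $r }

# Normalise an answer set to a comparable string (sorted RDATA, no trailing dots).
function Get-RData {
    param($Answers, [string]$Type)
    ($Answers | Where-Object { $_.Type -eq $Type } | ForEach-Object {
        if ($Type -eq 'A') { $_.IPAddress } else { $_.NameHost.TrimEnd('.') }
    } | Sort-Object) -join ','
}

# 3. Drift and leak check. Returns a list of problems; empty means in sync.
function Test-SplitZoneDrift {
    param([string]$Zone, [array]$PublicRecords, [array]$PrivateRecords, [string]$Dc, [string]$Provider)
    $problems = @()
    foreach ($r in $PublicRecords) {
        $fqdn = if ($r.Name -eq '@') { $Zone } else { "$($r.Name).$Zone" }
        $in  = Resolve-DnsName -Name $fqdn -Type $r.Type -Server $Dc       -DnsOnly -ErrorAction SilentlyContinue
        $out = Resolve-DnsName -Name $fqdn -Type $r.Type -Server $Provider -DnsOnly -ErrorAction SilentlyContinue
        $inData  = Get-RData -Answers $in  -Type $r.Type
        $outData = Get-RData -Answers $out -Type $r.Type
        if ($inData -ne $outData) {
            $problems += "DRIFT $fqdn ($($r.Type)): internal=[$inData] external=[$outData]"
        }
    }
    # Internal-only names must not exist at the provider at all.
    foreach ($r in $PrivateRecords) {
        $fqdn = "$($r.Name).$Zone"
        $out = Resolve-DnsName -Name $fqdn -Type A -Server $Provider -DnsOnly -ErrorAction SilentlyContinue
        if ($out | Where-Object Type -eq 'A') { $problems += "LEAK  $fqdn is published by the external provider" }
    }
    return $problems
}

$problems = Test-SplitZoneDrift -Zone $ZoneName -PublicRecords $ExternalRecords -PrivateRecords $InternalRecords `
    -Dc $env:COMPUTERNAME -Provider $ExternalResolver
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "$ZoneName is in sync with the provider and no internal names are exposed." }
```

Step 3 is the part worth scheduling: because the internal zone is authoritative, any record added at the provider but not copied internally is NXDOMAIN for every internal client until the copy is refreshed, which is exactly the failure the question describes for names missing from the zone. The leak check is the security counterpart of the same split: it confirms that the internal names still exist only on the internal side.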

1 additional answer

Alex Angus 0 Reputation points
2024-11-28T00:48:29.2133333+00:00

I know this is an old question, but I'm surprised by the response.
While adding mydomain.com as a primary zone does indeed break resolution for all other records, I've always just added the hostname itself as a primary zone instead. For example, host1.mydomain.com would be its own primary zone, and you would set the root A record to be your internal IP address.
This way, those hostnames resolve internally, but all other mydomain.com lookups will be forwarded on to the external DNS hosts as normal.

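The per-host zone approach from the answer above, as an added example that is not code from the thread or from Microsoft. Each internal name becomes its own AD-integrated primary zone whose only data record is the apex A record, so the parent mydomain.com is never hosted internally and every other name under it keeps going to the forwarders. The check at the end verifies both halves of that claim from a DC: the three names answer with internal addresses, and a sibling public name still resolves. Assumptions not in the original post: the DnsServer module on the DC it runs on, placeholder internal addresses, and www.mydomain.com as the public name used for the forwarding check.

```powershell
# Added example (not from the thread). Assumed: run on a DC with the DnsServer
# module; mydomain.com itself is NOT hosted internally; addresses are placeholders.
Import-Module DnsServer

$InternalHosts = @{
    'host1.mydomain.com' = '10.10.1.11'
    'host2.mydomain.com' = '10.10.1.12'
    'host3.mydomain.com' = '10.10.1.13'
}

function New-PinpointZone {
    param([string]$Fqdn, [string]$IPv4)
    # If the parent zone is hosted here the design has changed: the name
    # belongs in that zone as a record, not in a zone of its own.
    $parent = ($Fqdn -split '\.', 2)[1]
    if (Get-DnsServerZone -Name $parent -ErrorAction SilentlyContinue) {
        throw "Parent zone $parent exists locally; add '$(($Fqdn -split '\.')[0])' as a record there instead."
    }
    # -ReplicationScope Forest stores the zone in AD, so all DCs receive it.
    if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Forest -DynamicUpdate None
    }
    # The only data record: the apex ("@") A record, i.e. the zone name itself.
    $apex = Get-DnsServerResourceRecord -ZoneName $Fqdn -RRType A -ErrorAction SilentlyContinue |
        Where-Object HostName -eq '@'
    if (-not $apex) {
        Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $IPv4
    }
}

foreach ($h in $InternalHosts.GetEnumerator()) { New-PinpointZone -Fqdn $h.Key -IPv4 $h.Value }

# Verify from the DC: internal names answer with the internal address, and a
# public sibling still resolves through the forwarder (the property that a
# full mydomain.com primary zone would break).
function Test-PinpointResolution {
    param([hashtable]$Hosts, [string]$Server, [string]$PublicName)
    $results = @{}
    foreach ($h in $Hosts.GetEnumerator()) {
        $a   = Resolve-DnsName -Name $h.Key -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
        $ips = @($a | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
        $results[$h.Key] = ($ips -contains $h.Value)
    }
    $pub = Resolve-DnsName -Name $PublicName -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $results[$PublicName] = [bool]($pub | Where-Object Type -eq 'A')
    return $results
}

Test-PinpointResolution -Hosts $InternalHosts -Server $env:COMPUTERNAME -PublicName 'www.mydomain.com' |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind with this layout. The server is now authoritative for the whole subtree below each name, so anything like sub.host1.mydomain.com returns NXDOMAIN internally instead of being forwarded; that is fine for plain host records but matters if the public side ever delegates under those labels. And because each zone is AD-integrated, the 50-server maintenance problem from the question disappears, but so does any per-server difference: every DC answers the same way, which is what you want for a consistent internal view.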
