Setting up Split Brain DNS

Charlie Melga 126 Reputation points
2022-05-04T07:33:16.263+00:00

Can someone please help me with the following

I believe it may not be possible without using DNS Policies (am using Windows 2019), even then I see an issue which I will explain below.

Basically I want to do the same thing the writer of the following post wanted to do

https://social.msdn.microsoft.com/Forums/en-US/b1bfc0d6-aa31-43e2-80e7-c3a2cd4c63e2/setting-up-splitbrain-dns-the-other-way-around?forum=winserverNIS

The answer to the above post says it was not possible, but I am creating my post in case things have changed or there is a way. Let me explain.

I have 50 Windows 2019 AD domain controllers (also acting as DNS servers, e.g. AD-integrated DNS).

The company I work for has an external DNS zone (looked after by an external DNS provider) which we shall call MyDomain.com

There is a requirement for three DNS host records to resolve to internal (10.x.x.x) addresses, for example host1.MyDomain.com, host2.MyDomain.com and host3.MyDomain.com. These host records will 'not' be used externally (internal host names only).

Now I could add these to the external DNS servers, but this would be a bad idea as it would expose internal hostnames and their internal IP addresses on a public DNS namespace.

If I create a new Primary zone on my DNS servers internally with the same name MyDomain.com, then add the above three hosts, when I do DNS resolution internally I can resolve these three hosts, but that is all: any other host names that are present in that zone hosted externally are not resolved, as the DNS server just drops the request because it is the SOA (Primary zone) and it does not hold such a record.

Question 1)
What I wanted to achieve was for the DNS server (even though it considers itself the SOA for the zone) to forward the query to the internet DNS servers if it did not find the particular host record for the zone. However, judging from the answer to the above post, it looks like this is not possible. Can someone please advise?

Question 2)
The other option may be DNS policies, but from what I have read DNS policies (Server 2016 and above) create a 'local flat file' on the DNS server itself as part of the overall solution. I believe (please correct me if wrong) this flat file does not get automatically replicated to the other DNS servers. That would mean setting up and maintaining the same DNS policies on 50 domain controllers, which is messy. In any event, would DNS policies solve the problem I am trying to address here?

Thank you


Accepted answer
  1. Gary Reynolds 9,406 Reputation points
    2022-05-05T15:11:53.55+00:00

    Hi @Charlie Melga

    I'm sorry to say things haven't changed.

    Question 1: this is not possible

    Question 2: with DNS policies you can use AD-integrated zones rather than flat files to replicate a zone scope; however, you do need to enter the PowerShell policy command on each server, as not all the commands are replicated to the other DCs, and doing it remotely doesn't always work. Having said that, DNS policies are probably not going to solve your problem, unless you are planning to use your AD DNS server to host and resolve external DNS requests. Not something I would recommend.

    The simplest option, but not pretty, is to create Mydomain.com on your DCs and replicate all the entries from the external zone; you can include the local host entries without the need to use DNS policies. Obviously you will need to keep the internal zone in sync with the external one. If the zone already exists internally then this might not be possible.

    Gary.

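The accepted answer's "simplest option" (an internal AD-integrated MyDomain.com zone that carries the three internal-only hosts plus copies of the records the external provider publishes), written out as an added PowerShell example; it is not code from the thread or from either poster. It also shows the failure mode in Question 1: a name that is in neither list gets NXDOMAIN from the authoritative internal zone rather than being forwarded. The zone name and host1/host2/host3 come from the question; the 10.x addresses, the public name list (www, mail, autodiscover) and the resolver address 203.0.113.53 are constructed placeholders; the cmdlets are the standard DnsServer module ones, and `Set-ZoneARecords` is a helper defined here.

```powershell
# Added example (not from the original thread): build the internal MyDomain.com
# zone from the accepted answer, add the three internal-only hosts, and mirror a
# known list of public names from the external provider so that names the
# internal zone would otherwise answer NXDOMAIN for keep resolving internally.
# Run once on one DC as a DNS/Domain admin; the AD-integrated zone replicates to
# the other DCs, so nothing has to be repeated on each of the 50 servers.

#Requires -Modules DnsServer

$ZoneName = 'MyDomain.com'   # zone name from the question

# Internal-only hosts (names from the question; addresses constructed for this example).
# These never go to the public zone, so internal names and 10.x addresses stay private.
$InternalHosts = @{
    'host1' = '10.0.10.11'
    'host2' = '10.0.10.12'
    'host3' = '10.0.10.13'
}

# Resolver that answers with the external provider's view of the zone.
# Placeholder from the documentation range; replace with the provider's name server.
$ExternalResolver = '203.0.113.53'

# Public names that must keep working internally. Providers rarely allow zone
# transfers, so this list is maintained by hand (names below are constructed).
$PublicNames = @('www', 'mail', 'autodiscover')

# 1. Create the AD-integrated primary zone once; forest scope replicates it to every DC.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
}

# Helper (defined for this example): make the zone's A records for $Name equal to exactly $Addresses.
function Set-ZoneARecords {
    param(
        [string]$Name,
        [string[]]$Addresses
    )
    $existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $Name -RRType 'A' -ErrorAction SilentlyContinue
    $current  = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })

    foreach ($addr in $Addresses) {
        if ($current -notcontains $addr) {
            # Short TTL so a change at the provider shows up quickly after the next sync run.
            Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $Name -IPv4Address $addr -TimeToLive (New-TimeSpan -Minutes 5)
            Write-Host "added   $Name.$ZoneName -> $addr"
        }
    }
    foreach ($rec in $existing) {
        $addr = $rec.RecordData.IPv4Address.IPAddressToString
        if ($Addresses -notcontains $addr) {
            Remove-DnsServerResourceRecord -ZoneName $ZoneName -InputObject $rec -Force
            Write-Host "removed $Name.$ZoneName -> $addr"
        }
    }
}

# 2. Internal-only hosts.
foreach ($h in $InternalHosts.GetEnumerator()) {
    Set-ZoneARecords -Name $h.Key -Addresses @($h.Value)
}

# 3. Mirror the public names so the authoritative internal zone still answers them.
foreach ($name in $PublicNames) {
    if ($InternalHosts.ContainsKey($name)) {
        Write-Warning "$name is defined internally; skipping external lookup"
        continue
    }
    $answers = Resolve-DnsName -Name "$name.$ZoneName" -Type A -Server $ExternalResolver -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }
    if (-not $answers) {
        # Do not delete a mirrored record on a transient lookup failure.
        Write-Warning "$name.$ZoneName returned no public A record; leaving the internal copy untouched"
        continue
    }
    Set-ZoneARecords -Name $name -Addresses @($answers.IPAddress)
}

# 4. Verify from this DC: internal hosts answer with 10.x, mirrored names with the
#    public addresses, and a name in neither list shows the NXDOMAIN from Question 1.
foreach ($probe in (@($InternalHosts.Keys) + $PublicNames + 'not-mirrored')) {
    $r = Resolve-DnsName -Name "$probe.$ZoneName" -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue
    if ($r) { '{0,-30} {1}' -f "$probe.$ZoneName", ($r.IPAddress -join ', ') }
    else    { '{0,-30} NXDOMAIN (not in the internal zone; the server is authoritative and does not forward)' -f "$probe.$ZoneName" }
}
```

Steps 1 and 2 are one-off; step 3 is the "keep the internal zone in sync" chore the answer mentions and is the part to run on a schedule, which is also where this approach can fail silently: any public name missing from `$PublicNames` (or one the provider adds later) is exactly the name that will start returning NXDOMAIN internally, so the verification loop in step 4 is worth extending with every public name the business depends on. Nothing in the script touches the external zone, so the internal hostnames and 10.x addresses never leave the AD DNS servers.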
0 additional answers
