
We have a split brain DNS scenario in our company where we have the same entries pointing towards different IPs.

Example1:
Internal DNS: email.company.net (A) 172.20.1.1
External DNS: email.company.net (A) 22.191.72.18

So email is just one of the few entries that we have to 'split'. We do have a lot of other DNS entries in our public DNS zone that need to remain the same in the internal zone as well. Let's have a look at another example:

Example2:
Internal DNS: video.company.net (A) -not present-
External DNS: video.company.net (A) 22.191.72.49

So when I want to access videoportal.company.net from inside the company, the DNS server reports that it has not found a DNS entry for that query. In order for it to work, I'd have to recreate all the external DNS entries in the internal DNS zone as well and maintain all those records over time as well. This causes a lot of duplicate work. What I'd like to do is the following:

Create a zone with some entries in it and assign it a policy that says: "resolve what you can find in there, but forward anything you cannot find to your resolvers/root hints"

Is there something like this that can be done with policies? How is such a functionality even called?

I know that I can create a zone with email.company.net and an empty A record inside. This still forwards any somethingelse.company.net record externally. The reason I ask is much more complicated and I wanted to ask a question as short as possible. So just assume that this solution does not apply here right now. I would appreciate it if you could concentrate on the question above.

Edit: So in the end, the internal DNS server should do something like this:

  • DNS server gets a request from the client for email.company.net
  • DNS server does a lookup in its internal zone company.net
  • DNS server gives back IP 172.20.1.1 to the client
  • DNS server gets a request from the client for video.company.net
  • DNS server does a lookup in its internal zone company.net
  • DNS server does not find an entry for video.company.net
  • DNS server then does a recursive lookup via its root hints
  • DNS server ultimately gets the answer and gives back IP 22.191.72.49 to the client
Mario Jost
  • Your question isn't quite clear, but for your example #2 above I would set both internal and external to 22.191.72.49. Your DNS server should already have forwarding setup. – Larryc Sep 29 '20 at 16:19
  • That is the point of the question. I don't want to maintain the same entries in both zones. I will clarify the question further... – Mario Jost Sep 30 '20 at 07:31
  • I added an example at the end of my post... – Mario Jost Sep 30 '20 at 07:35
  • If your DNS is authoritative for Company.net, when you get to this point: "DNS server does not find an entry for video.company.net" then DNS gives up and returns "Not Found". Those are the rules of DNS. – Larryc Oct 01 '20 at 09:17

1 Answer


Unfortunately, what you want is not possible; when you create a zone in the internal DNS server and define it as primary, the server will assume it is authoritative for that zone, and thus will answer any request for records it doesn't know with "this record doesn't exist".

The only workaround is the one you already know: you can define sub-zones only for the records you actually want to mask, and then create empty records in them; empty records map to the full name of the zone, thus the end effect is the same, but such a zone will not mask all other names in the main zone, which will be resolved using standard recursion.

In your example, you should create a zone called email.company.net and then create an empty A record in it pointing to 172.20.1.1; internal queries for email.company.net will be answered with 172.20.1.1, but this will not affect queries for video.company.net, which will keep being resolved by querying the public DNS.

BTW, this trick works not only for A records, but for any record which can be empty (such as SRV).

Massimo
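To make the behaviour described in the question's edit and in the answer concrete, here is a small Python model of how an authoritative server picks a zone and decides between "answer", "NXDOMAIN" and "recurse". This is an added illustration, not code from the question or the answer, and it is a toy: the zone tables, the simulated public DNS and the lookup logic are constructed for the example, using only the names and IPs from the post. It shows why a full internal copy of company.net turns every unknown name into NXDOMAIN, why a pinpoint zone for just email.company.net leaves video.company.net to normal recursion, and one caveat worth checking before using the workaround: a pinpoint zone is itself authoritative, so any name below it (for instance something.email.company.net) is also masked.

```python
"""Toy model of authoritative zone selection under split-brain DNS.

Constructed example: zones, records and the fake "public DNS" below are
illustrative only; the names and IPs are the ones used in the question.
"""

# Constructed stand-in for what recursion via root hints would return.
PUBLIC_DNS = {
    "email.company.net": "22.191.72.18",
    "video.company.net": "22.191.72.49",
}


def find_zone(name, zones):
    """Return the most specific zone in `zones` that encloses `name`, or None.

    A real server walks the same way: strip leading labels until a zone
    it is authoritative for matches, most specific match wins.
    """
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones, public=PUBLIC_DNS):
    """Resolve `name` the way an authoritative, recursing server would.

    If some local zone encloses the name, the server is authoritative and
    must answer from that zone alone: a hit returns the record, a miss is
    NXDOMAIN and recursion is never attempted. Only names outside every
    local zone go out to (simulated) public resolution.
    """
    zone = find_zone(name, zones)
    if zone is not None:
        records = zones[zone]
        # "@" is the zone apex, i.e. the "empty" record the answer describes.
        rel = "@" if name == zone else name[: -(len(zone) + 1)]
        return records.get(rel, "NXDOMAIN")
    return public.get(name, "NXDOMAIN")


# Scenario 1: a full internal copy of company.net holding only the
# records the admin bothered to add. Everything else is NXDOMAIN.
FULL_COPY = {"company.net": {"email": "172.20.1.1"}}

# Scenario 2: the workaround from the answer. A pinpoint zone named after
# the one host to override, with an empty (apex) A record.
PINPOINT = {"email.company.net": {"@": "172.20.1.1"}}


def demo():
    """Return the outcomes for both scenarios as a dict for inspection."""
    return {
        "full_copy/email": resolve("email.company.net", FULL_COPY),
        "full_copy/video": resolve("video.company.net", FULL_COPY),
        "pinpoint/email": resolve("email.company.net", PINPOINT),
        "pinpoint/video": resolve("video.company.net", PINPOINT),
        # Caveat: the pinpoint zone also masks names below it.
        "pinpoint/sub": resolve("something.email.company.net", PINPOINT),
    }


if __name__ == "__main__":
    for query, answer in demo().items():
        print(f"{query:20} -> {answer}")
```

The last entry is the check to run before adopting the pinpoint trick on a real server: if any public names exist beneath the host you are overriding, they must be copied into the pinpoint zone too, because the internal server will no longer recurse for them.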