I have read this article on split-DNS: http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html. I think I understand the concept, but to set up the optimal solution suggested in the article I need to control the DNS servers on "the outside" (which I cannot in my case).

My scenario is as follows: one internal domain called corp.local. One public domain called corp.com. I have a web site on the address www.corp.com, which actually points to a published server on the domain corp.local. I would like to publish this web server to internal clients as well (clients on the domain corp.local), without them going to the external IP and back. So I just set up a new zone on the DNS server the internal clients (corp.local) are using called corp.com, and add an entry for www.corp.com, this time pointing to an internal IP address.

To my problem: I have a lot of other entries on the external web server which should be left as they are. I know I could just copy and maintain two DNS servers, but ideally I would like this:

Case 1

  1. Internal client asks for www.corp.com.
  2. The Internal DNS server looks if it has an entry for www.corp.com.
  3. It has, so it answers with the internal IP address for www.corp.com.

Case 2

  1. Internal client asks for someother.corp.com.
  2. The Internal DNS server looks if it has an entry for someother.corp.com, and it finds none.
  3. It then forwards the request to the external DNS server, to see if that has an entry defined for someother.corp.com.
  4. The external DNS server responds back to the Internal DNS server with the external IP for someother.corp.com.
  5. The Internal DNS server responds back to the Internal client.

What happens in reality for Case 2 is that the Internal DNS server thinks it is authoritative for the zone corp.com (which it kind of is), and if it does not find a record for someother.corp.com it responds to the client with a negative answer.

Hope I made myself clear, looking forward to your input! Thanks in advance! Also, I'm running Windows domain with Windows DNS servers (Windows Server 2008).

  • Possible duplication of this question: http://serverfault.com/questions/188948/split-brain-dns-and-dns-forwarding – gravyface Oct 21 '10 at 12:13
  • I need to clarify something here: for your internal users/DNS Server, do you want to forward requests for *.corp.com to your external DNS server, while www.corp.com and .corp.com resolve to your internal IP? Or are you trying to forward _any_ requests to *.corp.com that do not resolve locally to your external DNS server, i.e. you may have an A record for foo.corp.com that resolves internally by the internal DNS server, but if you asked for bar.corp.com, which doesn't resolve, it would get forwarded to the external DNS server? – gravyface Oct 21 '10 at 13:06
  • ignore the italics... must've forgot to close the tag. – gravyface Oct 21 '10 at 13:07
  • oh and it should read "do you want to forward requests for .corp.com to your external..." in the first line. Having a rough go at it today. – gravyface Oct 21 '10 at 13:08
  • I want to do exactly as you've written, "have an A record for foo.corp.com that resolves internally by the internal DNS server, but if you asked for bar.corp.com, which doesn't resolve, it would get forwarded to the external DNS server". I'm not sure I understand what you want clarified here.. what's the difference between the mentioned case and "do you want to forward requests for *.corp.com to your external DNS server, while www.corp.com and .corp.com resolve to your internal IP"? Thanks for your input! – jos Oct 22 '10 at 13:54

2 Answers


This is a little bit of a hack - and I've only done it with bind, but it works.

Create a new zone called www.corp.com then create an @ record for the zone to be the internal IP address of your website.

This will make the DNS server think it is authoritative for the "zone" www.corp.com and return the @ record when people request www.corp.com. It will pass the rest of *.corp.com out to your normal public DNS servers for a recursive lookup and return the external IP.

  • The asker wants to forward any NXDOMAIN'ed request for *.corp.com to the external DNS server, so this won't work. He doesn't want to maintain two zone configurations for corp.com. – gravyface Oct 21 '10 at 12:58
  • @gravyface you've missed the point - this (very hacky) configuration makes the internal server _only_ authoritative for www.corp.com (and subdomains thereof). Resolution for anything else in *.corp.com should follow the normal resolution path. – Alnitak Oct 21 '10 at 13:09
  • Right, and you can do that in Windows DNS too, but I think the asker wants to be selective, depending on whether there's an answer or not locally i.e. foo.corp.com resolves internally, bar.corp.com resolves internally, but foobar.corp.com does not resolve internally, so it gets forwarded to the external DNS server. – gravyface Oct 21 '10 at 13:33
  • I think this solution might work actually. What do you mean the problem is here gravyface? foo.corp.com will resolve internally if there's an @ record on the internal DNS server, and so will bar.corp.com. These records would actually be individual zones, so the internal DNS server will not be authoritative for the whole domain corp.com. When foobar.corp.com is requested, the internal DNS server will forward the request, as it is not authoritative for the zone corp.com (only bar.corp.com and foo.corp.com). Am I missing something? – jos Oct 22 '10 at 14:02
  • @jos yep it will work, I've had to do it in a couple of places , for other reasons but same result. – Zypher Oct 22 '10 at 14:16
  • @gravyface it's not taking action on NXDOMAIN it's just forwarding stuff it's not authoritative for to the authoritative servers. So same result as if you could somehow get the DNS server to not return NXDOMAIN but forward the request instead ... – Zypher Oct 22 '10 at 14:21
  • I guess I was thinking that he needed a zone internally for corp.com as well. – gravyface Oct 22 '10 at 14:52

If you use Unbound as a recursive server you can get it to reply for specific local data using the local-zone and local-data directives, and forward any unknown entries to an external server.

local-zone: corp.com. transparent
local-data: "www.corp.com. IN A www.xxx.yyy.zzz"

The manual page is at http://www.unbound.net/documentation/unbound.conf.html

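The three configurations discussed on this page (the asker's full corp.com zone, the one-name www.corp.com zone from the first answer, and the Unbound transparent local-zone from the second) differ only in one decision: when the server holds a zone that covers the queried name but has no record for it, does it answer NXDOMAIN or forward? The following toy resolver is an added example, not code from the question, either answer, Windows DNS, BIND or Unbound; the zone/forwarder model, the function names and every address (10.0.0.10 internally, 203.0.113.x externally) are constructed for illustration.

```python
"""Toy model of a DNS server's choice between a local answer, NXDOMAIN and
forwarding, reproducing the asker's Case 1 / Case 2 under three constructed
configurations.  Added example; not Windows DNS, BIND or Unbound code."""

from dataclasses import dataclass

# Constructed stand-in for the public corp.com servers that the internal
# server forwards to (what "the outside" would answer).
EXTERNAL_DNS = {
    "www.corp.com.": "203.0.113.10",
    "someother.corp.com.": "203.0.113.20",
}

INTERNAL_WWW = "10.0.0.10"  # constructed internal address of the published web server


def fqdn(name):
    """Normalise a name to lowercase with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


@dataclass
class Zone:
    origin: str                # zone apex, e.g. "corp.com."
    records: dict              # fqdn -> A record value held in this zone
    transparent: bool = False  # Unbound 'local-zone ... transparent' semantics

    def __post_init__(self):
        self.origin = fqdn(self.origin)
        self.records = {fqdn(k): v for k, v in self.records.items()}


class Resolver:
    """Internal DNS server holding some zones and forwarding everything else."""

    def __init__(self, zones, forwarder=EXTERNAL_DNS):
        self.zones = zones
        self.forwarder = forwarder

    def _zone_for(self, name):
        """Most specific zone whose apex is the name itself or a parent of it."""
        matches = [z for z in self.zones
                   if name == z.origin or name.endswith("." + z.origin)]
        return max(matches, key=lambda z: len(z.origin), default=None)

    def resolve(self, name):
        """Return (how_answered, address); address is None on a negative answer."""
        name = fqdn(name)
        zone = self._zone_for(name)
        if zone is None:
            # Not a zone we hold: forward to the external servers.
            return ("FORWARDED", self.forwarder.get(name))
        if name in zone.records:
            # Case 1: we hold the name, answer with the internal address.
            return ("LOCAL", zone.records[name])
        if zone.transparent:
            # Unbound transparent zone: no local data for this name, resolve normally.
            return ("FORWARDED", self.forwarder.get(name))
        # Authoritative zone without the record: the negative answer of Case 2.
        return ("NXDOMAIN", None)


def full_zone_server():
    """What the asker set up: a whole corp.com zone containing one override."""
    return Resolver([Zone("corp.com", {"www.corp.com": INTERNAL_WWW})])


def narrow_zone_server():
    """The BIND hack from the first answer: a zone whose apex is www.corp.com itself."""
    return Resolver([Zone("www.corp.com", {"www.corp.com": INTERNAL_WWW})])


def transparent_server():
    """The Unbound answer: local-zone corp.com. transparent plus local-data for www."""
    return Resolver([Zone("corp.com", {"www.corp.com": INTERNAL_WWW}, transparent=True)])


if __name__ == "__main__":
    servers = [("full corp.com zone", full_zone_server()),
               ("www.corp.com-only zone", narrow_zone_server()),
               ("unbound transparent", transparent_server())]
    for label, server in servers:
        for query in ("www.corp.com", "someother.corp.com", "foo.www.corp.com"):
            print(f"{label:24} {query:20} -> {server.resolve(query)}")
```

Running it shows the full corp.com zone answering NXDOMAIN for someother.corp.com (the asker's real-world Case 2), while both the one-name zone and the transparent overlay forward that query and still answer www.corp.com locally. The model also exposes the caveat Alnitak mentions in the comments: with the one-name zone, the internal server is authoritative for everything under www.corp.com, so a name such as foo.www.corp.com gets NXDOMAIN internally rather than being forwarded; the transparent overlay does not have that limitation.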