Thursday, February 3, 2011

Split Brain DNS and DNS forwarding

Hi All

This may be an unusual question, but I would like to find out if this is possible.

We have several security zones behind firewall, let's call them LAN, DMZ and Backend.

There is a DNS server (BIND, server name is ns1.domain.com) in the DMZ zone, set up as split DNS, i.e. it resolves domain.com public addresses for requests made from the Internet and private NATed addresses for the same domain.com domain for requests coming from the LAN and Backend.

It all works fine, however now I am introducing Windows 2008 AD into the Backend as the server base grows and managing SAM databases is not an option anymore. The Windows domain name is DOMAIN.COM. I realise that this may be a confusing setup, but this is done to keep things simple in the naming department.
Naturally this requires using Windows DNS which is on the same AD.DOMAIN.COM server.
DNS zones on this server work fine and I have set up a forwarder for ns1.domain.com for any internet related queries.
Now the question. If I want to resolve a host located in the DMZ NATed subnet from the Windows host in the Backend (i.e. use the internal part of the split brain DMZ), how do I make sure that requests for "whatever_is_not_in_windows_domain.com_zone".domain.com are forwarded to the internal split brain DMZ? Is it possible at all? I realise that I can hardcode them into the Windows DNS server zone, but this looks like a workaround, not a solution...
Hopefully I was clear enough :)

  • I don't think this is possible. AD.DOMAIN.COM believes it is the authoritative source for this domain and will respond with NXDOMAIN no matter what.
    I would really advise you to create a subdomain to put your AD into. As your setup grows this will become a bigger problem, and manually adding hosts to both zones doesn't seem like a nice task.

    It would be possible to run an Active Directory with a BIND DNS server.
    What you could do is merge the zones and allow updates from the AD.DOMAIN.COM server.
    However this requires the DOMAIN.COM zone to be a dynamic zone.

    Sergei : This is an interesting idea. Where can I read more about it?
    faker : http://technet.microsoft.com/en-us/library/dd316373.aspx#ECAA The only non-obvious option you will need to set in your zone is "check-names ignore;".
    Evan Anderson : +1 - Naming your Active Directory domain "domain.com" is a mistake. You're going against Microsoft-recommended best practices. Running BIND for your DNS for the Active Directory domain is an option, but you still have an ugly situation. Be aware that, in order for Group Policy to work properly, the "domain.com" name must resolve to the IP address of the domain controller computer(s), for example.
    Sergei : Thank you Evan, what exactly is done against best practices? What is the solution - have a subdomain?
    Sergei : Or totally different domain like domain.corp?
    From faker
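What faker's suggestion looks like in practice, as an added example that is not part of the original thread or the linked TechNet article: a BIND 9 named.conf fragment for ns1.domain.com in which the internal view serves one merged domain.com zone that the AD domain controller may update, while the external view keeps serving public addresses only. The network ranges, DC address and file paths are placeholders.

```conf
// Added example, not from the original post. Placeholders: adjust the
// ACLs and file paths to the real LAN, Backend and DC addresses.
acl "internal-nets" { 10.10.0.0/16; 10.20.0.0/16; };   // LAN and Backend (placeholder ranges)
acl "ad-dcs"        { 10.20.1.10; };                   // AD.DOMAIN.COM domain controller (placeholder)

// Views are matched in order: the internal view must come first so that
// LAN/Backend clients never fall through to the public data.
view "internal" {
    match-clients { "internal-nets"; localhost; };
    recursion yes;

    // Merged zone: existing private/NATed DMZ hosts plus the records the
    // DCs register themselves (SRV records, _msdcs, DC A records).
    zone "domain.com" {
        type master;
        file "dynamic/domain.com.internal";    // must be writable by named
        allow-update { "ad-dcs"; };            // only the DCs may register records
        check-names ignore;                    // the non-obvious option from the thread:
                                               // accept AD's underscore-style owner names
    };
};

view "external" {
    match-clients { any; };
    recursion no;                              // DMZ resolver answers authoritatively only

    // Public addresses only, never updated dynamically.
    zone "domain.com" {
        type master;
        file "static/domain.com.external";
        allow-update { none; };
    };
};
```

The address-based allow-update is the simplest form; BIND can also accept AD's secure (GSS-TSIG) updates, which removes the need to let the DCs fall back to unsecured updates. A quick check from a Backend host is `dig @ns1.domain.com _ldap._tcp.domain.com SRV`, which should return the DC; the same query from the Internet should not.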
  • I don't think this is possible. The backend Windows DNS server is authoritative for domain.com and therefore won't forward requests for domain.com to another DNS server. I think your only choice is to add static entries for the DMZ machines into the backend domain.com zone.

    From joeqwerty
