Apply DNS Policy for Split-Brain DNS Deployment

Applies to: Windows Server 2022

You can use this topic to learn how to configure DNS policy in Windows Server® 2022 for split-brain DNS deployments, where there are two versions of a single zone - one for the internal users on your organization intranet, and one for the external users, who are typically users on the Internet.

Previously, this scenario required that DNS administrators maintain two different DNS servers, each providing services to one set of users, internal or external. If only a few records inside the zone were split-brained, or both instances of the zone (internal and external) were delegated to the same parent domain, this became a management conundrum.

Another configuration scenario for split-brain deployment is Selective Recursion Control for DNS name resolution. In some circumstances, the enterprise DNS servers are expected to perform recursive resolution over the Internet for the internal users, while they also must act as authoritative name servers for external users, and block recursion for them.

This topic contains the following sections.

  • Example of DNS Split-Brain Deployment
  • Example of DNS Selective Recursion Control

Example of DNS Split-Brain Deployment

Following is an example of how you can use DNS policy to achieve the previously described scenario of split-brain DNS.

This section contains the following topics.

  • How DNS Split-Brain Deployment Works
  • How to Configure DNS Split-Brain Deployment

This example uses one fictional company, Contoso, which maintains a career Web site at www.career.contoso.com.

The site has two versions, one for the internal users, where internal job postings are available. This internal site is available at the private IP address 10.0.0.39.

The second version is the public version of the same site, which is available at the public IP address 65.55.39.10.

In the absence of DNS policy, the administrator is required to host these two zones on separate Windows Server DNS servers and manage them separately.

Using DNS policies, these zones can now be hosted on the same DNS server.

The following illustration depicts this scenario.

Split-Brain DNS Deployment

How DNS Split-Brain Deployment Works

When the DNS server is configured with the required DNS policies, each name resolution request is evaluated against the policies on the DNS server.

The server interface is used in this example as the criterion to differentiate between the internal and external clients.

If the server interface upon which the query is received matches any of the policies, the associated zone scope is used to respond to the query.

So, in our example, the DNS queries for www.career.contoso.com that are received on the private IP (10.0.0.56) receive a DNS response that contains the internal IP address; and the DNS queries that are received on the public network interface receive a DNS response that contains the public IP address from the default zone scope (this is the same as normal query resolution).

How to Configure DNS Split-Brain Deployment

To configure DNS Split-Brain Deployment by using DNS Policy, you must use the following steps.

  • Create the Zone Scopes
  • Add Records to the Zone Scopes
  • Create the DNS Policies

The following sections provide detailed configuration instructions.

Important

The following sections include example Windows PowerShell commands that contain example values for many parameters. Ensure that you replace the example values in these commands with values that are appropriate for your deployment before you run them.

Create the Zone Scopes

A zone scope is a unique instance of the zone. A DNS zone can have multiple zone scopes, with each zone scope containing its own set of DNS records. The same record can be present in multiple scopes, with different IP addresses or the same IP addresses.

Note

By default, a zone scope exists on every DNS zone. This zone scope has the same name as the zone, and legacy DNS operations work on this scope. This default zone scope will host the external version of www.career.contoso.com.

You can use the following example command to partition the zone contoso.com and create an internal zone scope. The internal zone scope will be used to keep the internal version of www.career.contoso.com.

Add-DnsServerZoneScope -ZoneName "contoso.com" -Name "internal"

For more information, see Add-DnsServerZoneScope.

Add Records to the Zone Scopes

The next step is to add the records representing the Web server host into the two zone scopes - internal and default (for external clients).

In the internal zone scope, the record www.career.contoso.com is added with the IP address 10.0.0.39, which is a private IP; and in the default zone scope the same record, www.career.contoso.com, is added with the IP address 65.55.39.10.

No -ZoneScope parameter is provided in the following example command when the record is being added to the default zone scope. This is the same as adding records to a vanilla zone.

# Default zone scope (external clients): public address of the career site
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "65.55.39.10"
# Internal zone scope: private address of the career site
Add-DnsServerResourceRecord -ZoneName "contoso.com" -A -Name "www.career" -IPv4Address "10.0.0.39" -ZoneScope "internal"

For more information, see Add-DnsServerResourceRecord.

Create the DNS Policies

After you have identified the server interfaces for the external network and internal network, and you have created the zone scopes, you must create DNS policies that connect the internal and external zone scopes.

Note

This example uses the server interface as the criterion to differentiate between the internal and external clients. Another method to differentiate between external and internal clients is to use client subnets as the criterion. If you can identify the subnets to which the internal clients belong, you can configure DNS policy to differentiate based on client subnet. For information on how to configure traffic management using client subnet criteria, see Use DNS Policy for Geo-Location Based Traffic Management with Primary Servers.

When the DNS server receives a query on the private interface, the DNS query response is returned from the internal zone scope.

Note

No policies are required for mapping the default zone scope.

In the following example command, 10.0.0.56 is the IP address on the private network interface, as shown in the previous illustration.

Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action Allow -ServerInterface "eq,10.0.0.56" -ZoneScope "internal,1" -ZoneName contoso.com

For more information, see Add-DnsServerQueryResolutionPolicy.

Example of DNS Selective Recursion Control

Following is an example of how you can use DNS policy to accomplish the previously described scenario of DNS selective recursion control.

This section contains the following topics.

  • How DNS Selective Recursion Control Works
  • How to Configure DNS Selective Recursion Control

This example uses the same fictional company as in the previous example, Contoso, which maintains a career Web site at www.career.contoso.com.

In the DNS split-brain deployment example, the same DNS server responds to both the external and internal clients and provides them with different answers.

Some DNS deployments might require the same DNS server to perform recursive name resolution for internal clients in addition to acting as the authoritative name server for external clients. This circumstance is called DNS selective recursion control.

In previous versions of Windows Server, enabling recursion meant that it was enabled on the whole DNS server for all zones. Because the DNS server is also listening to external queries, recursion is enabled for both internal and external clients, making the DNS server an open resolver.

A DNS server that is configured as an open resolver might be vulnerable to resource exhaustion and can be abused by malicious clients to create reflection attacks.

Because of this, Contoso DNS administrators do not want the DNS server for contoso.com to perform recursive name resolution for external clients. Recursion is needed only for internal clients, while recursion can be blocked for external clients.

The following illustration depicts this scenario.

Selective Recursion Control

How DNS Selective Recursion Control Works

If a query for which the Contoso DNS server is non-authoritative is received, such as for https://www.microsoft.com, then the name resolution request is evaluated against the policies on the DNS server.

Because these queries do not fall under any zone, the zone-level policies (as defined in the split-brain example) are not evaluated.

The DNS server evaluates the recursion policies, and the queries that are received on the private interface match the SplitBrainRecursionPolicy. This policy points to a recursion scope where recursion is enabled.

The DNS server then performs recursion to get the answer for https://www.microsoft.com from the Internet, and caches the response locally.

If the query is received on the external interface, no DNS policies match, and the default recursion setting - which in this case is Disabled - is applied.

This prevents the server from acting as an open resolver for external clients, while it is acting as a caching resolver for internal clients.

How to Configure DNS Selective Recursion Control

To configure DNS selective recursion control by using DNS Policy, you must use the following steps.

  • Create DNS Recursion Scopes
  • Create DNS Recursion Policies

Create DNS Recursion Scopes

Recursion scopes are unique instances of a group of settings that control recursion on a DNS server. A recursion scope contains a list of forwarders and specifies whether recursion is enabled. A DNS server can have many recursion scopes.

The legacy recursion setting and list of forwarders are referred to as the default recursion scope. You cannot add or remove the default recursion scope, identified by the name dot (".").

In this example, the default recursion setting is disabled, while a new recursion scope for internal clients is created where recursion is enabled.

# Default recursion scope ("."): applies to any query no recursion policy matches, so recursion is off
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
# Dedicated scope for internal clients, with recursion enabled
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True

For more information, see Add-DnsServerRecursionScope.

Create DNS Recursion Policies

You can create DNS server recursion policies to choose a recursion scope for a set of queries that match specific criteria.

If the DNS server is not authoritative for some queries, DNS server recursion policies allow you to control how to resolve the queries.

In this example, the internal recursion scope with recursion enabled is associated with the private network interface.

You can use the following example command to configure DNS recursion policies.

# Queries received on the private interface (10.0.0.56, as in the split-brain example) use the InternalClients recursion scope
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainRecursionPolicy" -Action ALLOW -ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,10.0.0.56"

For more information, see Add-DnsServerQueryResolutionPolicy.
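The following verification script is an added example, not part of this topic or of Microsoft's own tooling; it checks both the split-brain configuration (zone scopes, records and zone policy) and the selective recursion configuration (recursion scopes and policy) created above. It uses the example values from this topic; the server's public interface address is not given here, so $PublicIP is a placeholder you must fill in.

```powershell
# Added example: verifies the split-brain and selective-recursion configuration from this topic.
param(
    [string]$ZoneName     = "contoso.com",
    [string]$HostLabel    = "www.career",
    [string]$PrivateIP    = "10.0.0.56",              # private server interface (from this topic)
    [string]$PublicIP     = "<public-interface-ip>",  # placeholder: the server's external interface
    [string]$ExternalName = "www.microsoft.com"       # a name this server is not authoritative for
)

# Query the server through one specific interface and return the A-record answers,
# or $null when the server fails or refuses the query (expected when recursion is blocked).
function Get-AnswerFromInterface([string]$Name, [string]$ServerIP) {
    try {
        $r = Resolve-DnsName -Name $Name -Type A -Server $ServerIP -DnsOnly -ErrorAction Stop
        return @($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { return $null }
}

# 1. Configuration checks, run locally on the DNS server.
if ((Get-DnsServerZoneScope -ZoneName $ZoneName).ZoneScope -notcontains 'internal') {
    throw "Zone scope 'internal' is missing on $ZoneName"
}
$policy = Get-DnsServerQueryResolutionPolicy -ZoneName $ZoneName -Name 'SplitBrainZonePolicy' -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.IsEnabled) { throw 'SplitBrainZonePolicy is missing or disabled' }

$scopes = Get-DnsServerRecursionScope
if (($scopes | Where-Object Name -eq '.').EnableRecursion) {
    throw 'Default recursion scope "." still allows recursion: the server is an open resolver'
}
if (-not ($scopes | Where-Object Name -eq 'InternalClients').EnableRecursion) {
    throw 'InternalClients recursion scope does not enable recursion'
}

# 2. Behavioural checks: each interface must hand out its own version of the record.
$fqdn     = "$HostLabel.$ZoneName"
$internal = Get-AnswerFromInterface $fqdn $PrivateIP
$external = Get-AnswerFromInterface $fqdn $PublicIP
if ($internal -notcontains '10.0.0.39')  { throw "Private interface answered '$internal', expected 10.0.0.39" }
if ($external -notcontains '65.55.39.10') { throw "Public interface answered '$external', expected 65.55.39.10" }

# 3. Recursion must succeed only on the private interface.
if (-not (Get-AnswerFromInterface $ExternalName $PrivateIP)) { throw 'Recursion failed for internal clients' }
if (Get-AnswerFromInterface $ExternalName $PublicIP) { throw 'Public interface recursed: the server is an open resolver' }

Write-Output 'Split-brain and selective recursion configuration verified.'
```

Run it on the DNS server itself after applying the commands above; a throw names the first check that failed, which makes a policy that was created but not matched (for example, because of a wrong interface address) visible before external clients notice.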

Now the DNS server is configured with the required DNS policies for either a split-brain name server or a DNS server with selective recursion control enabled for internal clients.

You can create thousands of DNS policies according to your traffic management requirements, and all new policies are applied dynamically - without restarting the DNS server - on incoming queries.

For more information, see DNS Policy Scenario Guide.