About Split DNS

[Published on 4 Nov. 2006 / Last Updated on 4 Nov. 2006]

QUESTION:

Hello,

I read some of your articles about split DNS and decided to create a test environment in my house to test it. Therefore I got one public IP address from my ISP, which is now connected to my Linksys WRT54G router, and built a small internal network hidden behind NAT. Next I registered a public domain, and so far I keep it on my ISP's DNS servers. Finally I installed Virtual PC and built a few W2k3 virtual servers.

My intent is to use one of them as a local domain controller and local DNS server, and another as a public DNS server, not connected to my domain, which will have port 53 or all ports (DMZ) published outside through my router. The public domain name I registered and the local domain name must be the same. As soon as I understand the split DNS solution, and if the above configuration is possible at all (with one external IP address and a Linksys router), I want to configure POP3 and SMTP services on the local network and build a very simple mail system. I need to do it in a test/lab environment, as one of my friends wants to have it in his company. He can't afford to buy ISA, so we have to count on the conditions I described above.

I would need to know if it is possible to build at all and, if it is, how to configure the network cards on the public DNS server, and also how to make it provide information for external users about the email services on the internal network. I believe that more complex environments are usually easier to configure, but the budget is rather small and my knowledge is apparently not too big either :)

I would be grateful for any clues,

Regards,

Mateusz


ANSWER:

I'm always happy to hear about new split DNS deployments! ISA Firewalls aren't required for a split DNS. A split DNS is very easy to set up, once you understand why you want to deploy it and get the basics down.

First, if you're using Windows DNS servers, you will need two DNS servers -- one for the private part of the split DNS and another for the public part of the split DNS.

On the private DNS server (which can be your DC), you enter names and private IP addresses that are used by hosts on the internal network to reach servers on the internal network. Internal hosts never use the external DNS server.

On the public DNS server, you enter names and public addresses that are used to reach published resources on your internal network. In the example you give above, you only have one public address, so all names in your public DNS will resolve to the same IP address. You will use that address so that incoming connections that are reverse NATed into your DMZ or internal network are forwarded from that address to the internal address.

External users will never use the internal DNS server and will never have access to the Internal DNS server (unless they're VPN clients, but that's another story).

That's all there is to it! Internal hosts are configured to use the internal DNS server and external hosts are automatically going to use the external DNS server, because you've configured your external IP address to be your authoritative DNS server with your domain registrar.

Of course, if you don't have a dedicated public IP address, this won't work. In that case, you can use a DDNS provider, such as TZO (www.tzo.com) to provide your public DNS. It will work just the same as if you hosted your own DNS server, but TZO will handle the changes in your public records when your IP address changes.

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)
