Windows Server 101: Configuring Split-Brain DNS on Windows Server

Organizations that use a public DNS zone name for their internal host names, perhaps even using the same name with their organization's instance, generally have to configure what is known as split-brain DNS.

Split-brain (or split-horizon) DNS returns different answers for the contents of a DNS zone depending on where the query originates. For example, a query for the host might return a public IP address to a host on the internet and a private IP address to hosts on the organization's internal network.

In the past, some organizations deployed separate DNS servers, each hosting a different copy of the same zone, to achieve a split-brain configuration. A DNS server on the internal network hosted a version of the zone whose hostname mappings returned the IP addresses that internal clients should receive. A DNS server on the perimeter network, or even one hosted at the ISP, hosted the version of the zone that returned public IP addresses for those hostnames.

You can implement split-brain DNS on Windows Server 2016 and Windows Server 2019 using two newer features, DNS policies and DNS zone scopes. DNS policies let you customize the DNS server's responses based on properties of the requester. DNS zone scopes let you create different subsets of a zone's records; each zone can hold multiple zone scopes, and a DNS record can belong to more than one zone scope.

To implement split-brain DNS with DNS policies, first configure two DNS zone scopes: one containing the host records that should be returned to external clients, and another containing the host records that should be returned to internal clients. Once you have these two zone scopes, configure the DNS policies: one that returns records from the zone scope intended for external clients, and another that returns records from the zone scope intended for internal clients.

When you create a DNS policy, you can specify how clients are identified as internal: by client IP address (a client subnet) or by the network adapter on which the request arrives. If your DNS server has two network adapters, one connected to a perimeter network and the other connected to the internal network, interface-based policies are the best option. If the DNS server has only a single network adapter, you will need to use client subnets.

Usual practice is to place all records that should be available to clients on the public internet in the default zone scope, and all records that should be available to internal clients in the internal scope. Once this is done, create a policy that grants access to the internal scope only for queries arriving on the internal network interface or from the internal client subnets.

You create query resolution policies with the Add-DNSServerQueryResolutionPolicy cmdlet. For example, to create a policy named SplitPolicy that directs clients addressing the DNS server on the server interface to the zone scope Internal for the zone, run the command:

Add-DNSServerQueryResolutionPolicy -Name "SplitPolicy" -Action ALLOW -ServerInterface "eq," -ZoneScope "Internal,1" -ZoneName ""
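The procedure above carried through end to end (zone scope, records in each scope, client identification, policy, verification), as an added PowerShell example that is not from the original article: the zone name example.com, the subnet 10.0.0.0/8, the interface address 10.0.0.5 and the two addresses for the host www are assumed placeholders.

```powershell
# Added example, not from the original article. Assumed placeholders:
# zone example.com, internal subnet 10.0.0.0/8, internal server interface 10.0.0.5,
# public address 203.0.113.10 and private address 10.0.0.10 for the host "www".
$Zone = "example.com"

# 1. Create the Internal zone scope. The zone's default scope keeps the records
#    that anyone on the internet is allowed to see.
Add-DnsServerZoneScope -ZoneName $Zone -Name "Internal"

# 2. The public record goes in the default scope; the private record for the same
#    name goes only in the Internal scope, so it is never served to other clients.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "203.0.113.10"
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name "www" -IPv4Address "10.0.0.10" -ZoneScope "Internal"

# 3a. Single-adapter server: identify internal clients by their source subnet.
Add-DnsServerClientSubnet -Name "InternalSubnet" -IPv4Subnet "10.0.0.0/8"
Add-DnsServerQueryResolutionPolicy -Name "SplitPolicy" -Action ALLOW `
    -ClientSubnet "eq,InternalSubnet" -ZoneScope "Internal,1" -ZoneName $Zone

# 3b. Dual-adapter server: identify internal clients by the interface the query
#     arrives on instead (use either 3a or 3b, not both).
# Add-DnsServerQueryResolutionPolicy -Name "SplitPolicy" -Action ALLOW `
#     -ServerInterface "eq,10.0.0.5" -ZoneScope "Internal,1" -ZoneName $Zone

# 4. Verify: the Internal scope holds only the private record, the policy is
#    bound to the zone, and a query from the internal side gets the private answer.
Get-DnsServerResourceRecord -ZoneName $Zone -ZoneScope "Internal" -RRType A
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
Resolve-DnsName -Name "www.$Zone" -Server 10.0.0.5 -Type A   # from 10.0.0.0/8: expect 10.0.0.10
# The same query from any other subnet (or arriving on the external interface) should answer 203.0.113.10.
```

Run it in an elevated session on the DNS server; the Resolve-DnsName checks are the part worth repeating from both an internal and an external vantage point, since a private address showing up in an answer to an external client means a record landed in the wrong scope or the policy condition does not match what you intended.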

For more detail on creating split-brain or split-horizon zones on DNS servers running Windows Server 2016 or Windows Server 2019, consult the following article: ….


This article was originally published by Microsoft's Azure Blog. You can find the original article here.