Organizations that use a public DNS zone name, such as tailwindtraders.net, for their organization’s internal host names, perhaps even using it with their organization’s Active Directory instance, generally have to configure what is known as split-brain DNS.
Split-Brain or Split-Horizon DNS provides different information about the contents of a DNS zone based on the location that the DNS query originates. For example, a DNS query for the host www.tailwindtraders.net might return a public IP address result for a host on the internet and a private IP address for hosts on the organization’s internal network.
In the past, some organizations would deploy separate DNS servers hosting different copies of the same zone to achieve a split-brain configuration. A DNS server on an internal network would host a version of the zone that had all hostname mappings with the IP addresses that should be returned to internal clients. A DNS server on the perimeter network, or even hosted at the ISP, would host the version of the zone that returned hostnames with public IP addresses.
You can implement split brain DNS on Windows Server 2016 and Windows Server 2019 using two new features known as DNS policies and DNS Zone scopes. DNS policies allow you to customize DNS server responses based on the properties of the requestor. DNS Zone scopes allow you to create different subset collections of DNS zone records, with each zone supporting multiple zone scopes and DNS records being able to be members of multiple zone scopes.
When creating a DNS policy to implement split brain DNS, you need to first configure DNS zone scopes with one zone scope containing the host records that should be returned to an external client and another DNS zone scope containing host records that should be returned to internal clients. Once you have these two zone scopes, you then need to configure DNS policies, one to return records from DNS zone scope to be used by external clients, the other to return records from the DNS zone scope to be used by internal clients.
When you create a DNS policy, you can specify how clients are identified as internal on the basis of client IP address or the network adapter that the request arrives on. If your DNS server has two network adapters, one of which is connected to a perimeter network and another which is connected to the internal network, network interface based policies are the best option. If the DNS server only has a single network adapter, you’ll need to use client subnets.
Usual practice is to place all records that should be available to clients on the public internet into the default zone scope and all records that should be available to internal clients in the internal scope. Once this is done, create a policy that allows access to the internal scope only for queries originating on the internal network interface or client subnets.
You create query resolution policies with the Add-DNSServerQueryResolutionPolicy cmdlet. For example, to create a policy named SplitPolicy that directs clients that address the DNS server on the server interface 172.16.10.10 to the zone scope Internal for the zone tailwindtraders.net, run the command:
Add-DNSServerQueryResolutionPolicy -Name “SplitPolicy” -Action ALLOW -ServerInterface “eq,172.16.10.10” -ZoneScope “Internal,1” -ZoneName “tailwindtraders.net”
To get more detail on the process of creating split brain or split horizon zones on DNS servers running Windows Server 2016 or Windows Server 2019, consult the following docs.microsoft.com article: https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment?WT….