Split Brain DNS and DNS forwarding

This may be an unusual question, but I would like to find out if this is possible.

We have several security zones behind firewall, let's call them LAN, DMZ and Backend.

There is a DNS server (BIND, server name is ns1.domain.com) in the DMZ zone, set up as split DNS, i.e. it resolves domain.com to public addresses for requests made from the Internet and to private NATed addresses for the same domain.com domain for requests coming from the LAN and Backend.

It all works fine; however, now I am introducing Windows 2008 AD into the Backend, as the server base grows and managing SAM databases is not an option anymore. The Windows domain name is DOMAIN.COM. I realise that this may be a confusing setup, but this is done to keep things simple in the naming department.
Naturally this requires using Windows DNS, which is on the same AD.DOMAIN.COM server.
DNS zones on this server work fine, and I have set up a forwarder to ns1.domain.com for any Internet-related queries.
Now the question. If I want to resolve a host located in the DMZ NATed subnet from the Windows host in the Backend (i.e. use the internal part of the split-brain DMZ), how do I make sure that requests for "whatever_is_not_in_windows_domain.com_zone".domain.com are forwarded to the internal split-brain DMZ? Is it possible at all? I realise that I can hardcode them into the Windows DNS server zone, but this looks like a workaround, not a solution...
Hopefully I was clear enough :)


Solution 1:

I don't think this is possible; AD.DOMAIN.COM believes it is the authoritative source for this domain and will respond with NXDOMAIN no matter what.
I would really advise you to create a subdomain to put your AD into. As your setup grows this will become a bigger problem, and manually adding hosts to both zones doesn't seem like a nice task.

It would be possible to run Active Directory with a BIND DNS server.
What you could do is merge the zones and allow updates from the AD.DOMAIN.COM server.
However, this requires the DOMAIN.COM zone to be a dynamic zone.
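
The following is an added example, not part of the original question or either answer, of what Solution 1's recommendation looks like on the BIND side: ns1.domain.com keeps two views of domain.com (the split brain), and the internal view delegates an assumed subdomain ad.domain.com to the Windows DC, so the DC is authoritative only for its own zone and can forward everything else to ns1. All addresses, ACL names, file names, the host names and the subdomain name are assumptions.

```conf
// ---- /etc/named.conf on ns1.domain.com (assumed path) ----

// Who counts as "inside". NOTE: queries the Backend sends through the
// Windows DC arrive at ns1 from the DC's address, not the client's, so
// the DC's subnet must be in this ACL or it will hit the external view.
acl "internal" {
    10.0.0.0/8;          // LAN and Backend (assumed ranges)
    192.168.100.0/24;    // DMZ NATed subnet (assumed)
    localhost;
};

// Views are tried in order; the first match-clients hit wins.
view "internal" {
    match-clients { "internal"; };
    recursion yes;       // internal clients may recurse through ns1

    zone "domain.com" {
        type master;
        file "zones/domain.com.internal";   // private / NATed addresses
    };
};

view "external" {
    match-clients { any; };
    recursion no;        // never recurse for the Internet

    zone "domain.com" {
        type master;
        file "zones/domain.com.external";   // public addresses only
    };
};

// ---- zones/domain.com.internal (assumed content) ----
// $TTL 3600
// @      IN SOA ns1.domain.com. hostmaster.domain.com. (
//                2024010101 3600 900 1209600 300 )
//        IN NS  ns1.domain.com.
// ns1    IN A   192.168.100.10
// www    IN A   192.168.100.20   ; DMZ host, NATed address
//
// ; Delegate the AD forest to the Windows DC. ns1 stays authoritative
// ; for domain.com; the DC is authoritative only for ad.domain.com.
// ad     IN NS  dc1.ad.domain.com.
// dc1.ad IN A   10.1.1.5          ; glue record for the delegated NS
```

With this in place the Windows DNS server hosts only the ad.domain.com zone (the AD domain would be AD.DOMAIN.COM rather than DOMAIN.COM) and forwards all other names, including www.domain.com, to ns1 at 192.168.100.10; because the DC's address matches the "internal" ACL, ns1 answers from the internal view and returns the NATed address. The external zone file carries no delegation for ad, so Internet clients never learn the DC's name or address.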

Solution 2:

I don't think this is possible. The Backend Windows DNS server is authoritative for domain.com and therefore won't forward requests for domain.com to another DNS server. I think your only choice is to add static entries for the DMZ machines into the Backend domain.com zone.