Microsoft Exchange and Blackberry Server Specialists

Split DNS

Short URL: http://semb.ee/splitdns

On This Page

  • Introduction - Why Use a Split DNS System
  • Types of Split DNS System
  • Requirements
  • Configuration Instructions - Single Host Replacement
  • Configuration Instructions - Zone Replacement Method
  • Common Problems with this Setup
  • Questions

 

Introduction - Why Use a Split DNS System?

If you are using a different domain name internally than on the Internet, or have resources internally that are available to the Internet, you may find that you have difficultly connecting to them as the name resolution doesn't return the correct answer.

Examples could be:

  • Your web mail service which you want to work on a single address of webmail.example.com instead of http://servername
  • Your external web site which everyone should be entering in the form www.example.com
  • You are deploying Exchange 2007 or higher with a commercial SSL certificate that does not contain the internal server names
  • You are using Exchange ActiveSync and want clients on the wireless network to work without having to change settings.
  • You are using a single name SSL certificate with Exchange 2007 and higher.
  • You have clients connecting to Exchange 2007 and higher, on your internal network , but NOT members of the domain.

What you need to do is setup a "split DNS" environment.

This is where different results are returned to the client depending on their location - on local network or the Internet.

From November 2015, you will no longer be able to get trusted SSL certificates with internal (eg .local) domain names on them. Therefore a split DNS configuration will be almost mandatory for Exchange 2007 and higher implemetnations.

Types of Split DNS System

There are two different ways to operate a split DNS system:

  1. Replace a single host name in your public DNS
  2. Replace the entire subnet.

If you want to replace the resolution of one or two hosts, then the single host name is best for you, and works well with .local or other non-resolvable domain and with dynamic DNS services. This is the solution usually deployed for use with Exchange 2007 and higher and is also how SBS 2008 and 2011 setup their DNS when configured with the wizards.
If you have lots of hosts or have all of the resources in-house, then the zone replacement method is the best choice, and may already be in use and just needs some additional hosts.

You will need to use the zone replacement method if

  • If your WINDOWS domain is the same name as the INTERNET domain.
  • If your WINDOWS domain is the same name as someone else on the internet.
  • You want to use the SRV record method for autodiscover on Exchange 2007 or higher
  • You want to replace the MX records with a host using a different name.

Requirements

To setup a split DNS system requires the following:

  • Private DNS server - such as your AD DNS server.
    If you are using your DNS server to answer queries from the Internet then you will need to change this. If it is the same DNS server that hosts your Active Directory domain information then that is a big security risk. Your best option is to put it back with the domain name registrar. They will have servers that conform to the RFC standards for DNS servers. If your domain name registrar doesn't offer DNS services move to one that does or use a third party name server hosting service. The market is awash with domain name companies that it shouldn't be too difficult to find one that provides the services you need.
  • A domain name that is used on the internet.
  • For the zone replacement method you will also need your Internet host information.
    For example if you have a web site hosted outside of your network then you will need its PUBLIC IP address.
    Similarly if you have an ftp site, you will need that as well.
    The quickest way is to ping the addresses - preferably from a machine outside of your network and then record the IP addresses returned.
    You do NOT need the external IP addresses of anything that is hosted inside and has an internal IP address.

Configuration Instructions - Single Host Replacement

Setting up a New Zone

  1. On your primary DNS server, start the DNS administration tool.
  2. Right click on the server and choose New Zone.
  3. Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated (you may have to deselect an option).
  4. When asked for the domain name, enter the host that you want to replace.
    For example if you want to replace owa.example.com then you would enter owa.example.com.
  5. Accept the option about creating a file.
  6. As this is not an AD integrated zone, disable dynamic updates.

Adding a Host

Creating the zone is not enough, you need to have a single blank A record in the zone so that something resolves.

  1. Right click on the new zone that you have just created
  2. Choose "New Host (A)". If it is greyed out, double click on the zone and try again.
  3. Leave the host name entry blank.
  4. Enter the internal IP address for the web site.
  5. Press OK.

If you are using the same host name for your MX records, then note that internally they will resolve to the IP address that you have just entered. For Exchange 2003, that will not be a problem unless you have disabled SMTP on a frontend server. On Exchange 2007 if you have a separate Hub Transport Servers and Client Access Servers it could be an issue. You may want to consider using a different host name for your MX records, so that internally they can point at different servers.

Configuration Instructions - Zone Replacement Method

  • If you already have a WINDOWS domain that matches the name used on the Internet and you just wish to add host names for Internet based resources you can skip down to "Adding Internet Based Resources."
  • If you already have a Windows domain that matches the name used on the Internet and you just wish to allow access to local resources that are also available over the Internet you can skip down to "Adding Local Resources Also Available on the Internet".

In these examples we are using example.com as the external domain

Setting up a New Zone

  1. On your primary DNS server, start the DNS administration tool.
  2. Right click on the server and choose New Zone.
  3. Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated (you may have to deselect an option).
  4. Enter the domain name when prompted.
    For example if your web site is www.example.com then you would enter example.com.
  5. Accept the option about creating a file.
  6. As this is not an AD integrated zone, disable dynamic updates.

Adding Internet Based Resources

  1. Right click on the new zone that you have just created, or is pre-existing.
  2. Choose "New Host (A)". If it is greyed out, double click on the zone and try again.
  3. Enter the name that you need to add, minus the domain name.
    For example if you want to add your web site which is on www.example.com then you would just enter "www".
  4. Enter the external IP address for the web site.
  5. Press OK.
  6. Repeat for any other services that you might have on the Internet.
    You do NOT have to add entries for MX records for your domain as your email system will not be looking for these as it will know that it is responsible for that domain.

REMEMBER: After you have made this addition to your DNS the server will no longer lookup DNS information for this domain from the Internet. If there are any changes to the Internet IP addresses then you will need to update your internal DNS server as well.

Adding Local Resources Also Available on the Internet

  1. Right click on the new zone that you have just created, or is pre-existing.
  2. Choose "New Host (A)". If it is greyed out, double click on the zone and try again.
  3. Enter the name that you need to add, minus the domain name.
    For example if you want to add your web site which is on www.example.com then you would just enter "www".
  4. Enter the internal IP address for the web site.
  5. Press OK.
  6. Repeat for any other resources that you have locally that are also available on the Internet.

Common Problems with this Setup

There are a few common issues with this setup which can stop it from working.

  • Host files
    If the "hosts" file has been setup with entries which are different then that can cause odd results as the hosts file overrides what is found by DNS.
  • External DNS servers in the network configuration
    For this setup to work, all clients inside the network need to be using ONLY the internal DNS servers for DNS. No external DNS servers should be listed anywhere. If you need to use external DNS for successful name resolution configure forwarders in the DNS server setup.
  • Proxy Server in the Browser
    If you are using a proxy server then that can also cause unexpected results. The internal hosts should be on the exclusion list.

Questions

Q: I am using a Dynamic IP address. How can I have the same name both internally and externally if my external IP address is changing.
A: You will need to use a Dynamic DNS service. The same process will apply as we have written here for managing MX records on a dynamic IP address.

Q: What hosts do I need to enter for use with Exchange 2007 and higher?
A: You need to have whatever name you are using for OWA - such as owa.example.com or mail.example.com. If you have clients on the internal network who are not members of the domain, then you should also add autodiscover.example.com as another host so that they work correct as well.

Q: Should I select the option to "Create an associated pointer (PTR) record" ?
A: No, you shouldn't set that option as the hosts will most likely already have a record that is AD integrated.