Split Brain DNS allows you to configure the DNS server to return different responses depending on the request source address (IP subnet). In this post, we will look at how to configure Split DNS on Windows Server using DNS policies (supported on Windows Server 2016 and newer).
Suppose your task is to configure DNS so that the web server AppPortal01 resolves to one IP address (192.168.1.6) for internal users and to a different one (172.22.10.6) for external users, who query from the 172.22.10.0/24 subnet.
Connect to the Windows Server running the DNS Server role and open the PowerShell console.
Create a DNS client subnet for the external users. The prefix must be the subnet the queries actually arrive from: a policy matches on the source address the DNS server sees, so clients behind a NAT or a forwarding resolver are matched by that device's address, not their own.
Add-DnsServerClientSubnet -Name "ExtSubnet" -IPv4Subnet "172.22.10.0/24" -PassThru
Then create a separate zone scope in your DNS zone (the default scope keeps the records everyone else sees):
Add-DnsServerZoneScope -ZoneName "poweradm.com" -Name "External"
Add an A record for the web server and bind it to the External zone scope. The default scope of poweradm.com is assumed to already hold the internal record (AppPortal01 -> 192.168.1.6); the policy only decides which scope answers a given client:
Add-DnsServerResourceRecord -ZoneName "poweradm.com" -A -Name "AppPortal01" -IPv4Address 172.22.10.6 -ZoneScope "External"
List entries in the external DNS scope:
Get-DnsServerResourceRecord -ZoneName "poweradm.com" -ZoneScope "External"
You are now ready to create a split-brain DNS policy:
Add-DnsServerQueryResolutionPolicy -Name "SplitDNSExternalWebPolicy" -Action ALLOW -ClientSubnet "eq,ExtSubnet" -ZoneName "poweradm.com" -ZoneScope "External" -PassThru
If a client in 172.22.10.0/24 now resolves AppPortal01.poweradm.com, the server answers from the External scope and returns 172.22.10.6. A query for the same name from any other address does not match the policy, is answered from the default scope, and gets the internal address 192.168.1.6.
If you have multiple Windows DNS servers on your network (usually the AD domain controllers), you must create the same split-brain configuration on each of them: DNS policies are stored per server and are not replicated between servers, so a client that happens to query a server without the policy gets the default-scope answer.
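The whole procedure above, applied to every DNS server in one pass and followed by a verification of both views of the record, as an added example that is not part of the original post. It uses only the names and addresses from the post; the server names DC01 and DC02 are assumptions, as is the use of -ComputerName on the DnsServer cmdlets to target a remote DNS server. Each step checks whether the object already exists, so the script can be re-run safely on a server that is partly configured.

```powershell
# Added example (not from the original post): create the split-brain DNS
# configuration on each DNS server, since DNS policies are per-server.
# Assumed names: DC01, DC02. Zone, subnet and addresses are from the post.

$ZoneName   = 'poweradm.com'
$RecordName = 'AppPortal01'
$InternalIP = '192.168.1.6'
$ExternalIP = '172.22.10.6'
$ExtSubnet  = '172.22.10.0/24'      # must match the subnet the external queries arrive from
$ScopeName  = 'External'
$SubnetName = 'ExtSubnet'
$PolicyName = 'SplitDNSExternalWebPolicy'
$DnsServers = @('DC01', 'DC02')     # assumed; list every DNS server that serves the zone

foreach ($srv in $DnsServers) {
    Write-Host "Configuring split-brain DNS on $srv"

    # 1. Client subnet: the policy matches on the source IP as seen by this server.
    #    Clients behind a NAT or a forwarder appear as the NAT/forwarder address.
    if (-not (Get-DnsServerClientSubnet -ComputerName $srv -Name $SubnetName -ErrorAction SilentlyContinue)) {
        Add-DnsServerClientSubnet -ComputerName $srv -Name $SubnetName -IPv4Subnet $ExtSubnet
    }

    # 2. Zone scope that holds the external view of the records.
    if (-not (Get-DnsServerZoneScope -ComputerName $srv -ZoneName $ZoneName -Name $ScopeName -ErrorAction SilentlyContinue)) {
        Add-DnsServerZoneScope -ComputerName $srv -ZoneName $ZoneName -Name $ScopeName
    }

    # 3. Internal record in the default scope; without it internal clients get
    #    NXDOMAIN instead of 192.168.1.6.
    if (-not (Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -Name $RecordName -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -A -Name $RecordName -IPv4Address $InternalIP
    }

    # 4. External record in the External scope only.
    if (-not (Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -ZoneScope $ScopeName -Name $RecordName -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -ZoneScope $ScopeName -A -Name $RecordName -IPv4Address $ExternalIP
    }

    # 5. Query resolution policy: queries from ExtSubnet are answered from the
    #    External scope; all other queries fall through to the default scope.
    if (-not (Get-DnsServerQueryResolutionPolicy -ComputerName $srv -ZoneName $ZoneName -Name $PolicyName -ErrorAction SilentlyContinue)) {
        Add-DnsServerQueryResolutionPolicy -ComputerName $srv -Name $PolicyName -Action ALLOW `
            -ClientSubnet "eq,$SubnetName" -ZoneName $ZoneName -ZoneScope $ScopeName
    }

    # Verification: both views of the record, and the policy that selects between them.
    Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -Name $RecordName -RRType A |
        Select-Object @{n='Server';e={$srv}}, @{n='Scope';e={'(default)'}}, HostName, @{n='IP';e={$_.RecordData.IPv4Address}}
    Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -ZoneScope $ScopeName -Name $RecordName -RRType A |
        Select-Object @{n='Server';e={$srv}}, @{n='Scope';e={$ScopeName}}, HostName, @{n='IP';e={$_.RecordData.IPv4Address}}
    Get-DnsServerQueryResolutionPolicy -ComputerName $srv -ZoneName $ZoneName |
        Select-Object @{n='Server';e={$srv}}, Name, ProcessingOrder, IsEnabled, Action
}

# End-to-end check, run from a client on each subnet (not on the server):
#   Resolve-DnsName -Name "$RecordName.$ZoneName" -Server DC01 -Type A
# A client in 172.22.10.0/24 should get 172.22.10.6; any other client 192.168.1.6.
```

Run the Resolve-DnsName check against each server in $DnsServers, not just one: a server that was missed (or where the policy was later disabled) silently hands external clients the internal address, which is exactly the leak split-brain DNS is meant to prevent.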