Configuring Split-Brain DNS on Windows Server / Windows / Windows Server / Configuring Split-Brain DNS on Windows Server

Split Brain DNS allows you to configure the DNS server to return different responses depending on the request source address (IP subnet). In this post, we will look at how to configure Split DNS on Windows Server using DNS policies (supported on Windows Server 2016 and newer).

Suppose your task is to configure DNS to return one IP address ( for a web server called AppPortal01 for internal users and another IP address ( for external users (from subnet).

In this case, it is assumed that the web server is configured to accept connections from both IP addresses.

Connect to the Windows Server running the DNS Server role and open the PowerShell console.

Create a DNS subnet for external users:

Add-DnsServerClientSubnet -Name "ExtSubnet" -IPv4Subnet "" -PassThru

Then create a separate scope in your DNS zone:

Add-DnsServerZoneScope -ZoneName "" -Name "External"

Add an A record in the DNS zone for your web server and bind it to the External zone:

Add-DnsServerResourceRecord -ZoneName ""-A -Name "AppPortal01" -IPv4Address -ZoneScope "External"

List entries in the external DNS scope:

Get-DnsServerResourceRecord -ZoneName "" -ZoneScope "External"

You are now ready to create a split-brain DNS policy:

Configure Split Brain DNS on Windows Server

Add-DnsServerQueryResolutionPolicy -Name "SplitDNSExternalWebPolicy" -Action ALLOW -ClientSubnet "eq,ExtSubnet" -ZoneName "" -ZoneScope "External" -PassThru

If the user now tries to resolve the name AppPortal01 from the subnet, the DNS server will return the IP address However, when resolving this name from any other subnet, the DNS server returns a different webserver IP address.

If you have multiple Windows Server DNS servers on your network (usually these are AD domain controllers), you must create the same Split Brain DNS policy on each of them. This is because DNS policies are not replicated between servers.

Leave a Reply

Your email address will not be published. Required fields are marked *