DNS best practice (split-brain)

  • #1

    I've recently created a new domain (something.com) in a new forest. It now includes a half-dozen servers (multiple DCs, a trust with another forest), and I'm using it under Hyper-V mostly for testing purposes. An Exchange 2010 server and an internet-facing IIS server are also part of it (25 and 80 are currently the only open ports on my router).

    I've been reading up on DNS and it appears I've done it the wrong way (split-brain), since I'm using something.com for my internal as well as my external network. From what I've read, it's not only more complex to administer but also less secure. Could someone provide some guidance on:

    - how I should have done it to begin with (something.net/something.local for internal and something.com for external?)
    - how big of a security risk or management nightmare my current setup is, and whether there are any steps to reduce it.
    - if a domain will only be internally facing, is something.local the recommended way to go? What if it needs to be externally accessible (Exchange, IIS) down the line; does that represent any issues?

    Thank you in advance to anyone that can help me out.

  • #2
    Re: DNS best practice (split-brain)

    Originally posted by CypherBit View Post

    - how I should have done it to begin with (something.net/something.local for internal and something.com for external?)
    What you did is not wrong, just another way of setting up DNS.

    - how big of a security risk or management nightmare my current setup is, and whether there are any steps to reduce it.
    Unless port 53 is open to the internet there is no risk.

    - if a domain will only be internally facing, is something.local the recommended way to go? What if it needs to be externally accessible (Exchange, IIS) down the line; does that represent any issues?
    External access is not the issue with split-brain DNS; the issue comes from internal users accessing resources on the internet.

    .local is not recommended, anything else would be ok.
    ad.something.com
    corp.something.com
    something.int
    something.internal

    • #3
      Re: DNS best practice (split-brain)

      Originally posted by CypherBit View Post
      - how I should have done it to begin with (something.net/something.local for internal and something.com for external?)
      In Microsoft's opinion, at least for their Active Directory design exam materials, they often use examples of a company using their external domain with an internal only subdomain. For example Contoso.com is the externally accessible name but corp.Contoso.com or HQ.contoso.com is the internal Active Directory forest root domain. The argument about what to name your internal Active Directory domain is as old as Active Directory itself. Using a private subdomain is very doable and plenty of places use this scheme.

      Originally posted by CypherBit View Post
      - if a domain will only be internally facing, is something.local the recommended way to go?
      The concern for some people (including me) is that .local could very well be registered some day, since top-level domains have recently been released to virtually anyone with enough cash to reserve one. RFC 2606 only reserves these four TLDs: .example, .invalid, .localhost and .test. None of them are semantically suitable for creating a production internal domain. Having said that, I've worked in one place that used the .local TLD for the internal AD domain and also used the .local TLD for a new SBS 2008 domain. Microsoft now seems to be forcing SBS networks to keep using the .local domain, which makes me think that MSFT is at least not against the practice (yes, you can change the .local TLD in SBS 08 with an answer file when installing the server). Maybe Microsoft will be kind enough to register the .local domain publicly and then mothball it for safekeeping.


      Originally posted by CypherBit View Post
      What if it needs to be externally accessible (Exchange, IIS) down the line; does that represent any issues?
      That doesn't cause any problems. Just open the proper firewall ports and point them to the proper servers.
      Last edited by Nonapeptide; 27th June 2009, 19:46.
      Wesley David
      LinkedIn | Careers 2.0
      -------------------------------
      Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
      Vendor Neutral Certifications: CWNA
      Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
      Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

      • #4
        Re: DNS best practice (split-brain)

        Originally posted by Garen View Post
        What you did is not wrong, just another way of setting up DNS.
        OK, I'm just starting to prepare for the 70-640 and the MS material states it shouldn't be done this way. I've seen it elsewhere, where they used that exact approach, and just wanted to make sure I'm not doing something wrong.

        Originally posted by Garen View Post
        Unless port 53 is open to the internet there is no risk.
        In which cases would I even need the DNS server to be accessible externally (so that the port would be opened)?

        Originally posted by Garen View Post
        External access is not the issue with split-brain DNS; the issue comes from internal users accessing resources on the internet.

        .local is not recommended, anything else would be ok.
        ad.something.com
        corp.something.com
        something.int
        something.internal
        Could you provide some examples of the kinds of issues that arise with internal users accessing resources on the internet?

        OK, I assume .local is not recommended for the issues also outlined by Nonapeptide.


        Originally posted by Nonapeptide View Post
        In Microsoft's opinion, at least for their Active Directory design exam materials, they often use examples of a company using their external domain with an internal only subdomain. For example Contoso.com is the externally accessible name but corp.Contoso.com or HQ.contoso.com is the internal Active Directory forest root domain. The argument about what to name your internal Active Directory domain is as old as Active Directory itself. Using a private subdomain is very doable and plenty of places use this scheme.
        I see. In the materials I'm reading now they have contoso.net for internal and contoso.com for external.

        Originally posted by Nonapeptide View Post
        The concern for some people (including me) is that .local could very well be registered some day, since top-level domains have recently been released to virtually anyone with enough cash to reserve one. RFC 2606 only reserves these four TLDs: .example, .invalid, .localhost and .test. None of them are semantically suitable for creating a production internal domain. Having said that, I've worked in one place that used the .local TLD for the internal AD domain and also used the .local TLD for a new SBS 2008 domain. Microsoft now seems to be forcing SBS networks to keep using the .local domain, which makes me think that MSFT is at least not against the practice (yes, you can change the .local TLD in SBS 08 with an answer file when installing the server). Maybe Microsoft will be kind enough to register the .local domain publicly and then mothball it for safekeeping.
        Makes sense.

        Originally posted by Nonapeptide View Post
        That doesn't cause any problems. Just open the proper firewall ports and point them to the proper servers.
        OK.


        Thank you both; as stated, I'm just preparing for the 70-640 and am learning as I go.

        • #5
          Re: DNS best practice (split-brain)

          Originally posted by CypherBit View Post
          I see. In the materials I'm reading now they have contoso.net for internal and contoso.com for external.
          Out of curiosity, which materials are you using? I used MS Press almost exclusively. (Great sleeping aids, BTW -- I say this as I'm nodding off doing practice exam questions for the 70-297.)
          • #6
            Re: DNS best practice (split-brain)

            Originally posted by Nonapeptide View Post
            Out of curiosity, which materials are you using? I used MS Press almost exclusively. (Great sleeping aids, BTW -- I say this as I'm nodding off doing practice exam questions for the 70-297.)
            I'm using MS Press as well, just the 70-640.

            I'll list what they stated about the split-brain syndrome:
            - One of the basic tenets of networking is the separation of the internal network from the internet. The most common mechanism for this is a firewall.
            - If one uses the same name for the internal and external network (for example contoso.com; they state that this is by no means a best practice), you have to implement a split-brain DNS, since you need to maintain two namespaces for two purposes across the firewall (which is very complex). DNS admins would need to manage the separation manually between the internal and the external name resolution mechanisms.
            - If, for example, contoso.net and contoso.com were used, DNS admins wouldn't need to do anything, since the fact that they use different roots automatically segregates them.

            • #7
              Re: DNS best practice (split-brain)

              MS documentation usually assumes an enterprise environment, in this case one with many public servers.

              In most cases a split-brain DNS involves no more complexity than dropping an "A" record for "www" pointing to the public IP of your web server.

              Also note that if you register something.com but use something.net as your AD domain, then make sure you also register that.

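The maintenance problem Garen describes in #2 and #7, and the MS Press wording quoted in #6, comes down to one rule of authoritative DNS: a server that hosts a zone answers for every name under it and never forwards a miss. The following is an added example, not code from the thread or from any poster, that models that rule with constructed zone data (the something.com, corp.something.com, 10.0.0.x and 203.0.113.x values are made up). It shows an internal user getting NXDOMAIN for www.something.com when the public record was not mirrored into the internal copy of the zone, shows that the corp.something.com subdomain scheme avoids the problem because the internal server is not authoritative for the parent, and includes the drift check a DNS admin running split-brain would want to keep running.

```python
# Added example (not from the forum thread): a small model of how a resolver that is
# authoritative for a zone answers, used to show the split-brain maintenance issue.
from typing import Dict, List, Optional

Zones = Dict[str, Dict[str, str]]  # zone origin -> {owner label: IPv4 address}

# Constructed sample data. Internal DNS hosts a private copy of something.com
# (split-brain); the public zone is what the registrar-side DNS publishes.
INTERNAL_SPLIT_BRAIN: Zones = {
    "something.com": {
        "dc1": "10.0.0.10",
        "mail": "10.0.0.20",   # internal users reach Exchange on its private address
        # "www" is intentionally absent: the public record was never mirrored
    },
}
# Alternative scheme from #3: AD lives in a subdomain, parent zone stays public-only.
INTERNAL_SUBDOMAIN: Zones = {
    "corp.something.com": {
        "dc1": "10.0.0.10",
        "mail": "10.0.0.20",
    },
}
PUBLIC: Zones = {
    "something.com": {
        "www": "203.0.113.80",
        "mail": "203.0.113.25",
    },
}


def authoritative_zone(name: str, zones: Zones) -> Optional[str]:
    """Return the longest hosted zone that contains `name`, or None if not hosted."""
    best = None
    for origin in zones:
        if name == origin or name.endswith("." + origin):
            if best is None or len(origin) > len(best):
                best = origin
    return best


def _lookup(name: str, origin: str, zones: Zones) -> Optional[str]:
    """Owner label relative to the zone origin ('@' for the apex), then the record."""
    label = "@" if name == origin else name[: -(len(origin) + 1)]
    return zones[origin].get(label)


def resolve(name: str, local: Zones, public: Zones) -> Optional[str]:
    """Answer as a client of a resolver that hosts `local` and forwards the rest to `public`.

    Returns the A-record target, or None for NXDOMAIN. A zone the local server hosts is
    never forwarded: if the name is missing there, the client gets NXDOMAIN even though
    the public zone has it. That is the split-brain failure mode.
    """
    origin = authoritative_zone(name, local)
    if origin is not None:
        return _lookup(name, origin, local)
    origin = authoritative_zone(name, public)
    if origin is None:
        return None
    return _lookup(name, origin, public)


def split_brain_drift(local: Zones, public: Zones) -> List[str]:
    """Public names inside a zone the internal server also hosts that lack an internal record.

    Each entry is a name internal users cannot resolve until an admin adds it (or a
    deliberate internal override) to the internal copy of the zone.
    """
    missing = []
    for origin, records in public.items():
        if origin in local:
            for label in records:
                if label not in local[origin]:
                    missing.append(f"{label}.{origin}")
    return sorted(missing)


if __name__ == "__main__":
    print("split-brain, internal user, www:", resolve("www.something.com", INTERNAL_SPLIT_BRAIN, PUBLIC))
    print("subdomain scheme, internal user, www:", resolve("www.something.com", INTERNAL_SUBDOMAIN, PUBLIC))
    print("records to mirror internally:", split_brain_drift(INTERNAL_SPLIT_BRAIN, PUBLIC))
```

Against a real deployment the same drift check is done by querying the internal DNS server and a public resolver for each name in the public zone and comparing the answers; the model above only replaces the network queries with inline dictionaries so it runs offline.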
              • #8
                Re: DNS best practice (split-brain)

                Originally posted by Garen View Post
                Also note that if you register something.com but use something.net as your AD domain, then make sure you also register that.
                Thanks Garen, they do state that in the literature as well; could you perhaps elaborate on why this is the case?

                • #9
                  Re: DNS best practice (split-brain)

                  Using split-brain DNS can simplify internally hosted resources such as an SSL website, by having a single publicly signed SSL cert that has a valid DNS name both internally and externally.

                  For some more $$ a cert which can have additional names can be used instead, of course, or even a router/firewall with NAT loopback, but sometimes having another tool in your arsenal saves the day.

                  • #10
                    Re: DNS best practice (split-brain)

                    Dawson thanks for the tip.
