Windows Server DNS Policy split-brain 3

Source: Internet
Author: User
Tags define dns

In DNS management may encounter such problems, for example, a company's DNS is provided to the intranet users to resolve the use, but also provided to the public network users to resolve the use, but may not be used by the intranet users, or the public network users use a few, resulting in one party may only use a few records, However, they have to maintain a separate DNS server, in the past, security considerations can only do this, deploy multiple DNS servers, but to the way DNS support split deployment, define DNS policy, implement different network adapters assume different DNS query requests, such as can be defined, Usually through the intranet interface in the query to go through the DNS network card, through the external network card in the query to go out of DNS network card. This makes it very well to isolate DNS queries on a single server.


Here we will simulate such a scenario, Contoso is a game company, intranet users need to access OA, million network users need to access the game official website, at the same time by the same DNS to undertake internal and external network requests, intranet users come in and out of the intranet interface, extranet users come in and out of the network interface other than the interface.



Introduction to the experimental environment


16DNS: Assume the DNS server, set up in the company headquarters, set up two network cards one to provide services internally, an external service

IP Address: 80.0.0.8 gw:80.0.0.1

IP Address: 90.0.0.9 gw:90.0.0.1

WEB01: Undertake intranet OA Office Server, also undertake the connection headquarters DNS, intranet, external network client routing

IP address 1:80.0.0.1

IP address 2:90.0.0.1

IP address 3:100.0.0.1 DNS 80.0.0.8

WEB02: Undertake external website Web server, IP address: 90.0.0.2 gw:90.0.0.1

internal : Emulate intranet employee IP address: 80.0.0.100  gw:80.0.0.1 DNS: 80.0.0.8

internet : Imitate the external network game User IP address: 90.0.0.100 gw:90.0.0.1 dns:90.0.0.9


Assuming that the 90 network is a public network, 16DNS is deploying DNS for splitting


The client subnet range is not created because we are using an interface for isolation


Create an "internal logical range" directly

Add-dnsserverzonescope-zonename "eip.com"-name "internal"


650) this.width=650; "src=" Https://s3.51cto.com/wyfs02/M01/92/D2/wKioL1kDTCSwipfvAACshxtsbMg249.jpg "title=" 2017-04-28_220457.jpg "alt=" Wkiol1kdtcswipfvaacshxtsbmg249.jpg "/>

Add a host record that provides services to the public network

650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M01/92/D2/wKioL1kDTQuAA9KfAACGQGmzoSM097.jpg "title=" 2017-04-28_220900.jpg "alt=" Wkiol1kdtquaa9kfaacgqgmzosm097.jpg "/>

Add host records for the server on the intranet and join the internal zonescope zone

650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M02/92/D3/wKioL1kDUBDz3ECTAACm7O08InU471.jpg "title=" 2017-04-28_222130.jpg "alt=" Wkiol1kdubdz3ectaacm7o08inu471.jpg "/>


Create DNS policy, define all the DNS server 80.0.0.8 this interface to do the query, all dropped to the intranet OA server responsible for response

Add-dnsserverqueryresolutionpolicy-name "Splitbrainzonepolicy"-action allow-serverinterface "eq,80.0.0.8"- Zonescope "internal,1"-zonename "eip.com"

650) this.width=650; "src=" Https://s3.51cto.com/wyfs02/M00/92/D4/wKiom1kDUUizKTFlAABcj3vghTU086.jpg "title=" 2017-04-28_222659.jpg "alt=" Wkiom1kduuizktflaabcj3vghtu086.jpg "/>

By default, if you create a DNS policy that is based on the interface judgment, other interfaces that are not matched by the protocol are automatically taken by the other available interface, except that the request that already matches the interface will go according to the protocol.


Log in to the internal internal machine and you can see that DNS is already set up as an internal interface 80.0.0.8


650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M02/92/D3/wKioL1kDUwmCKjhRAAHcHn73gpw578.jpg "title=" 2017-04-28_223423.jpg "alt=" Wkiol1kduwmckjhraahchn73gpw578.jpg "/>


Access www.eip.com automatically jump to intranet OA server responsible for response


650) this.width=650; "src=" Https://s1.51cto.com/wyfs02/M00/92/D3/wKioL1kDUy3jrAhLAADnxJxWx1M513.jpg "title=" 2017-04-28_223432.jpg "alt=" Wkiol1kduy3jrahlaadnxjxwx1m513.jpg "/>


Log on to the outside of the Internet machine, you can see that DNS has been set to the external interface 90.0.0.9


650) this.width=650; "src=" Https://s4.51cto.com/wyfs02/M02/92/D5/wKiom1kDU2mwrlRGAAF_XXQwavg627.jpg "title=" 2017-04-28_223611.jpg "alt=" Wkiom1kdu2mwrlrgaaf_xxqwavg627.jpg "/>


Access www.eip.com Auto Jump to extranet Portal Server responsible for response


650) this.width=650; "src=" Https://s5.51cto.com/wyfs02/M00/92/D5/wKiom1kDU5CAfbicAAEqFG7TIsQ318.jpg "title=" 2017-04-28_223649.jpg "alt=" Wkiom1kdu5cafbicaaeqfg7tisq318.jpg "/>

Can see the DNS server is very smart, has been based on the client's request to allocate a different interface to respond to query requests, assuming the company wants to use the same domain name, internal and external network access response to different pages, through this function can be very good implementation.

This article from "a Stubborn island" blog, reproduced please contact the author!

Windows Server DNS Policy split-brain 3

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.