In DNS management you may run into the following problem: a company's DNS server serves both intranet users and public-network users, but one side uses only a handful of records while the other may use few or none. For security reasons the only option used to be to maintain a separate DNS server for each side, that is, to deploy multiple DNS servers. Windows Server DNS now supports a split-brain deployment: you define a DNS policy so that different network adapters take different DNS query requests. For example, queries arriving on the intranet adapter are answered by the intranet-facing set of records, and queries arriving on the external adapter are answered by the external-facing set. This isolates DNS queries very well on a single server.
Here we will simulate such a scenario. Contoso is a game company: intranet users need to access the OA system, and external users need to access the game's official website, with the same DNS server handling both intranet and external requests. Intranet users come in and go out through the intranet interface, and external users come in and go out through the external interface.
Introduction to the lab environment
16DNS: the DNS server, located at company headquarters, with two network adapters, one serving the intranet and one serving the public network
    IP address: 80.0.0.8, gateway: 80.0.0.1
    IP address: 90.0.0.9, gateway: 90.0.0.1
WEB01: the intranet OA office server; it also routes between the headquarters DNS server, the intranet clients and the external clients
    IP address 1: 80.0.0.1
    IP address 2: 90.0.0.1
    IP address 3: 100.0.0.1, DNS: 80.0.0.8
WEB02: the external website web server. IP address: 90.0.0.2, gateway: 90.0.0.1
internal: simulates an intranet employee. IP address: 80.0.0.100, gateway: 80.0.0.1, DNS: 80.0.0.8
internet: simulates an external game user. IP address: 90.0.0.100, gateway: 90.0.0.1, DNS: 90.0.0.9
Assume the 90.0.0.0 network is the public network. On 16DNS, deploy split-brain DNS as follows.
No client subnet is created, because isolation here is based on the server interface rather than on the client's subnet.
Create the "internal" zone scope directly:
Add-DnsServerZoneScope -ZoneName "eip.com" -Name "internal"
Add a host record, in the zone's default scope, that serves the public network.
Add a host record for the intranet server and place it in the "internal" zone scope.
Create the DNS policy: every query that arrives on the DNS server's 80.0.0.8 interface is answered from the "internal" scope, that is, by the intranet OA server.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW -ServerInterfaceIP "EQ,80.0.0.8" -ZoneScope "internal,1" -ZoneName "eip.com"
By default, when a DNS policy matches on the server interface, queries that arrive on the matched interface are answered according to the policy, while queries arriving on any other interface (which match no policy) fall through and are answered from the zone's default scope.
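The whole procedure above, from zone scope to policy, as one added PowerShell script followed by a check that each interface answers from its own scope. This is an added example, not the original post's commands; the record addresses (www.eip.com -> WEB02 at 90.0.0.2 in the default scope, www.eip.com -> WEB01 at 100.0.0.1 in the internal scope) and the zone creation step are assumptions, since the post shows those steps only as screenshots.

```powershell
# Added example (not from the original post): split-brain eip.com on 16DNS,
# then verify per interface. Assumed: public www -> 90.0.0.2, intranet www -> 100.0.0.1.
$ZoneName   = "eip.com"
$InternalIf = "80.0.0.8"   # adapter facing the intranet
$ExternalIf = "90.0.0.9"   # adapter facing the public network
$PublicWeb  = "90.0.0.2"   # WEB02, external website (assumed record value)
$IntranetOA = "100.0.0.1"  # WEB01, intranet OA server (assumed record value)

# 1. Zone (created only if missing) and the extra scope that only intranet queries reach
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
}
Add-DnsServerZoneScope -ZoneName $ZoneName -Name "internal"

# 2. Same host name in both scopes, different answers
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "www" -IPv4Address $PublicWeb
Add-DnsServerResourceRecord -ZoneName $ZoneName -A -Name "www" -IPv4Address $IntranetOA `
    -ZoneScope "internal"

# 3. Policy: queries arriving on the intranet interface are answered from "internal";
#    queries on any other interface match nothing and fall through to the default scope.
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainZonePolicy" -Action ALLOW `
    -ServerInterfaceIP "EQ,$InternalIf" -ZoneScope "internal,1" -ZoneName $ZoneName

# 4. Verify from the server itself. Resolve-DnsName -Server targets one interface IP,
#    so the query arrives on that interface and is evaluated against the policy.
function Test-SplitBrainAnswer {
    param([string]$ServerIP, [string]$Expected)
    $answers = Resolve-DnsName -Name "www.$ZoneName" -Type A -Server $ServerIP -DnsOnly |
               Where-Object { $_.Type -eq "A" } | ForEach-Object { $_.IPAddress }
    [pscustomobject]@{
        Interface = $ServerIP
        Answers   = ($answers -join ",")
        OK        = [bool]($answers -contains $Expected)
    }
}
Test-SplitBrainAnswer -ServerIP $InternalIf -Expected $IntranetOA   # expect 100.0.0.1
Test-SplitBrainAnswer -ServerIP $ExternalIf -Expected $PublicWeb    # expect 90.0.0.2

# Leak check: list what lives in the internal scope; none of it should appear
# in the answer returned through the public interface above.
Get-DnsServerResourceRecord -ZoneName $ZoneName -ZoneScope "internal" -RRType A
```

If the external-interface test returns the intranet address, the policy is not matching (check Get-DnsServerQueryResolutionPolicy -ZoneName eip.com) or the record was added to the wrong scope.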
Log in to the internal machine; its DNS server is already set to the internal interface, 80.0.0.8.
Accessing www.eip.com is automatically directed to the intranet OA server, which answers the request.
Log on to the internet machine; its DNS server is set to the external interface, 90.0.0.9.
Accessing www.eip.com is automatically directed to the external portal server, which answers the request.
As you can see, the DNS server has been answering each query from a different interface based on where the client's request arrived. If the company wants the same domain name to return different pages for internal and external access, this feature implements that very well.
This article is from the "a Stubborn island" blog; please contact the author before reproducing it.
Windows Server DNS Policy split-brain 3