Jude's Blog

Split DNS! Something to consider when designing your Domain Environment


Hello everyone, so today there was a situation where I had some issues with my newly deployed test environment: some users were having trouble connecting to their email. In my lab scenario the organization, let's call it Contoso, went through a new infrastructure deployment where a new domain (contoso.com) was configured. The DCs had been deployed just a day before and were in the fine-tuning stage.

Here’s the scenario:

  • Internal domain – contoso.com
  • External domain – contoso.com
  • E-mail domain – contoso.com
  • E-mail Provider – 3rd Party Hosted with POP
  • E-mail Client – Microsoft Outlook

The symptoms were that the client mail connection was lost. However, some clients were able to communicate, while most, according to the clients, experienced send/receive issues.

So, let's go through what happened here by checking the two scenarios:

Users Who Cannot Connect

For the users who could not connect, the Outlook client reported that it couldn't find the server. The Send/Receive status showed that the inbound/outbound servers could not be connected to. When trying to resolve the MX record using NSLOOKUP, no entry was returned except the SOA.

So I looked at their network settings and noticed that their primary DNS was set to the internal DNS server and the secondary to an external one.

Users Who Could Connect

Noticing the above, I did the same thing here: nslookup was able to resolve the MX record and returned the correct values. Upon checking the network IP settings, it turned out that the primary DNS IP was set to an external server.


So the conclusion was that the internal DNS was unable to resolve the MX record, as well as any mail-related DNS records, even though they were properly set up at the public DNS registrar.

Now let's look at what happened.

For users who can connect, things happened like this. When Outlook initiates a connection, it tries to resolve the records (FQDNs) it needs in order to connect. For that, it will:

  1. Look in the DNS cache on the client computer first.
  2. Query the primary DNS server assigned to get an authoritative reply.
  3. Query the secondary DNS server assigned for an authoritative reply.

Now, since the client had been given 8.8.8.8 (Google DNS) as primary, all queries were sent to that address and resolved successfully, leaving a happy client.

Now for the users who had the internal DNS server as primary, the request was sent to the local DNS server, and that server didn't give a response that would let Outlook connect.

The reason had to do with the internal and external domain names being the SAME!

Now, if someone asks why: when the client queries for mail.contoso.com, it looks for the matching name on the local DNS server. The local DNS server receives the query and sees that it is itself authoritative for the contoso.com zone, so it answers from its own zone data rather than forwarding the query out to the Internet. However, in this new environment, NO mail.contoso.com nor any other mail-related records were present. Because of this, the DNS server replies with a negative answer (only the SOA, as seen in nslookup). A negative answer from an authoritative server is a valid response, so the client accepts it instead of falling over to the secondary DNS server, and therefore cannot connect.

So we call this situation a SPLIT DNS scenario. Now, how to make things work?

The only thing you need to do is create, on your local DNS server, the pointers that are sitting out on the Internet. In my case, I created A records with the hostnames/IPs pointing to the Internet. So now, when a request comes in for mail.contoso.com, the local DNS server sees that there is an entry present pointing to an Internet IP address, and the client uses this to connect to the relevant service.

So what's the catch here?

If your internal domain name = external domain name in your environment, you are in a split DNS environment, and you need to provide pointers for all your external-domain-based services on your local server.
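As an added illustration (not the author's code, and it queries no real resolver), the following Python snippet models the behaviour described above: the client's server order, the internal server answering authoritatively for contoso.com instead of forwarding, and the effect of adding the pointer records. All names, addresses and the DnsServer/stub_resolve/resolve_mail/missing_pointers functions are assumptions constructed for this example.

```python
# Hypothetical simulation written for this post (not the author's tool or a
# real resolver). Rule modelled: a stub resolver falls over to its secondary
# server only when the primary does not answer at all; a negative answer from
# a server authoritative for the zone is accepted as final.

# Constructed sample zone data; addresses are documentation-range placeholders.
PUBLIC_RECORDS = {"mail.contoso.com": "203.0.113.10", "www.contoso.com": "203.0.113.20"}
INTERNAL_RECORDS = {"dc1.contoso.com": "10.0.0.5"}  # day-old AD zone, no mail records


class DnsServer:
    def __init__(self, zone, records, forwarder=None, reachable=True):
        self.zone, self.records = zone, dict(records)
        self.forwarder, self.reachable = forwarder, reachable

    def query(self, name):
        """Return (status, address); status is OK, NXDOMAIN or TIMEOUT."""
        if not self.reachable:
            return "TIMEOUT", None
        if name == self.zone or name.endswith("." + self.zone):
            # Authoritative for this zone: answer from local data, never forward.
            return ("OK", self.records[name]) if name in self.records else ("NXDOMAIN", None)
        return self.forwarder.query(name) if self.forwarder else ("NXDOMAIN", None)


def stub_resolve(name, servers):
    """Client side: try servers in order, moving on only when one times out."""
    for server in servers:
        status, addr = server.query(name)
        if status != "TIMEOUT":
            return status, addr  # a negative answer also ends the search
    return "TIMEOUT", None


def missing_pointers(public, internal):
    """Public names the internal zone lacks: the records the post says to add."""
    return {n: a for n, a in public.items() if n not in internal}


def resolve_mail(primary_internal=True, internal_reachable=True, fix_applied=False):
    """Resolve mail.contoso.com for one client in the lab described above."""
    public = DnsServer("contoso.com", PUBLIC_RECORDS)  # stands in for 8.8.8.8
    internal = DnsServer("contoso.com", INTERNAL_RECORDS, public, internal_reachable)
    if fix_applied:  # the split-DNS fix: copy the public pointers into the internal zone
        internal.records.update(missing_pointers(PUBLIC_RECORDS, internal.records))
    order = [internal, public] if primary_internal else [public, internal]
    return stub_resolve("mail.contoso.com", order)
```

missing_pointers() is the check worth re-running whenever a public record changes, since the internal copies only stay correct while they match the public ones.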

[Figure: dns query - split dns]

If you have any such scenarios or suggestions to improve this article, please let us know 🙂


Written by judeperera

February 21, 2014 at 9:48 am
