Monday, October 7, 2013

I. What is STEALTH DNS or SPLIT-BRAIN DNS?
Split-brain DNS is a configuration method that enables proper resolution of names (e.g., www.hackinsight.org) from both inside and outside of your local network. In this architecture we keep external clients' requests away from our secured internal DNS servers. For external clients (such as a company employee working from home or from some other public location) we host an external DNS server in the DMZ network, which replies to all queries coming from the public network. For internal clients we have a DNS server in the private network. This DNS server is responsible for all queries coming from internal clients.
II. So what do we need to configure a Split-Brain DNS Infrastructure?
1) A Private Network: Keep all internal clients, database servers, etc. in this private network, along with a DNS server that holds the private IP host records for your resources. The DNS server in this network is responsible for all internal clients' queries.
2) A DMZ Network: This is an internet-facing network that sits between two firewalls, one facing the internet and the other facing the secured internal network. In this DMZ we usually keep all our web servers. Here you have to implement a DMZ DNS server that contains the public IP host records for your resources. This DNS server is responsible for handling all external clients' queries.
III. Let's take a scenario!
When I come to the office, I am connected to my company's private network. Whenever I query for www.hackinsight.org, the internal DNS server responds with the web server's private IP address; I then reach the web server with that information and get my desired web page.
When I log out and log in from home (a public network) and query for www.hackinsight.org, the query is answered by the external DNS server with the web server's public IP address, and then I get the desired web page.
IV. What did we achieve?
~In the above scenario, we kept our Internal DNS server information hidden from external clients and responded back with Public IP information. We achieved Security goals.
~Also, we are dividing the name resolution load for external and internal users between external and Internal DNS servers. We achieved fast name resolution goals.
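A check that the split actually holds, as an added example that is not part of the original post: it compares the record sets of the two servers, flags any private (RFC 1918) address published on the external side, and flags external names that internal clients could not resolve. The zone contents, host names other than www.hackinsight.org, and function names are constructed for illustration, and it assumes the internal server is authoritative for the same zone.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly: ipaddress' is_private would also
# flag documentation ranges such as 203.0.113.0/24 used below.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (not from the original post).
INTERNAL_ZONE = """\
www.hackinsight.org.   300 IN A 10.0.5.20
db01.hackinsight.org.  300 IN A 10.0.8.11
"""
EXTERNAL_ZONE = """\
www.hackinsight.org.   300 IN A 203.0.113.20
db01.hackinsight.org.  300 IN A 10.0.8.11    ; copied over by mistake
mail.hackinsight.org.  300 IN A 203.0.113.25
"""

def parse_a_records(text):
    """Return {name: set(IPv4Address)} from 'name ttl IN A addr' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) != 5 or [f.upper() for f in fields[2:4]] != ["IN", "A"]:
            continue  # skip blanks and anything that is not an A record
        name = fields[0].lower().rstrip(".")
        records.setdefault(name, set()).add(ipaddress.ip_address(fields[4]))
    return records

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def audit_split(internal_text, external_text):
    """Return (name, address, problem) tuples for the external record set."""
    internal = parse_a_records(internal_text)
    external = parse_a_records(external_text)
    findings = []
    for name, addrs in sorted(external.items()):
        for addr in sorted(addrs):
            if is_rfc1918(addr):
                findings.append((name, str(addr), "private address in external zone"))
        if name not in internal:
            findings.append((name, None, "missing from internal zone"))
    return findings

if __name__ == "__main__":
    for finding in audit_split(INTERNAL_ZONE, EXTERNAL_ZONE):
        print(finding)
```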
--
~Enjoy! 
