amset.info
from Sembee Ltd.
UK MS Exchange Consultants


Network Administration
Page Last Reviewed: 20/02/2010

Split DNS Configuration

If you are using a different domain name internally than on the Internet, or have resources internally that are also available to the Internet, you may find that you have difficulty connecting to them because name resolution doesn't return the correct answer.

Examples could be:

  • Your web mail service which you want to work on a single address of webmail.example.com instead of http://servername
  • Your external web site which everyone should be entering in the form www.example.com
  • You are using Exchange RPC over HTTPS / Outlook Anywhere or another service using SSL and need the name to be the same both internally and externally.

What you need to do is set up a "split DNS" environment.
This is where different results are returned to the client depending on its location: on the local network or on the Internet.

There are two different ways to operate a split DNS system: one that simply replaces a single host name from your public DNS, and one that replaces the entire zone. If you want to replace the resolution of one or two hosts, then the single host name method is best for you; it works well with .local or other non-resolvable domains and with dynamic DNS services.
If you have lots of hosts or have all of the resources in-house, then the zone replacement method is the best choice, and it may already be in use and just need some additional hosts.
You will need to use the zone replacement method if:

  • Your WINDOWS domain is the same name as the INTERNET domain.
  • Your WINDOWS domain is the same name as someone else's on the Internet.
  • You want to use the SRV record method for Autodiscover on Exchange 2007 or higher.
  • You want to replace the MX records with a host using a different name.

Setting up a split DNS system requires the following:

  • Private DNS server - your AD DNS server is perfect.
    If you are using your DNS server to answer queries from the Internet then you will need to change this. If it is the same DNS server that hosts your Active Directory domain information then that is a big security risk. Your best option is to put it back with the domain name registrar. They will have servers that conform to the RFC standards for DNS servers. If your domain name registrar doesn't offer DNS services, move to one that does. The market is so awash with domain name companies that it shouldn't be too difficult to find one that provides the services you need.
  • A domain name that is used on the internet.
  • For the zone replacement method you will also need your Internet side information.
    For example if you have a web site hosted outside of your network then you will need its PUBLIC IP address.
    Similarly if you have an ftp site, you will need that as well.
    The quickest way is to ping the addresses - preferably from a machine outside of your network and then record the IP addresses returned.
    You do NOT need the external IP addresses of anything that is hosted inside and has an internal IP address.

Configuration Instructions - Single Host Replacement

Setting up a New Zone

  1. On your primary DNS server, start the DNS administration tool.
  2. Right click on the server and choose New Zone.
  3. Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated (you may have to deselect an option).
  4. When asked for the domain name, enter the host that you want to replace.
    For example if you want to replace owa.example.com then you would enter owa.example.com.
  5. Accept the option about creating a file.
  6. As this is not an AD integrated zone, disable dynamic updates.

Adding a Host

Creating the zone is not enough; you need to have a single blank A record in the zone so that something resolves.

  1. Right click on the new zone that you have just created
  2. Choose "New Host (A)". If it is greyed out, double click on the zone and try again.
  3. Leave the host name entry blank.
  4. Enter the internal IP address for the web site.
  5. Press OK.

If you are using the same host name for your MX records, then note that internally they will resolve to the IP address that you have just entered. For Exchange 2003, that will not be a problem unless you have disabled SMTP on a frontend server. On Exchange 2007, if you have separate Hub Transport and Client Access Servers, it could be an issue. You may want to consider using a different host name for your MX records, so that internally they can point at different servers.

Configuration Instructions - Zone Replacement Method

  • If you already have a WINDOWS domain that matches the name used on the Internet and you just wish to allow access to Internet based resources you can skip down to "Adding Internet Based Resources."
  • If you already have a Windows domain that matches the name used on the Internet and you just wish to allow access to local resources that are also available over the Internet you can skip down to "Adding Local Resources Also Available on the Internet".

In these examples we are using example.com as the external domain.

Setting up a New Zone

  1. On your primary DNS server, start the DNS administration tool.
  2. Right click on the server and choose New Zone.
  3. Step through the wizard. You need a FORWARD primary zone that is NOT AD integrated (you may have to deselect an option).
  4. Enter the domain name when prompted.
    For example if your web site is www.example.com then you would enter example.com.
  5. Accept the option about creating a file.
  6. As this is not an AD integrated zone, disable dynamic updates.

Adding Internet Based Resources

  1. Right click on the new zone that you have just created, or is pre-existing.
  2. Choose "New Host (A)". If it is greyed out, double click on the zone and try again.
  3. Enter the name that you need to add, minus the domain name.
    For example if you want to add your web site which is on www.example.com then you would just enter "www".
  4. Enter the external IP address for the web site.
  5. Press OK.
  6. Repeat for any other services that you might have on the Internet.
    You do NOT have to add MX records for your domain, as your email system will not be looking for them: it will know that it is responsible for that domain.

REMEMBER: After you have made this addition to your DNS, the server will no longer look up DNS information for this domain from the Internet. If there are any changes to the Internet IP addresses then you will need to update your internal DNS server as well.

Adding Local Resources Also Available on the Internet

  1. Right click on the new zone that you have just created, or is pre-existing.
  2. Choose "New Host (A)". If it is greyed out, double click on the zone and try again.
  3. Enter the name that you need to add, minus the domain name.
    For example if you want to add your web site which is on www.example.com then you would just enter "www".
  4. Enter the internal IP address for the web site.
  5. Press OK.
  6. Repeat for any other resources that you have locally that are also available on the Internet.
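Both procedures above (the single host replacement and the zone replacement method) can be scripted instead of clicked through in the DNS console. The following is an added example, not code from the original page or from Sembee Ltd.: it uses the DnsServer PowerShell module (Windows Server 2012 or later, or RSAT; newer than the page itself). The server name, zone name and all IP addresses are placeholders constructed for the example, and the two functions are alternatives: run one method or the other, never both for the same domain.

```powershell
# Added example (not from the original page): the two split-DNS layouts
# built with the DnsServer module instead of the DNS MMC console.
#Requires -Modules DnsServer

# --- Assumed values (constructed for the example; replace with your own) ---
$DnsServer   = 'dc01'            # your internal (AD) DNS server
$PublicZone  = 'example.com'     # the domain name used on the Internet
$InternalIp  = '192.168.1.10'    # internal address of the OWA / CAS server
$ExternalWeb = '203.0.113.10'    # PUBLIC address of the externally hosted web site
$Method      = 'ZoneReplacement' # or 'SingleHost'

# Single host replacement: a zone whose NAME is the host name, holding one
# blank (apex) A record. Every other name under example.com still resolves
# via the Internet because no zone for example.com exists internally.
function New-SingleHostOverride {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # e.g. owa.example.com
        [Parameter(Mandatory)] [string] $IPv4,
        [string] $ComputerName = $DnsServer
    )
    # Standard primary (file-backed, NOT AD integrated) zone, dynamic updates off
    Add-DnsServerPrimaryZone -Name $HostName -ZoneFile "$HostName.dns" `
        -DynamicUpdate None -ComputerName $ComputerName
    # The "blank" host entry from the instructions is the zone apex, written as "@".
    # No -CreatePtr: the host already has an AD-integrated PTR (see the Q&A).
    Add-DnsServerResourceRecordA -ZoneName $HostName -Name '@' -IPv4Address $IPv4 `
        -ComputerName $ComputerName
}

# Zone replacement: an internal copy of the whole public zone. From now on the
# server answers every query for example.com itself, so each Internet-hosted
# name you still need must be added with its PUBLIC address, and each local
# resource with its INTERNAL address.
function New-ZoneReplacement {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [hashtable] $InternetHosts = @{},   # label -> public IP
        [hashtable] $LocalHosts    = @{},   # label -> internal IP
        [string] $ComputerName = $DnsServer
    )
    # Reuse a pre-existing zone (e.g. the Windows domain has the same name)
    if (-not (Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
            -DynamicUpdate None -ComputerName $ComputerName
    }
    foreach ($entry in ($InternetHosts + $LocalHosts).GetEnumerator()) {
        # Record name is the label only ("www"), not "www.example.com"
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $entry.Key `
            -IPv4Address $entry.Value -ComputerName $ComputerName
    }
}

switch ($Method) {
    'SingleHost' {
        New-SingleHostOverride -HostName "owa.$PublicZone" -IPv4 $InternalIp
        Get-DnsServerResourceRecord -ZoneName "owa.$PublicZone" -RRType A -ComputerName $DnsServer
    }
    'ZoneReplacement' {
        New-ZoneReplacement -ZoneName $PublicZone `
            -InternetHosts @{ 'www' = $ExternalWeb } `
            -LocalHosts    @{ 'owa' = $InternalIp; 'autodiscover' = $InternalIp }
        # Show what the internal server now answers for the zone
        Get-DnsServerResourceRecord -ZoneName $PublicZone -RRType A -ComputerName $DnsServer |
            Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
    }
}
```

The "www" entry carries the public address and "owa" and "autodiscover" the internal one, which is exactly the split the two "Adding ..." sections describe; the autodiscover record is the one the Exchange 2007 question below asks about. Because the zone is created as a standard primary with dynamic updates off, domain members cannot register themselves into it and overwrite the hand-entered addresses.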

Common Problems with this Setup

There are a few common issues with this setup which can stop it from working.

  • Hosts file
    If the "hosts" file has been set up with entries which are different, that can cause odd results, as the hosts file overrides what is found by DNS.
  • External DNS servers in the network configuration
    For this setup to work, all clients inside the network need to be using ONLY the internal DNS servers for DNS. No external DNS servers should be listed anywhere. If you need to use external DNS for successful name resolution, configure forwarders in the DNS server setup.
  • Proxy Server in the Browser
    If you are using a proxy server then that can also cause unexpected results. The internal hosts should be on the exclusion list.
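The three problems above can be checked from a workstation inside the network. The script below is an added example, not code from the original page or from Sembee Ltd.; it uses the DnsClient module cmdlets (Windows 8 / Server 2012 and later) and reads the Internet Explorer proxy settings from the registry. The list of internal resolvers, the test name and the expected address are placeholders constructed for the example.

```powershell
# Added example (not from the original page): client-side checks for the
# three common split-DNS problems. Run on a client PC inside the network.

# --- Assumed values (constructed for the example; replace with your own) ---
$InternalDns = @('192.168.1.5', '192.168.1.6')   # the ONLY resolvers clients should use
$SplitName   = 'owa.example.com'                  # a name that split DNS overrides
$ExpectedIp  = '192.168.1.10'                     # what it should resolve to internally

# 1. Hosts file: compare a normal lookup (hosts file honoured) with a DNS-only
#    lookup (-NoHostsFile). Any difference means a hosts entry is overriding DNS.
function Test-HostsOverride {
    param([string] $Name)
    $withHosts = @(Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    $dnsOnly   = @(Resolve-DnsName -Name $Name -Type A -NoHostsFile -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
    [pscustomobject]@{
        Name              = $Name
        ResolverAnswer    = $withHosts -join ','
        DnsOnlyAnswer     = $dnsOnly -join ','
        HostsFileOverride = (($withHosts | Sort-Object) -join ',') -ne (($dnsOnly | Sort-Object) -join ',')
    }
}

# 2. Resolver list: flag every configured DNS server that is not one of ours.
#    An external resolver anywhere in the list can answer with the public address.
function Test-ClientDnsServers {
    param([string[]] $Allowed)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $alias = $_.InterfaceAlias
            foreach ($srv in $_.ServerAddresses) {
                [pscustomobject]@{ Interface = $alias; Server = $srv; External = ($srv -notin $Allowed) }
            }
        }
}

# 3. Browser proxy: if a proxy is enabled, the internal host must match one of
#    the bypass patterns (ProxyOverride is ';'-separated; "<local>" only covers
#    unqualified names, so a fully qualified owa.example.com needs its own entry).
function Test-ProxyBypass {
    param([string] $Name)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = Get-ItemProperty -Path $key
    if (-not $ie.ProxyEnable) {
        return [pscustomobject]@{ Name = $Name; ProxyEnabled = $false; Proxy = ''; Bypassed = $true }
    }
    $patterns = @("$($ie.ProxyOverride)" -split ';') | Where-Object { $_ -and $_ -ne '<local>' }
    $bypassed = $false
    foreach ($p in $patterns) { if ($Name -like $p) { $bypassed = $true } }   # wildcards such as *.example.com
    [pscustomobject]@{ Name = $Name; ProxyEnabled = $true; Proxy = $ie.ProxyServer; Bypassed = $bypassed }
}

# Run the checks and finish with the one result that matters: does the split
# name resolve to the internal address on this client?
Test-HostsOverride   -Name $SplitName     | Format-List
Test-ClientDnsServers -Allowed $InternalDns | Format-Table -AutoSize
Test-ProxyBypass     -Name $SplitName     | Format-List

$answer = Resolve-DnsName -Name $SplitName -Type A -ErrorAction SilentlyContinue |
          Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
if ($answer -contains $ExpectedIp) { "OK: $SplitName resolves to $ExpectedIp" }
else { "PROBLEM: $SplitName resolves to '$($answer -join ',')', expected $ExpectedIp" }
```

A row marked External in the resolver table, a HostsFileOverride of True, or Bypassed of False with a proxy enabled each corresponds to one of the three bullets above and tells you which of them to fix first.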

Questions

Q: I am using a dynamic IP address. How can I have the same name both internally and externally if my external IP address is changing?
A: You will need to use a Dynamic DNS service. The same process will apply as we have written here for managing MX records on a dynamic IP address.

Q: What hosts do I need to enter for Exchange 2007 support?
A: You need to have autodiscover.example.com (pointing at your internal IP address), as well as whatever name you are using for OWA - such as owa.example.com or mail.example.com.

Q: Should I select the option to "Create an associated pointer (PTR) record"?
A: No, you shouldn't set that option as the hosts will most likely already have a record that is AD integrated.

Last Page Update:
20/02/2010
© Sembee Ltd. 1998 - 2010.
