Split brain DNS and Forwarder RRS feed

  • Question

  • Hi,

    We have a split brain setup for our domain. Our AD integrated DNS server is configured with a 'Forward Lookup Zone' and the same domain name is registered in AWS Route 53 as a public domain.

    When we create (ex on AWS, our internal users can't resolve that DNS name until we add (ex also on the internal DNS server.

    Is it possible that, if the internal DNS server can't find the record, it forwards the query to a public DNS server?


    Thursday, September 22, 2016 9:09 AM


All replies

  • That is not possible.  Any DNS domain which is authoritative for a namespace will either immediately return the answer for the record or not, it will not forward that query onwards.  It's kind of like someone asking a quick question, "is John Wilkens here?" inside a crowded room, and assumes that the answer from within that room is authoritative - he/she knows from that room that the person will either be inside the room or not. So, if you are John Wilkens, you reply.  If no one named that is inside the room, no one should reply.  This is how DNS works for servers in charge of authoritative namespaces, they are in charge of a certain "room" (namespace) - which is what you are in charge of running - but it exists in two different places.  So you have to be mindful of what happens when the same question is asked in either place.  They won't forward to each other.  They would only forward if the namespaces were different, and there are several ways you could do that, although that's not your scenario.  I hope this makes sense to you.

    Best Regards, Todd Heron | Active Directory Consultant

    Thursday, September 22, 2016 12:00 PM
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, don't hesitate to ask.

    Best Regards,
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact

    Wednesday, September 28, 2016 9:09 AM
  • Hi

    Please look at this blog. This is possible using Policies in Windows Server 2016.

    Saturday, October 1, 2016 4:19 AM
  • This scenario assumes the original poster's Active Directory-integrated DNS server has two network interfaces, one listening on a public IP and the other private (it is extremely rare that people expose their AD assets like this).  As well, the scenario requires Windows Server 2016.  So while possible (the OP did ask if it was "possible") such a split-DNS design for him is probably not "probable".  But thanks for posting that link, I was not aware of this information.

    Best Regards, Todd Heron | Active Directory Consultant

    Saturday, October 1, 2016 12:43 PM
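To make the two-interface, Windows Server 2016 DNS Policy setup discussed in the last two replies concrete, here is an added PowerShell example; it is not code from the original thread or from the linked blog. The zone name, the server's interface addresses, the record addresses and the scope name are assumptions.

```powershell
# Added example (not from the thread). Assumed: Windows Server 2016+ DNS,
# authoritative for corp.example (placeholder zone), with two interfaces:
#   10.0.0.56    private LAN side
#   203.0.113.10 public side (TEST-NET-3 documentation address)
$Zone       = 'corp.example'
$PrivateNic = '10.0.0.56'

# 1. The default zone scope serves the public view. Records created here
#    are what clients hitting the public interface will see.
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address '203.0.113.20'

# 2. Create a second scope of the same zone for the internal view and add
#    the internal copy of the record. Every record the internal users need
#    must exist in this scope: the server is still authoritative for the
#    zone and never forwards a miss to a public resolver.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'internal'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'www' -IPv4Address '10.0.0.20' -ZoneScope 'internal'

# 3. Policy: queries arriving on the private interface are answered from
#    the 'internal' scope (weight 1). Anything else falls through to the
#    default scope, so no policy is needed for the public side.
Add-DnsServerQueryResolutionPolicy -Name 'SplitBrainInternal' -Action ALLOW `
    -ServerInterfaceIP "eq,$PrivateNic" -ZoneScope 'internal,1' -ZoneName $Zone

# 4. Verify: the policy is in place and each interface returns its own view.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, ProcessingOrder, IsEnabled
Resolve-DnsName -Name "www.$Zone" -Server $PrivateNic   -Type A   # expect 10.0.0.20
Resolve-DnsName -Name "www.$Zone" -Server 203.0.113.10  -Type A   # expect 203.0.113.20
```

If the server has only a private interface, the same split can be keyed on the client's source subnet instead (Add-DnsServerClientSubnet plus -ClientSubnet "eq,<name>" on the policy), but the caveat in step 2 is unchanged.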