How to Configure DNS Split-Brain (Split Horizon) on Windows Server 2012 R2

DNS Split-Brain (also called Split Horizon DNS) is a configuration in which the same DNS namespace resolves to different IP addresses depending on where the query originates. The most common use case is a corporate domain (contoso.com) that must resolve to internal IP addresses for internal clients and to external, publicly routable IP addresses for internet clients, without exposing internal network addresses or services to the public internet. Windows Server 2016 added DNS policies, which can implement split-brain on a single server by selecting a zone scope according to the querying client's subnet. Windows Server 2012 R2 has no DNS policies, so split-brain is built the traditional way: two separate authoritative copies of the zone, one on the internal DNS servers and one on external-facing DNS servers, with each client population directed to the right set. This guide covers that approach for Windows Server 2012 R2.

Prerequisites

Split-brain DNS on Windows Server 2012 R2 is implemented with two separate authoritative zones for the same name: one for internal clients, hosted on the internal DNS servers (normally the domain controllers), and one for external clients, hosted on external-facing DNS servers in the perimeter network or at a public DNS hosting provider. Both sets of servers are authoritative for contoso.com but hold different records. Requirements are the DNS Server role on both the internal and the external DNS servers, client configuration and firewall rules that keep the two query populations apart (internal clients configured to use only internal servers, internet hosts able to reach only the external servers), and administrative rights on all DNS servers involved.

# Load the DNS Server cmdlets (installed with the DNS Server role or the RSAT DNS tools)
Import-Module DnsServer

Understanding the Split-Brain Architecture

In a typical split-brain DNS setup for contoso.com:

Internal DNS servers (on your corporate network) are authoritative for contoso.com and contain records pointing to private RFC 1918 IP addresses (e.g., 192.168.1.10 for FILESERVER01.contoso.com). External DNS servers (in the perimeter network, or at a public DNS hosting provider) are also authoritative for contoso.com but contain only the records internet users need, pointing to public IP addresses (e.g., 203.0.113.10 for www.contoso.com). Internet clients query the external servers, receive public IPs, and reach your perimeter services. Internal clients query the internal servers, receive private IPs, and reach internal services directly without hairpinning through the perimeter. Neither copy of the zone is derived from the other: nothing replicates internal data outward, which is what keeps internal names and addresses off the internet and gives internal access an efficient route.

Step 1 — Design the Internal Zone

The internal DNS zone for contoso.com is typically an Active Directory-integrated primary zone hosted on domain controllers. It contains the full set of internal records including all SRV records for AD DS, internal server A records, and internal application records:

# View the existing internal zone (AD-integrated primary on the domain controllers)
Get-DnsServerZone -Name "contoso.com"

# Add internal records (private IPs). -TimeToLive takes a TimeSpan: pass it as
# "hh:mm:ss"; a bare integer such as 3600 is converted to 3600 ticks, not seconds.
Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "www" `
    -IPv4Address "192.168.1.100" `
    -TimeToLive "01:00:00"

Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "mail" `
    -IPv4Address "192.168.1.50" `
    -TimeToLive "01:00:00"

Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "vpn" `
    -IPv4Address "192.168.1.200" `
    -TimeToLive "01:00:00"

# Verify internal records
Get-DnsServerResourceRecord -ZoneName "contoso.com" -RRType A |
    Select-Object HostName, RecordData | Sort-Object HostName

Step 2 — Create the External Zone

The external zone can be hosted on a separate Windows Server 2012 R2 DNS server in the DMZ or perimeter network, on a dedicated public DNS server, or delegated to a public DNS hosting service. If hosting externally on a Windows DNS server, create a standard primary zone (not AD-integrated) containing only the records needed by internet users:

# On the external DNS server: create the external zone as a file-backed primary
# with dynamic updates disabled, so nothing can register records into it
Add-DnsServerPrimaryZone `
    -Name "contoso.com" `
    -ZoneFile "contoso.com.dns" `
    -DynamicUpdate None `
    -PassThru

# Add only the records that should be visible externally (public IPs only).
# TTL is given as a TimeSpan string; an integer would be read as ticks.
Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "@" `
    -IPv4Address "203.0.113.10" `
    -TimeToLive "01:00:00"

Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "www" `
    -IPv4Address "203.0.113.10" `
    -TimeToLive "01:00:00"

Add-DnsServerResourceRecordA `
    -ZoneName "contoso.com" `
    -Name "mail" `
    -IPv4Address "203.0.113.20" `
    -TimeToLive "01:00:00"

# Add MX record for external mail (the target must itself resolve in this zone)
Add-DnsServerResourceRecordMX `
    -ZoneName "contoso.com" `
    -Name "@" `
    -MailExchange "mail.contoso.com" `
    -Preference 10

# Do NOT add SRV records for AD DS, internal server records, or private IPs

Step 3 — Configure Firewall to Separate DNS Scopes

The split-brain architecture depends on network segmentation: internet hosts must be able to reach only the external DNS servers on UDP and TCP port 53, and the internal DNS servers must not be reachable from the internet at all. On the perimeter firewall, permit inbound port 53 from the internet only to the external DNS server address (203.0.113.5 in this guide) and deny it to the internal servers (192.168.1.10 and 192.168.1.11). If the external server is managed remotely with the DNS cmdlets (-ComputerName), allow that management traffic (WinRM, or RPC for DNS Manager) only from a designated internal management host. On the internal DNS servers themselves, the Windows Firewall rules created by the DNS Server role can additionally be scoped to internal address ranges as defence in depth. On the client side, internal machines must point only at internal DNS servers; DHCP scope option 006 (Step 4) or static settings are the usual mechanism, and Group Policy also offers Computer Configuration > Administrative Templates > Network > DNS Client > DNS Servers. Check a client's configured servers with:

# Check current DNS client settings on a machine
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
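The following script, added here as an example and not part of the original guide, applies the host-firewall half of this step on an internal DNS server: it scopes the DNS listener to internal address space and then reports any remaining inbound rule that still exposes port 53 to every source. It assumes (the page does not state this) that internal address space is 192.168.0.0/16 and 10.0.0.0/8 and that the DNS Server role created its default inbound rules in the "DNS Service" display group.

```powershell
# Added example (not from the original guide): limit the DNS listener on an internal
# DNS server to internal networks and audit for rules that still allow port 53 from Any.
# Assumptions: internal nets below and the "DNS Service" rule group name.
$internalNets = @("192.168.0.0/16", "10.0.0.0/8")

# Scoping individual rules is only meaningful if the default inbound action is Block
Get-NetFirewallProfile | Set-NetFirewallProfile -DefaultInboundAction Block

# Scope the role's own DNS rules rather than adding a Block rule: Windows Firewall
# evaluates Block rules before Allow rules regardless of specificity, so a
# "block 53 from Any" rule would also defeat the allow rules created below.
Get-NetFirewallRule -DisplayGroup "DNS Service" -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "53" } |
    Set-NetFirewallRule -RemoteAddress $internalNets

# Remove earlier copies of our rules so the script is idempotent, then add
# explicit allow rules for UDP and TCP 53 from internal address space only
Get-NetFirewallRule -Group "SplitBrain DNS" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
foreach ($proto in @("UDP", "TCP")) {
    New-NetFirewallRule `
        -DisplayName "SplitBrain DNS - $proto 53 from internal only" `
        -Group "SplitBrain DNS" `
        -Direction Inbound `
        -Protocol $proto `
        -LocalPort 53 `
        -RemoteAddress $internalNets `
        -Action Allow | Out-Null
}

# Audit: every enabled inbound allow rule that opens port 53 to any remote address
function Get-OpenDnsFirewallRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($port.LocalPort -contains "53" -and $addr.RemoteAddress -eq "Any") { $_ }
    }
}

$open = @(Get-OpenDnsFirewallRule)
if ($open) {
    $open | ForEach-Object { Write-Warning "Rule '$($_.DisplayName)' allows DNS from any address" }
} else {
    Write-Host "No inbound rule exposes port 53 beyond $($internalNets -join ', ')"
}
```

The perimeter firewall rules (internet to 203.0.113.5 on port 53 only, nothing from the internet to 192.168.1.10 or 192.168.1.11) live on the edge device and are not shown; this script only hardens the DNS server host itself.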

Step 4 — Configure Internal Clients to Use Internal DNS

Ensure all domain-joined machines use only the internal DNS servers. DHCP clients receive their servers from scope option 006; statically configured hosts (the domain controllers themselves, servers, appliances) must list only internal DNS servers as well. Never list an external or public resolver as an alternate server on an internal client: when the preferred server is slow to answer, the client fails over and receives the public view of the zone, and AD DS lookups (SRV records) then fail.

# Configure DHCP scope option 006 (DNS servers) on all DHCP scopes
Get-DhcpServerv4Scope | ForEach-Object {
    Set-DhcpServerv4OptionValue `
        -ScopeId $_.ScopeId `
        -OptionId 6 `
        -Value @("192.168.1.10","192.168.1.11")
    Write-Host "DNS options updated for scope: $($_.ScopeId)"
}

Step 5 — Verify Split-Brain Resolution

Test that internal and external queries return different results for the same hostname:

# Test internal DNS resolution (should return the private IP 192.168.1.100)
Resolve-DnsName -Name "www.contoso.com" -Server "192.168.1.10" -Type A

# Test external DNS resolution (should return the public IP 203.0.113.10).
# From inside the network this only works if the external server is reachable
# on port 53; if the perimeter firewall blocks that path, run this query from
# an external vantage point (an internet host, or via a public resolver).
Resolve-DnsName -Name "www.contoso.com" -Server "203.0.113.5" -Type A

# Test from an internal client with nslookup
nslookup www.contoso.com 192.168.1.10

# Test with the client's own configured servers (should also return 192.168.1.100)
Resolve-DnsName -Name "www.contoso.com" -Type A
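The function below, an added example that is not part of the original guide, turns the manual checks above into a table: it queries both servers for a list of names and classifies each name, so a name that resolves identically from both sides (the split is not in effect for it) or that has no internal answer (internal clients would be left without a record) stands out. The server addresses and hostnames are the ones assumed throughout this guide.

```powershell
# Added example (not from the original guide): compare internal and external answers
# for the same names. Assumes the server addresses and hostnames used in this guide.
function Test-SplitBrainResolution {
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [string] $InternalServer = "192.168.1.10",
        [string] $ExternalServer = "203.0.113.5"
    )

    # A-record answers from one server, bypassing the local cache and hosts file
    function Get-AAnswer([string] $Fqdn, [string] $Server) {
        Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly -NoHostsFile `
            -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq "A" } |
            ForEach-Object { $_.IPAddress } |
            Sort-Object
    }

    foreach ($n in $Name) {
        $int = @(Get-AAnswer -Fqdn $n -Server $InternalServer)
        $ext = @(Get-AAnswer -Fqdn $n -Server $ExternalServer)

        if (-not $int -and -not $ext) {
            $status = "UNRESOLVED"
        }
        elseif (-not $int) {
            $status = "INTERNAL MISSING"   # internal clients get no answer for this name
        }
        elseif (-not $ext) {
            $status = "INTERNAL ONLY"      # expected for hosts that are not published externally
        }
        elseif (-not (Compare-Object $int $ext)) {
            $status = "SAME ANSWER"        # both sides agree: the split is not in effect for this name
        }
        else {
            $status = "SPLIT OK"
        }

        [pscustomobject]@{
            Name     = $n
            Internal = ($int -join ", ")
            External = ($ext -join ", ")
            Status   = $status
        }
    }
}

# Run from an internal host that may reach the external server on port 53. If the
# perimeter firewall blocks that path by design, run the external half from outside.
Test-SplitBrainResolution -Name "www.contoso.com", "mail.contoso.com", "vpn.contoso.com", "fileserver01.contoso.com" |
    Format-Table -AutoSize
```

A SAME ANSWER result for a published name usually means one of two mistakes: the external zone was seeded by copying the internal zone (and now carries a private address), or the internal record was never created and the internal server is forwarding the query out.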

Managing Record Synchronisation

One challenge with split-brain DNS is keeping the external zone correct when public IP addresses or externally published services change, without ever copying internal data across. Rather than synchronising from the internal zone (which would defeat the purpose), maintain the external record set declaratively in a script and apply it to the external server:

# Script to apply the declared set of external A records to the external DNS server.
# Runs from a management host that is allowed WinRM access to the external server;
# the DNS cmdlets manage a remote server through -ComputerName.
$externalDNS  = "203.0.113.5"
$externalZone = "contoso.com"

# Records to maintain on the external DNS server (hostname -> public IP).
# Only public addresses belong here; this list is never derived from the internal zone.
$externalRecords = @{
    "www"  = "203.0.113.10"
    "mail" = "203.0.113.20"
    "vpn"  = "203.0.113.30"
}

foreach ($record in $externalRecords.GetEnumerator()) {
    try {
        $existing = Get-DnsServerResourceRecord `
            -ComputerName $externalDNS `
            -ZoneName $externalZone `
            -Name $record.Key `
            -RRType A `
            -ErrorAction SilentlyContinue

        if (-not $existing) {
            # No record yet: create it
            Add-DnsServerResourceRecordA `
                -ComputerName $externalDNS `
                -ZoneName $externalZone `
                -Name $record.Key `
                -IPv4Address $record.Value `
                -TimeToLive "01:00:00"
            Write-Host "Created external record: $($record.Key) -> $($record.Value)"
        }
        elseif (@($existing).Count -gt 1) {
            # Several A records (round robin) exist for the name; leave them for manual review
            Write-Warning "$($record.Key) has multiple A records; not touching it"
        }
        elseif ($existing.RecordData.IPv4Address.IPAddressToString -eq $record.Value) {
            Write-Host "Unchanged: $($record.Key) -> $($record.Value)"
        }
        else {
            # Update in place rather than remove-then-add, so the name is never
            # unanswered between the two operations
            $new = $existing.Clone()
            $new.RecordData.IPv4Address = [System.Net.IPAddress]$record.Value
            Set-DnsServerResourceRecord `
                -ComputerName $externalDNS `
                -ZoneName $externalZone `
                -OldInputObject $existing `
                -NewInputObject $new
            Write-Host "Updated external record: $($record.Key) -> $($record.Value)"
        }
    } catch {
        Write-Warning "Failed to update $($record.Key): $($_.Exception.Message)"
    }
}

Security Considerations for Split-Brain DNS

Split-brain DNS has important security implications. The internal DNS zone contains sensitive information (server names, IP addressing, SRV records for AD DS) that must not be accessible from the internet. Firewall rules must prevent external DNS queries from reaching internal DNS servers, and internal clients must never be configured with an external server as a fallback. The external DNS zone should expose the minimum required records, and the external server should be authoritative-only, with recursion disabled, so that it cannot be used as an open resolver for amplification or cache-poisoning attacks. Zone transfers from internal DNS servers must be prevented; AD-integrated zones replicate between domain controllers through AD replication, not AXFR/IXFR, so transfers can be switched off entirely unless a non-DC secondary exists:

# Restrict zone transfers on the internal zone: NoTransfer refuses AXFR/IXFR from
# every host. (TransferToSecureServers with an empty server list has the same
# effect but expresses the intent less clearly.)
Set-DnsServerPrimaryZone -Name "contoso.com" -SecureSecondaries NoTransfer

# If a non-DC secondary is genuinely required, allow transfers only to an explicit list:
# Set-DnsServerPrimaryZone -Name "contoso.com" `
#     -SecureSecondaries TransferToSecureServers `
#     -SecondaryServers @("192.168.1.11")

# Verify zone transfer settings
Get-DnsServerZone -Name "contoso.com" |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers
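The audit below is an added example, not part of the original guide, and turns the considerations above into a check that can be run against the external server on a schedule. It flags the leaks that matter for split-brain (private addresses, SRV or _msdcs records in the public zone), a zone that transfers to any server, and an external server with recursion enabled. It assumes the external server is reachable for remote management at 203.0.113.5 and hosts the external contoso.com zone; the private-range test is a small helper written for this example.

```powershell
# Added example (not from the original guide): audit the external DNS server for
# internal data leakage, open zone transfers and open recursion.
# Assumptions: management access to 203.0.113.5 over WinRM; zone name as in this guide.
$externalDNS  = "203.0.113.5"
$externalZone = "contoso.com"

# True for RFC 1918 and link-local IPv4 addresses, none of which belong in a public zone
function Test-PrivateIPv4 {
    param([Parameter(Mandatory)] [System.Net.IPAddress] $Address)
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Get-ExternalZoneFindings {
    $findings = @()
    $records  = Get-DnsServerResourceRecord -ComputerName $externalDNS -ZoneName $externalZone

    # 1. A records pointing at private address space
    $findings += @($records |
        Where-Object { $_.RecordType -eq "A" -and (Test-PrivateIPv4 $_.RecordData.IPv4Address) } |
        ForEach-Object { "Private address exposed: $($_.HostName) -> $($_.RecordData.IPv4Address)" })

    # 2. SRV records and underscore or _msdcs names: AD DS data that belongs only in the internal zone
    $findings += @($records |
        Where-Object { $_.RecordType -eq "SRV" -or $_.HostName -like "_*" -or $_.HostName -like "*_msdcs*" } |
        ForEach-Object { "AD DS/internal record exposed: $($_.HostName) ($($_.RecordType))" })

    # 3. Zone transfers: a public zone may transfer to its own secondaries, never to any server
    $zone = Get-DnsServerZone -ComputerName $externalDNS -Name $externalZone
    if ($zone.SecureSecondaries -eq "TransferAnyServer") {
        $findings += "Zone transfers allowed to any server: an AXFR would hand out the whole zone"
    }

    # 4. Recursion: an authoritative-only public server must not answer recursive queries
    if ((Get-DnsServerRecursion -ComputerName $externalDNS).Enable) {
        $findings += "Recursion enabled: the external server is usable as an open resolver"
    }

    return $findings
}

$findings = Get-ExternalZoneFindings
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "External zone audit of $externalZone on $($externalDNS): no findings"
}
```

The two server-setting findings are fixed with Set-DnsServerRecursion -ComputerName 203.0.113.5 -Enable $false and Set-DnsServerPrimaryZone -ComputerName 203.0.113.5 -Name contoso.com -SecureSecondaries TransferToZoneNameServer (or NoTransfer if the external zone has no secondaries); record findings are removed by hand, after checking how the record got there.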

Summary

DNS Split-Brain configuration on Windows Server 2012 R2 uses separate authoritative zones for the same namespace — one serving internal clients with private IP addresses and one serving internet clients with public IP addresses. The architecture depends on proper network segmentation to ensure clients query the appropriate DNS server. Key practices include never adding internal server names or AD SRV records to the external zone, restricting zone transfers to prevent internal zone data from being exposed, and automating the synchronisation of externally-facing records to reduce administrative errors. Split-brain DNS is a standard enterprise DNS architecture that provides clean separation between internal and external name resolution while using a single, consistent domain namespace.