Reader Feedback on "Split-Brain DNS"

Michael Dragone and a reader chat about a DNS question

Any DNS experts out there? After reading Michael Dragone’s “Split-Brain DNS” (InstantDoc ID 99772), reader Jeff Krull shared a split-brain DNS configuration problem with us. We've printed the problem here, as well as Michael's initial response. If you think you can further help Jeff, feel free to add your solution here! The first reader to solve Jeff’s problem will receive a Windows IT Pro baseball cap.

From: Jeff Krull
Subject: split brain dns article

Mike, we have a split-brain DNS zone, which is the root of our AD forest. Since it's an AD-integrated zone, when performing an Nslookup on the zone for, DNS returns a list of DNS servers (which are the DCs). That's just great for AD and associated GPO processing, etc. When a user browses the domain internally using a browser, we can't resolve the company's web site (i.e., times out) because the DCs don't run IIS to redirect the query, nor do we want our DCs running IIS. Externally, this is not a problem because the DCs aren't listed in the external zone. Any ideas on how to resolve this issue whereby internal users don't have to use internally to reach our web site?

From: Michael Dragone

Hi Jeff, thanks for reading my article and writing in. To help answer your question, can you tell me a little more about your AD environment? Do you have one or more AD domains? What's the format of the domain names? Are you using company.local,, or subdomains such as

From: Jeff Krull

We've got an empty root with three child domains: root, child, child, child. So, the web site in question would be, which we have to address as internally and can be accessed using externally. For other DNS domains (e.g.,, this isn't an issue because there aren't DCs for that domain...and we can access the web site internally using rather than

From: Michael Dragone

Okay, now I understand: works both internally and externally, but only works externally. Right? There's no elegant fix that I know of for this issue short of renaming your AD domains. Even if you add a host (A) record for to the zone, DNS will resolve requests for in round-robin fashion. Therefore, some clients will hit the domain controllers while others will make their way to your website. Likewise, you can't remove the existing A records for they're required for AD to function correctly, and the DCs would just add them again anyway. You could create an A record or an alias (CNAME) record for a keyword such as "internal," "mydomaincom" (without the period) or "web" in the appropriate zone that resolves to the IP address of the web server hosting (if you use an A record) or (if you use a CNAME record). Although that still won't let your users enter from a browser address bar, it would shorten what they have to enter. I would probably use "web" and add an A record in my external DNS for "web" so that internal users can simply type web in their address bar and external users can use either web or www. In any event, it's likely you've already thought of these alternatives. I'm sorry I couldn't be of much help!
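The round-robin behaviour Michael describes is easy to see with a small model. The following is an added example, not code from the article or from either correspondent: it builds a constructed zone (the DC addresses, the web server address and the record names are all assumptions), adds the tempting apex A record for the web server, and measures what share of clients would actually reach the website versus a domain controller. It also includes a simple audit check that flags an apex holding both DC and non-DC addresses, which is the state to look for when troubleshooting this symptom.

```python
"""
Round-robin model of an AD-integrated zone apex (constructed example).

The apex ("@") carries the A records each domain controller registers for
itself; they cannot be removed, and the DCs re-create them anyway. Adding a
further apex A record for the web server only puts it into the rotation.
"""
from collections import Counter

# Constructed addresses for the illustration (RFC 1918, not real hosts)
DC_ADDRESSES = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
WEB_SERVER = "10.0.5.80"


def build_zone(add_web_apex_record):
    """Return a minimal zone as {record name: [A record targets]}."""
    zone = {
        "@": list(DC_ADDRESSES),   # registered by the DCs themselves
        "www": [WEB_SERVER],       # works internally today
        "web": [WEB_SERVER],       # Michael's short-alias suggestion
    }
    if add_web_apex_record:
        zone["@"].append(WEB_SERVER)   # the tempting but unhelpful "fix"
    return zone


class RoundRobinResolver:
    """Models DNS round-robin: the answer order rotates on every query."""

    def __init__(self, zone):
        self.zone = zone
        self.offsets = {name: 0 for name in zone}

    def resolve(self, name):
        """Return the address a client would use (first answer returned)."""
        records = self.zone[name]
        i = self.offsets[name]
        self.offsets[name] = (i + 1) % len(records)
        return records[i]


def simulate_clients(zone, name, clients=300):
    """Count which address each of `clients` lookups of `name` lands on."""
    resolver = RoundRobinResolver(zone)
    return Counter(resolver.resolve(name) for _ in range(clients))


def fraction_reaching_web(zone, name, clients=300):
    """Share of clients that reach the web server when browsing to `name`."""
    return simulate_clients(zone, name, clients)[WEB_SERVER] / clients


def apex_mixes_dc_and_web(zone):
    """Audit check: does the apex hold both DC and non-DC addresses?"""
    apex = set(zone["@"])
    dcs = set(DC_ADDRESSES)
    return bool(apex & dcs) and bool(apex - dcs)


if __name__ == "__main__":
    for flag in (False, True):
        z = build_zone(flag)
        print("apex web record added:", flag)
        print("  clients reaching website via apex:", fraction_reaching_web(z, "@"))
        print("  clients reaching website via 'web':", fraction_reaching_web(z, "web"))
        print("  apex mixes DC and web addresses:", apex_mixes_dc_and_web(z))
```

With three DCs and the extra apex record, only one client in four reaches the website; the rest time out against a DC with no listener on port 80, which is exactly the intermittent failure Michael warns about. The short alias resolves to the web server every time, so it is the predictable option.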

So, who can help
