Contents

Domain Name System Designs

Where you deploy DNS service (SRV) records depends on the design of your DNS namespace. Typically there are two DNS designs:
  • Separate domain names outside and inside the corporate network.
  • Same domain name outside and inside the corporate network.

Separate Domain Design

The following figure illustrates a separate domain design:


An example of a separate domain design is one where your organization registers the following external domain with an Internet name authority: example.com.

Your company also uses an internal domain that is one of the following:
  • A subdomain of the external domain, for example, example.local.
  • A different domain to the external domain, for example, example.com.
With a separate domain design:
  • The internal name server has zones that contain resource records for internal domains. The internal name server is authoritative for the internal domains.
  • The internal name server forwards requests to the external name server when a DNS client queries for external domains.
  • The external name server has a zone that contains resource records for your organization’s external domain. The external name server is authoritative for that domain.
  • The external name server can forward requests to other external name servers. However, the external name server cannot forward requests to the internal name server.

Same Domain Design

An example of a same domain design is one where your organization registers example.com as an external domain with an Internet name authority. Your organization also uses example.com as the name of the internal domain.

Same Domain, Split-Brain

The following figure illustrates a same domain, split-brain domain design:


Two DNS zones represent the single domain; one DNS zone in the internal name server and one DNS zone in the external name server.

Both the internal name server and the external name server are authoritative for the single domain, but serve different communities of hosts.
  • Hosts inside the corporate network access only the internal name server.
  • Hosts on the public Internet access only the external name server.
  • Hosts that move between the corporate network and the public Internet access different name servers at different times.

Same Domain, Not Split-Brain

The following figure illustrates a same domain, not split-brain domain design:


In the same domain, not split-brain design, internal and external hosts are served by one set of name servers and can access the same DNS information.

Important:

This design is not common because it exposes more information about the internal network to potential attackers.

Domain Name System Designs

Domain Name System Designs

Where you deploy DNS service (SRV) records depends on the design of your DNS namespace. Typically there are two DNS designs:
  • Separate domain names outside and inside the corporate network.
  • Same domain name outside and inside the corporate network.

Separate Domain Design

The following figure illustrates a separate domain design:


An example of a separate domain design is one where your organization registers the following external domain with an Internet name authority: example.com.

Your company also uses an internal domain that is one of the following:
  • A subdomain of the external domain, for example, example.local.
  • A different domain to the external domain, for example, example.com.
With a separate domain design:
  • The internal name server has zones that contain resource records for internal domains. The internal name server is authoritative for the internal domains.
  • The internal name server forwards requests to the external name server when a DNS client queries for external domains.
  • The external name server has a zone that contains resource records for your organization’s external domain. The external name server is authoritative for that domain.
  • The external name server can forward requests to other external name servers. However, the external name server cannot forward requests to the internal name server.

Same Domain Design

An example of a same domain design is one where your organization registers example.com as an external domain with an Internet name authority. Your organization also uses example.com as the name of the internal domain.

Same Domain, Split-Brain

The following figure illustrates a same domain, split-brain domain design:


Two DNS zones represent the single domain; one DNS zone in the internal name server and one DNS zone in the external name server.

Both the internal name server and the external name server are authoritative for the single domain, but serve different communities of hosts.
  • Hosts inside the corporate network access only the internal name server.
  • Hosts on the public Internet access only the external name server.
  • Hosts that move between the corporate network and the public Internet access different name servers at different times.

Same Domain, Not Split-Brain

The following figure illustrates a same domain, not split-brain domain design:


In the same domain, not split-brain design, internal and external hosts are served by one set of name servers and can access the same DNS information.

Important:

This design is not common because it exposes more information about the internal network to potential attackers.