Split DNS (Zimbra)

From vWiki
Jump to: navigation, search

Split DNS is required for Zimbra where your server is on an internal (private address range) network[1].

Zimbra needs to be able to resolve its own Mail Exchanger (MX) DNS record, otherwise its services will not start. Therefore if your server is known publicly by one IP address, but in fact has a different internal address (and the public IP is NAT'ed to the internal IP) you'll need to use split DNS. This allows your server to be known by one IP address on the internet, and a different address internally, but with the same hostname regardless of where you are. There are two methods described below that enable you to achieve this...

  1. Localhost DNS Server Setup - DNS server installed locally on the Zimbra server.
  2. Local Network DNS Server Setup - DNS server on your local network, if you have one available.

Note that Split DNS, Split-Horizon DNS, Split-Brain DNS all refer to the same technique, and the terminology can be used interchangeably.

DNS Records

Firstly, you need to own a public domain name, then get your ISP to create two DNS records...

  1. MX record - Mail Exchanger (MX) record
    • EG sandfordit.com [MX] -> mail.sandfordit.com
    • sandfordit.com is the domain you own, and mail.sandfordit.com is hostname of your email server (can be anything you like). Email addressed to <anything>@sandfordit.com will be directed to the server in this record.
    • You'll need to give the record a weighting (this allows you to have multiple email servers for the same domain). The lower the number the higher the server's priority, assuming you only have one email server, its common to use 10
  2. A record - Standard DNS record
    • EG mail.sandfordit.com [A] ->
    • is the static IP address assigned by your ISP. You'll need to set-up a NAT on your router (often oddly called a virtual server in domestic routers) to map incoming mail on TCP 25 to your email server's actual address (EG -> ).

Note, instead of an A record, some people will use a CNAME record instead (though obviously the CNAME record will still need to point to a valid A record.) Using a CNAME might be preferable, if for example you've multiple services running from a single public IP, that you might want to split out in the future to run on separate IP's, at which point you can replace the CNAME records with A records. However, I've seen a number of pages on the internet suggesting you shouldn't do this and it may not work, so if you're experiencing issues when using a CNAME consider changing to an A record.

Localhost DNS Server Setup

In order to get round the fact that your exchange server won't have the same IP (or name even) on the public internet as it will on your internal network, a DNS server is installed on the exchange server to provide MX record resolution. Procedure assumes DNS (Bind) is already installed (use apt-get install bind9.


  • Private = Home or internal network IP address and network name (eg and mail.home.int)
  • Public = Global internet, ISP assigned IP address and registered domain name (eg and mail.sandfordit.com)

Firstly, add the IP('s) of the DNS servers you use for resolution on your other machines to your local DNS server's list of forwarders (so that your exchange server forwards DNS resolution requests for unknown names to your normal DNS servers), edit /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        query-source address * port 53;

        forwarders {

        auth-nxdomain no;    # conform to RFC1035

Edit /etc/resolv.conf to force the server to use its local DNS server for resolution


Restart bind using /etc/init.d/bind9 restart and check you can resolve external addresses properly.

Now create the internal zone that will eventually contain the local MX record for your exchange server, append the following to /etc/bind/named.conf.local , using your publicly registered domain name

zone "sandfordit.com"  {
    type master;
    file "/etc/bind/db.sandfordit.com";

Lastly create the database file for you DNS domain /etc/bind/db.sandfordit.com, using your publicly registered domain name and private (internal) IP address for your exchange server...

; BIND data file for sandfordit.com
$TTL    604800
@       IN      SOA     mail.sandfordit.com. admin.sandfordit.com. (
                         070725         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      mail
        IN      MX      10 mail
        IN      A
mail    IN      A

Local Network DNS Server Setup

This is most appropriate to use if you have an existing internal DNS server, that internal clients are already using. Note that all clients of the DNS server will use it to resolve all addresses for the domain that your Zimbra server is on. So if your domain is sandfordit.com, all name resolution for that zone will be handled by it. So if you have a server on the internet (eg www.sandfordit.com , you will need to have a local record for it added to your DNS. Otherwise local clients will request a DNS resolution with your local DNS, which will simply respond that there is no such host, and the local client will be unable to connect.

So if you have to create a new zone in order to get Split DNS working, you may need to add additional records that replicate existing public DNS records. If you already have a zone in your DNS server (which should already be up to date), or have no other device address in that DNS domain, then this shouldn't be a problem.

If you are in any doubt, installing a local DNS server on your Zimbra server is the safest way to proceed. Any problems you cause should be restricted to that server, and won't impact any other working servers. One of the biggest risks when tinkering with DNS is that records get cached, everywhere, so once you've fixed whatever problem you've caused, you may have to wait days for the fix to have rippled around.

  1. If it doesn't already exist, create a new zone for your domain, eg sandfordit.com
  2. Within that zone, create an
    • A record for your server's hostname and internal IP address
    • MX record, pointing to the A record just created

Additional Notes

  1. For example, your Zimbra server may have an IP address of or, but from the outside world its accessible via a public address such as