Selective resolution in a corporate environment

funky monkey wongsky.monkey at gmail.com
Tue Feb 5 15:16:30 UTC 2013


One of my responsibilities has been general DNS (cross-platform) expertise
in the organisation I currently work for. Over a fair amount of time, one
thing that's repeatedly cropped up has been the (ideally selective)
subversion of DNS resolution for certain internet DNS domains.

Sometimes that has been for DNS namespaces used purely by the company (say,
subverting the odd name on an internal network but, in general, using the
remaining records in external DNS); other times it's been for internal,
but managed, use of things like social media (e.g. Facebook, Twitter, and
other things...).

My understanding is that, at least with current DNS capabilities, that's
largely all or nothing: you either do the split-brain thing and have
internal authority for the domain (and, as a consequence, have to provide
all the DNS entries required; probably perfectly OK for your own DNS
domains, but possibly problematic or time-consuming for alien DNS domains).

I suppose, if you're doing it already and have the infrastructure, you
could host such owned DNS namespaces by using BIND views and network
DACLs to respond to internet DNS names and internal DNS names with a
different set of zone files, but in the environment I look after that's
not currently tenable: the environment is something of a hybrid, with
largely Windows / Active Directory integrated DNS internally, plus some
areas of BIND (old 8.x.x versions and some 9.x.x instances).

I did hear talk about some device (whether it was part of Microsoft's ISA
or more recent offerings like TMG) that could sit in the middle, kind of
subvert certificate usage (for secure website access) and redirect internal
access to a public / internet website, tactically. All I read were comments
by a colleague who was more involved in IT security, so I didn't really
glean much in the way of true details about how that would work.

But to get back to what I'm often asked for, more as a tactical solution:
is there any way of being able to subvert specific DNS names with alternate
responses whilst leaving the rest of the resolution to be obtained in the
normal way? I know that doesn't follow the normal process of looking for
authority for a domain name, then asking the correct question there.

I'm just thinking that many corporate DNS environments are already caching
most of what they're resolving from elsewhere, and whilst it may present
issues if abused, for corporate scenarios where there's more likelihood of
security and authority not being subverted, surely it would be something of
a boon for DNS administrators and save a lot of tedium with split-brain DNS
implementations.

Am I just spouting crazy talk, or is there something that could more easily
address this, that I'm currently unaware of?

Any comments welcome...
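As an added example, not part of the original post or of any reply in the thread: the two ways a BIND recursive resolver can override a handful of names while resolving everything else normally. The first is a tiny authoritative zone whose apex is the host name itself; because the resolver only treats that one name as local, facebook.com, m.facebook.com and so on still recurse as usual. This works on BIND 8 and 9 and, by creating a forward lookup zone named after the host with a blank (same-as-parent) A record, on Windows DNS too. The second is a Response Policy Zone (BIND 9.8 and later): recursion happens first and the answer is rewritten afterwards if the name is listed in the policy zone. All zone names, file paths and IP addresses below are assumptions.

```conf
// ---- named.conf (excerpt); paths, names and addresses are assumed ----

// Method 1: an authoritative zone whose apex IS the host to override.
// Queries for www.facebook.com are answered from the file; every other
// name under facebook.com is still resolved by normal recursion.
// Caveats: anything *below* the apex (foo.www.facebook.com) now gets
// NXDOMAIN from this zone, and DNSSEC-validating clients will reject
// the unsigned, locally served answer.
zone "www.facebook.com" {
    type master;
    file "/etc/bind/override/www.facebook.com.db";
};

// Method 2 (BIND 9.8+): a Response Policy Zone. The resolver recurses
// as usual, then rewrites answers for names listed in the policy zone.
// Note: by default RPZ does not rewrite answers the resolver has
// DNSSEC-validated for a DNSSEC-aware client.
options {
    response-policy { zone "rpz.corp.internal"; };
};

zone "rpz.corp.internal" {
    type master;
    file "/etc/bind/rpz.corp.internal.db";
    allow-query { localhost; };   // policy data is not for general lookup
};

; ---- /etc/bind/override/www.facebook.com.db (method 1 zone file) ----
; Even a single-name zone needs an SOA and an NS record to load.
$TTL 300
@   IN SOA  ns1.corp.internal. hostmaster.corp.internal. (
            2013020501 ; serial
            3600       ; refresh
            600        ; retry
            604800     ; expire
            300 )      ; negative-caching TTL
    IN NS   ns1.corp.internal.
@   IN A    10.20.30.40     ; assumed internal landing/proxy host

; ---- /etc/bind/rpz.corp.internal.db (method 2 policy zone) ----
; Owner names are relative to the policy zone origin and match the
; query name; the record data is what the client receives instead.
$TTL 300
@   IN SOA  localhost. root.localhost. 2013020501 3600 600 604800 300
    IN NS   localhost.

www.twitter.com     IN A      10.20.30.40     ; substitute an internal address
twitter.com         IN A      10.20.30.40
*.twitter.com       IN CNAME  .               ; all other twitter.com names -> NXDOMAIN
api.twitter.com     IN CNAME  rpz-passthru.   ; exact match wins: answered normally
```

Reload with `rndc reload` after editing and check the effect with `dig @127.0.0.1 www.twitter.com A` against `dig @127.0.0.1 m.facebook.com A` (the latter should still return the public answer). Either method only changes what address the client connects to; for an HTTPS site the client will still see a certificate that does not match unless the overriding host is a TLS-terminating proxy presenting a certificate from a CA the clients already trust, which is the "sit in the middle" behaviour the post mentions for ISA/TMG-style products.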