Split-DNS no longer a panacea

Split-DNS (or Split-horizon DNS) is a technique that has been around for nearly 20 years of firewalls. It used to be an absolutely required mechanism of deployment. When I designed the Milkyway Networks Blackhole back in 1994, specific support was put into place to support and encourage easy configuration of split-DNS.

Here are some more links to what it is: http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html http://en.wikipedia.org/wiki/Split-horizon_DNS http://wiki.zimbra.com/index.php?title=Split_dns

And while split-DNS worked great in 1995, when all sites had a single upstream firewall, and there was no remote users, or mobile laptops that could move in out, it is no longer such a great thing.

As soon as you have multiple sites (with or without VPN), then you have to make sure that ALL the sites all use the same internal DNS.
That means that every site has a recursive internal name server. That’s not always easy when you have a lot of sites, or if some of them are small, or have not got much in the way of infrastructure.

Then you need to realize that everyone’s laptop may well be a site, if it can move around. And sometimes laptops move to another organizations’ Intranet, and then they need two (or more) internal views!!! Which one to pick?

Split-DNS can be made to work if you set up recursive DNS server on every laptop as a stealth secondary for the internal zone, and always use in “/etc/resolv.conf”. All of this is easy to do on a *NIX laptop, but how can you do it on a windows laptop? Yeah, you can install the NT version of bind9, and this isn’t a bad idea for a lot of other reasons.

What if you need have a VPN/RemoteAccess system on the laptop that won’t bring up the VPN until packets flow… so you can’t resolve a name until the VPN is up, but you won’t bring the DNS up until the name is resolved… Having the names locally also helps for that as well.

With the rise of virtual corporations, where in fact there is no office, just a lot of nomadic laptops with a few central servers, and maybe a cabinet (bay) of servers with VPNs to access things, it can become a major pain to mainitain.

But, it’s worth stepping and asking yourself: is it really worth it? What did split-DNS really buy you?

Split-DNS was a way to keep private IP addresses out of the public DNS. To have privacy, and to avoid confusion, because someone else has as their internal mail server too!!!

A subdomain (i.e. ‘intra.example.com’) mostly works just as well to avoid the confusion. Put “intra.example.com” into people’s domain search order, and most of the issues go away.

And the reason for the privacy was because it was belt-and-suspenders on the proper operation of the firewall. Today, firewalls are irrelevant — they mostly work, and the real concern is compromised Windows PCs… those PCs, if inside, already have access to the internal DNS…. so why make it harder to manage by having split-DNS (or no internal DNS), when that front has already been lost?

And then there is IPv6, coming VERY SOON. (Many of us already use it daily) IPv6 has no RFC1918, so you’ll never have confusion. But, where do you put the AAAA records? You have hosts which are “inside”, and you may have IPv6 firewalls that prevent most access to these hosts. Part of the whole point of IPv6 is that you can now directly address those hosts, and you can selectively permit access to them via firewall or access control lists. (Remember the client machines are now also directly addressable, and so ACLs work very well now).

Do you put these AAAA records in the internal DNS, or the external one?

Now, add DNSSEC to the equation — how will you trust the internal zone? It does not have any link to the outside world. Once your external zone is secured, your internal “trusted” zone will look insecure!!! That’s another reason to actually make your internal zone (even if you implement it with split-DNS), a sub-zone of your external zone.