Thursday, September 13, 2007

Split-brain DNS

Many a time you will come across organizations that implement internal DNS for name resolution. This is especially true for those running Microsoft Active Directory, where DNS plays an integral part in its directory service lookups. Problems can arise when the internal and external domain names happen to be the same, or when, to achieve seamless name resolution, an internal DNS zone needs to exist that matches the external names.

Let's take for instance an email client that connects to its email infrastructure using the name In this case, when the user is outside the organization, he or she can receive email since the name resolves to a valid external IP. Now this user comes back into the company, and the company implements Active Directory, but when resolving the name one of two things happens:

a. It does not get resolved, as you may have a similar zone set up
b. It resolves to an external IP (whereas the server is actually internal)

Both of these problems mean the user may no longer be able to receive email.

This is where administrators can set up a split-brain DNS. A split-brain DNS, in the simplest possible explanation, is having the same DNS zone both internally and externally. Records like A, CNAME and SRV can be different in each copy as long as they meet your requirements for security, performance and accessibility.

For instance, taking the exact example above, say Ahmad receives email externally by using the (which resolves to then he comes back to his office, and the exact same name now resolves to which is their email server, but accessed internally now. This is because his administrator has set up a split-brain DNS to ensure internal users do not resolve internal servers to external IPs and work the gateway for no apparent benefit.

There's a little bit of administration involved to ensure records match those on the internet. Whenever a resource or record exists externally but that record or server does not exist internally, you must create a matching record in the split-brain zone. For instance, the company in our example hosts their external DNS with an ISP. This ISP also hosts their website This record should also exist in your network, simply because you assume ownership of the zone in your split-brain DNS setup. Otherwise, users will not be able to access it internally if you do not have such a record. This record, however, will contain the live IP address matching that of the ISP. Remember, if the record does not exist, the lookup will fail and will not be forwarded to a root or top-level DNS server, since you have assumed the role of the authority for this domain.
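As an added example (not from the original post), a small Python audit that applies the rule above: every name published in the ISP's zone must either be mirrored into the internal zone or deliberately overridden with an internal address, and anything missing will fail inside the network. The zone data and the minimal record format are constructed for the example.

```python
import ipaddress

# Constructed sample records in a minimal 'name TYPE value' format (not real data).
# External zone as published by the ISP:
EXTERNAL_ZONE = """\
mail    A       203.0.113.10
www     A       203.0.113.20
ftp     CNAME   www
"""
# Internal split-brain copy: mail overridden, www mirrored, ftp forgotten:
INTERNAL_ZONE = """\
mail    A       10.1.1.5
www     A       203.0.113.20
"""

def parse_zone(text):
    """Return {name: (TYPE, value)}; ';' starts a comment."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            name, rtype, value = line.split()
            records[name] = (rtype.upper(), value)
    return records

def audit_split_brain(external_text, internal_text):
    """Classify each external name as seen from the internal zone:
    missing (absent, so the authoritative internal server answers NXDOMAIN
    instead of forwarding), mirrored (same record copied from the ISP),
    overridden (private address: the intended split-brain case) or conflict."""
    ext, intl = parse_zone(external_text), parse_zone(internal_text)
    report = {}
    for name, record in ext.items():
        if name not in intl:
            report[name] = "missing"
        elif intl[name] == record:
            report[name] = "mirrored"
        elif intl[name][0] == "A" and ipaddress.ip_address(intl[name][1]).is_private:
            report[name] = "overridden"  # RFC 1918 or other non-routable address
        else:
            report[name] = "conflict"  # different public value, probably stale
    return report

def records_to_add(external_text, internal_text):
    """Zone lines to copy from the ISP so external-only names keep resolving."""
    ext = parse_zone(external_text)
    report = audit_split_brain(external_text, internal_text)
    return [f"{n}\t{t}\t{v}" for n, (t, v) in ext.items() if report[n] == "missing"]
```

Running the audit on the sample zones flags `ftp` as missing and emits the one line to copy into the internal zone.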

There's a downside to this, amongst others: it can be subject to abuse and thus lead to a phishing or pharming attack. Imagine, internally you could set up the zone and host your own to resolve to your own little fake maybank2u website ;) eh.