Thursday, September 13, 2007

Split-brain DNS

You will often come across organizations that run internal DNS for name resolution. This is especially true of those running Microsoft Active Directory, where DNS plays an integral part in its directory service lookups. Problems arise when the internal and external domain names happen to be the same, or when an internal DNS zone has to exist to match the external names so that name resolution is seamless.

Let's take, for instance, an email client that connects to the email infrastructure using the name email.company.com. When a user is outside the organization, he or she can receive email, since the name email.company.com resolves to a valid external IP. Now this user comes back into the company, which has implemented Active Directory, and email.company.com either:

a. Does not resolve, as you may have a similar zone set up
b. Resolves to an external IP (whereas the server is actually internal)

Either problem means the user may no longer be able to receive email.

This is where administrators can set up a split-brain DNS. In the simplest possible terms, split-brain DNS means having DNS zones of the same name internally and externally. Records such as A, CNAME and SRV can differ between the two, as long as they meet your requirements for security, performance and accessibility.

For instance, taking the example above, say Ahmad receives email externally using email.company.com (which resolves to 202.188.0.133). When he comes back to his office, the exact same name email.company.com now resolves to 10.1.1.1, which is their email server, now accessed internally. This is because his administrator has set up a split-brain DNS to ensure internal users do not resolve internal servers to external IPs and route through the gateway for no apparent benefit.

There's a little administration involved to ensure the internal records match those on the internet. If a resource exists externally but has no internal server or record, you must create a record for it in the split-brain zone. For instance, the company in our example hosts its external DNS with an ISP. This ISP also hosts the website www.company.com. A record for it must also exist in your network, simply because you assume ownership of the zone company.com in your split-brain DNS setup; without it, users will not be able to access www.company.com internally. This internal record will, however, contain the live (public) IP address matching the one at the ISP. Remember, if the record does not exist, the lookup will fail and will not be forwarded to a root or top-level DNS server, since your server has assumed the role of authority for the domain company.com.
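To make that housekeeping concrete, here is an added example (not part of the original post) that compares the external and internal views of company.com and lists the names the internal server cannot answer. The simplified zone format, the function names, the `intranet` record and the 203.0.113.80 address are assumptions made for the illustration.

```python
"""Audit a split-brain zone: find external names the internal view cannot answer."""

# Constructed sample data: simplified "name type value" lines, not real zone exports.
# 202.188.0.133 and 10.1.1.1 are the post's example addresses; 203.0.113.80 and
# the "intranet" record are made up for this illustration.
EXTERNAL_ZONE = """
email  A  202.188.0.133
www    A  203.0.113.80   ; website hosted at the ISP
"""
INTERNAL_ZONE = """
email     A  10.1.1.1
intranet  A  10.1.1.20
"""


def parse_zone(text, origin):
    """Return {(fqdn, rtype): set(values)} from simplified zone lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split(";", 1)[0].split(None, 2)  # drop comments, split fields
        if len(parts) != 3:
            continue  # blank or malformed line
        name, rtype, value = parts
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.setdefault((fqdn.lower(), rtype.upper()), set()).add(value.strip())
    return records


def audit_split_zone(external_text, internal_text, origin):
    """Compare the two views of one zone and classify every record set."""
    ext = parse_zone(external_text, origin)
    internal = parse_zone(internal_text, origin)
    return {
        # Exists on the internet but not inside: internal lookups fail, because
        # the internal server is authoritative and will not forward the query.
        "missing_internally": sorted(k for k in ext if k not in internal),
        # Same name, different answer: the intended split, listed for review.
        "overridden": sorted(k for k in ext if k in internal and ext[k] != internal[k]),
        # Internal-only names that never appear in the external view.
        "internal_only": sorted(k for k in internal if k not in ext),
    }


if __name__ == "__main__":
    report = audit_split_zone(EXTERNAL_ZONE, INTERNAL_ZONE, "company.com")
    for category, keys in report.items():
        for fqdn, rtype in keys:
            print(f"{category:20} {fqdn} {rtype}")
```

With the sample data, www.company.com is reported as missing internally, which is exactly the record the administrator has to copy into the internal zone.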

One downside, amongst others, is that this can be subject to abuse and thus lead to a phishing or pharming attack. Imagine, internally you could set up the zone maybank2u.com and host your own www.maybank2u.com to resolve to your own little fake maybank2u website ;)...fun eh.