Selective resolution in a corporate environment

Emil Natan shlyoko at gmail.com
Tue Feb 5 15:26:15 UTC 2013


Look for my answer below.

On Tue, Feb 5, 2013 at 5:16 PM, funky monkey <wongsky.monkey at gmail.com> wrote:

> One of my responsibilities has been general DNS (cross-platform)
> expertise in the organisation I currently work for. Over a fair amount of
> time, one thing that's repeatedly cropped up has been the (ideally
> selective) subversion of DNS resolution of certain internet DNS domains.
>
> Sometimes that has been for DNS namespaces used purely by the company (say,
> subverting the odd name on an internal network, but in general using
> the remaining records in external DNS); other times it's been for internal,
> but managed, use of things like social media (e.g. Facebook, Twitter, and
> other things...)
>
> My understanding is that, at least with current DNS capabilities, that's
> largely all or nothing - you either do the split-brain thing and have
> internal authority for the domain (and as a consequence have to provide
> all the DNS entries required - probably perfectly OK for your own DNS
> domains, but possibly problematic or time-consuming for alien DNS domains).
>
> I suppose, if you're doing it already and have the infrastructure, you
> could host such owned DNS namespaces, by using bind views, and use network
> DACLs to respond to internet DNS names, and internal DNS names with a
> different set of zone files - but in the environment I look after, that's
> not currently tenable - the environment is something of a hybrid, with
> largely Windows / Active Directory integrated DNS, internally, plus some
> areas of BIND (old versions 8.x.x and some 9.x.x instances).
>
> I did hear talk about some device (whether it was part of Microsoft's ISA,
> or more recent offerings like TMG) that could sit in the middle, kind of
> subvert certificate usage (for secure website access) and redirect internal
> access to a public / internet website, tactically. All I read were comments
> by a colleague who was more involved in IT security, so I didn't really
> glean much in the way of true details about how that would work.
>
> But to get back to what I'm often asked for, more as a tactical solution:
> is there any way of subverting specific DNS names with alternate
> responses whilst leaving the rest of the resolution to be obtained in the
> normal way? I know that doesn't follow the normal approach of looking for
> authority for a domain name, then asking the correct question there.
>
>
I did something similar using Unbound, check the local-zone: and
local-data: declarations.

Emil


> I'm just thinking that many corporate DNS environments are already caching
> most of what they're resolving from elsewhere, and whilst it may present
> issues if abused, for corporate scenarios where there's more likelihood of
> security and authority not being subverted, surely it would be something of
> a boon for DNS administrators and save a lot of tedium with split-brain DNS
> implementations.
>
> Am I just spouting crazy talk, or is there something that could more
> easily address this, that I'm currently unaware of?
>
> Any comments welcome...
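The Unbound approach Emil points at, as an added configuration example written for this page rather than taken from the thread. The addresses, zone names and the placement of Unbound as the forwarder behind the Active Directory DNS servers are assumptions for illustration. It covers both cases the question raises: a company-owned namespace where only a couple of names are overridden while the rest stays in public DNS, and an alien domain (a social-media site) that should resolve to an internal address for every name beneath it.

```conf
# unbound.conf (excerpt) -- added example, not configuration from the thread.
# Assumed deployment: the AD DNS servers forward everything they are not
# authoritative for to this Unbound instance, so the AD zones never reach
# it and need no special handling here.
server:
    interface: 10.20.0.53               # assumed internal address of this resolver
    access-control: 10.0.0.0/8 allow    # only internal clients may query it
    access-control: 0.0.0.0/0 refuse

    # Case 1: company-owned namespace whose records live in public DNS.
    # 'typetransparent' answers from local-data only when both the name
    # and the record type match; everything else under example.com,
    # including AAAA/MX for the overridden names, is resolved normally.
    # Plain 'transparent' would instead return an empty answer for types
    # the local-data lacks, so an AAAA query for intranet.example.com
    # would get NODATA rather than the public record.
    local-zone: "example.com" typetransparent
    local-data: "intranet.example.com. 300 IN A 10.20.0.5"
    local-data: "git.example.com. 300 IN A 10.20.0.6"

    # Case 2: alien domain that should land on an internal host for every
    # name beneath it (www., m., api., ...).  'redirect' answers the apex
    # and all subdomains from the apex local-data; local-data below the
    # apex is not permitted in a redirect zone.
    local-zone: "facebook.com" redirect
    local-data: "facebook.com. 300 IN A 10.20.0.9"

    # Matching PTR records so reverse lookups agree with the overrides.
    local-data-ptr: "10.20.0.5 intranet.example.com"
    local-data-ptr: "10.20.0.9 facebook.com"
```

Run `unbound-checkconf` before reloading, then confirm from a client: `dig @10.20.0.53 www.facebook.com A` should return 10.20.0.9, `dig @10.20.0.53 www.example.com A` should still return the public address, and `dig @10.20.0.53 intranet.example.com AAAA` should fall through to public DNS rather than come back empty. Two caveats reach beyond the resolver itself. The override only affects clients that actually use this resolver, so outbound port 53 from client networks to anything else needs to be blocked or it is trivially bypassed, and a client or downstream resolver that validates DNSSEC will reject a forged answer for a signed zone. Redirecting an HTTPS site also does not make the internal host trusted for that name: the browser still validates the certificate against the original hostname, so unless the internal host presents a certificate for that name from a CA the clients trust, users get a certificate error, which is the gap the in-the-middle appliances mentioned in the question exist to cover.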
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users