One of my responsibilities has been general DNS (cross-platform) expertise in the organisation I currently work for. Over a fair amount of time, one thing that's repeatedly cropped up has been the (ideally selective) subversion of DNS resolution of certain internet DNS domains.
Sometimes that has been for DNS namespaces used purely by the company (say, subverting the odd name on an internal network but, in general, using the remaining records in external DNS); other times it's been for internal, but managed, use of things like social media (e.g. Facebook, Twitter, and other things...).

My understanding is that, at least with current DNS capabilities, that's largely all or nothing - you either do the split-brain thing and have internal authority for the domain (and as a consequence have to provide all the DNS entries required - probably perfectly OK for your own DNS domains, but possibly problematic or time-consuming for alien DNS domains).

I suppose, if you're doing it already and have the infrastructure, you could host such owned DNS namespaces by using BIND views, and use network DACLs to respond to internet DNS names and internal DNS names with a different set of zone files - but in the environment I look after, that's not currently tenable - the environment is something of a hybrid, with largely Windows / Active Directory-integrated DNS internally, plus some areas of BIND (old 8.x.x versions and some 9.x.x instances).

I did hear talk about some device (whether it was part of Microsoft's ISA, or more recent offerings like TMG) that could sit in the middle, kind of subvert certificate usage (for secure website access) and redirect internal access to a public / internet website, tactically. All I read were comments by a colleague who was more involved in IT security, so I didn't really glean much in the way of true details about how that would work.

But to get back to what I'm often asked for, more as a tactical solution: is there any way of being able to subvert specific DNS names with alternate responses, whilst leaving the rest of the resolution to be obtained in the normal way? I know that doesn't follow the normal approach of looking for authority for a domain name, then asking the correct question there.
I'm just thinking that many corporate DNS environments are already caching most of what they're resolving from elsewhere, and whilst it may present issues if abused, for corporate scenarios where there's more likelihood of security and authority not being subverted, surely it would be something of a boon for DNS administrators and save a lot of tedium with split-brain DNS implementations. Am I just spouting crazy talk, or is there something that could more easily address this that I'm currently unaware of? Any comments welcome...
bind-users mailing list, bind-users@lists.isc.org, https://lists.isc.org/mailman/listinfo/bind-users
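The selective override asked for in the post above is what BIND 9's response policy zones (RPZ, available from BIND 9.8 onward, so not on the BIND 8 or older 9.x instances mentioned) provide: one small policy zone rewrites the answers for the names listed in it, and every other name is resolved by normal recursion. The following is an added example, not configuration from the post; the policy zone name, the file paths, the log path and the 10.0.0.50 landing-page address are constructed.

```conf
// ---- /etc/bind/named.conf (fragment) ----
// Turn on one response policy zone. Names absent from it are answered
// exactly as normal recursion would; only listed names are rewritten.
options {
    // ... existing options unchanged ...
    response-policy { zone "rpz.example.internal"; };
};

// Log every rewrite so the overrides stay visible to whoever runs the server.
logging {
    channel rpz_log { file "/var/log/named/rpz.log"; print-time yes; };
    category rpz { rpz_log; };
};

// The policy zone is an ordinary master zone that is never served to clients.
zone "rpz.example.internal" {
    type master;
    file "/etc/bind/db.rpz.example.internal";
    allow-query { none; };
    allow-transfer { none; };
};

; ---- /etc/bind/db.rpz.example.internal ----
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
    IN NS   localhost.

; Owner names are the query names being overridden. Exactly this one name
; gets a locally defined answer (10.0.0.50 is a constructed address for an
; internal landing page); the exact match wins over the wildcard below.
www.facebook.com    IN A      10.0.0.50

; Everything else under the domain is passed through untouched, which makes
; the "leave the rest alone" intent explicit and auditable in the zone file.
*.facebook.com      IN CNAME  rpz-passthru.
```

The policy zone is reloaded like any other zone (for example with `rndc reload`), and the rpz log shows each query whose answer was rewritten.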