Look for my answer below. On Tue, Feb 5, 2013 at 5:16 PM, funky monkey <wongsky.mon...@gmail.com>wrote:
> One of my responsibilities has been general DNS (across platform) expertise in the organisation I currently work for. Over a fair amount of time, one thing that's repeatedly cropped up has been the (ideally selective) subversion of DNS resolution of certain internet DNS domains.
>
> Sometimes that has been for DNS namespaces used purely by the company (but say subverting the odd name on an internal network, but in general, using the remaining records in external DNS); other times it's been for internal, but managed, use of things like social media (eg facebook, twitter, and other things...)
>
> My understanding is that at least with current DNS capabilities, that's largely all or nothing - you either do the split-brain thing, and have internal authority for the domain (and as a consequence, have to provide all the DNS entries required - probably perfectly OK for your own DNS domains, but possibly problematic or time consuming for alien DNS domains).
>
> I suppose, if you're doing it already and have the infrastructure, you could host such owned DNS namespaces, by using bind views, and use network DACLs to respond to internet DNS names, and internal DNS names with a different set of zone files - but in the environment I look after, that's not currently tenable - the environment is something of a hybrid, with largely Windows / Active Directory integrated DNS, internally, plus some areas of BIND (old versions 8.x.x and some 9.x.x instances).
>
> I did hear talk about some device (whether it was part of Microsoft's ISA, or more recent offerings like TMG) that could sit in the middle, kind of subvert certificate usage (for secure website access) and redirect internal access to a public / internet website, tactically. All I read were comments by a colleague, who was more involved in IT security, so I didn't really glean much in the way of true details about how that would work.
>
> But to get back to what I'm often asked for, more as a tactical solution: is there any way of being able to subvert specific DNS names with alternate responses, whilst leaving the rest of the resolution to be obtained in the normal way - I know that doesn't follow the normal looking for authority for a domain name, then asking the correct question there.

I did something similar using Unbound; check the local-zone: and local-data: declarations.

Emil

> I'm just thinking that many corporate DNS environments are already caching most of what they're resolving from elsewhere, and whilst it may present issues if abused, for corporate scenarios where there's more likelihood of security and authority not being subverted, surely it would be something of a boon for DNS administrators and save a lot of tedium with split-brain DNS implementations.
>
> Am I just spouting crazy talk, or is there something that could more easily address this, that I'm currently unaware of?
>
> Any comments welcome...
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
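As an added example (not part of Emil's reply or the original post), the Unbound server: clause below shows the local-zone: / local-data: mechanism Emil refers to, covering each of the selective-override cases the original poster asks about. All domain names, the 10.20.30.x addresses and the 10.0.0.0/8 client range are placeholders, and the comments describe Unbound's documented zone types; nothing here comes from the thread itself.

```conf
# Added example, not from the original thread. Unbound resolver that
# overrides a handful of names while every other query recurses normally.
# Domain names and RFC 1918 addresses are placeholders (assumptions).
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow      # internal clients only (assumed range)

    # 1) Override one host in a zone you do not own and leave the rest alone.
    #    "transparent": if the queried name has local-data, answer from it;
    #    otherwise resolve the name normally. This is also the zone type
    #    Unbound creates implicitly when local-data is given without a
    #    matching local-zone, so the explicit line is for readability.
    local-zone: "example.com." transparent
    local-data: "intranet.example.com. 300 IN A 10.20.30.40"

    # 2) Override only the A record for a name. With plain "transparent", a
    #    name that has any local-data answers NODATA for the record types it
    #    lacks (AAAA, MX, TXT ...). "typetransparent" resolves those types
    #    normally and only substitutes the types present in local-data.
    local-zone: "example.net." typetransparent
    local-data: "www.example.net. 300 IN A 10.20.30.41"

    # 3) Send a whole domain, and every name below it, to one internal host
    #    (e.g. a block or acceptable-use page). "redirect" answers every
    #    query under the zone with the local-data configured at the apex.
    local-zone: "social-site.example." redirect
    local-data: "social-site.example. 300 IN A 10.20.30.42"

    # 4) Make a domain disappear for internal clients. "static" serves only
    #    the local-data present (none here) and answers NXDOMAIN for every
    #    other name in the zone, without ever consulting the real authority.
    local-zone: "tracker.example." static
```

Check the syntax with unbound-checkconf before reloading, then compare dig @<this resolver> against dig @<external resolver> for a name inside and a name outside each local-zone to confirm that only the listed names differ. Two caveats a practitioner will want: local-data is served unsigned, so a downstream client that validates DNSSEC itself will reject an override of a name in a signed zone; and a DNS override only moves the connection, it does not make the destination's TLS certificate match, which is why the poster's colleague was talking about an interposing device rather than a DNS trick for HTTPS sites.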