Split-Brain DNS Documentation

Introduction #

Split-Brain DNS, also known as Split-Horizon DNS or Split-View DNS, is a method of DNS configuration that allows the delivery of different DNS responses depending on whether the request comes from an internal network or an external/public network. This technique is especially useful in scenarios where the information provided to internal users differs from that given to external users. This guide aims to explain the concept, purpose, and implementation of Split-Brain DNS in a straightforward manner, along with best practices for its deployment.

Purpose of Split-Brain DNS #

Split-Brain DNS serves several important purposes:

1. Isolation of Internal and External Resources: It helps keep internal network resources (like servers or private IP addresses) concealed from external clients, enhancing security by preventing unauthorized access.
2. Internal Network Optimization: It enables the efficient routing of internal network traffic by providing specific DNS responses to internal clients.
3. Customized DNS Configuration: This technique allows for customized DNS responses based on client location, offering greater flexibility in managing both internal and external DNS queries.

Understanding #

Step 1: Understand Your Network Layout #

• Identify Internal vs. External Resources: Begin by understanding the difference between your internal (private) and external (public) network resources. Internal resources might include private servers, while external resources could be your company’s main website.
• Map Network Infrastructure: Sketch a basic map of your network to visualize where these resources are and how they are connected.

Step 2: Set Up DNS Zones #

• Create Internal Zone: Set up a DNS zone that will serve internal clients. This zone will include records only accessible to users within your organization.
• Create External Zone: Similarly, establish an external DNS zone for public-facing services. This zone will be accessible from the internet.
• Assign Zone Names: Choose clear and descriptive names for each zone to avoid confusion.

Step 3: Configure DNS Server Software #

• Install DNS Server: Choose and install DNS server software that supports split-brain configuration, such as BIND or Microsoft DNS.
• Zone Configuration: Configure your DNS server software to recognize the two separate zones you’ve created. This typically involves editing configuration files or using a management interface.
• Access Permissions: Set permissions in the DNS software to ensure internal users can only access the internal zone and vice versa.

Step 4: Define Views or Policies #

• What Are Views/Policies: These are rules in your DNS server that control which DNS zone is visible to which user based on their network location.
• Create Views: Configure views in your DNS server. For example, create an “internal view” that includes records from your internal zone and an “external view” for the external zone.
• Set Criteria: Define criteria in your DNS server settings that determine whether a client should be given the internal or external view. This is usually based on the client’s IP address.

Step 5: Input DNS Records #

• Gather Records: Collect all necessary DNS records for both internal and external zones. This includes A records, MX records, CNAME records, etc.
• Input Records: Carefully input these records into the respective zones in your DNS server. Double-check for accuracy.

Step 6: Test Your Setup #

• Internal Testing: From a device on your internal network, try accessing both internal and external resources to ensure they resolve correctly.
• External Testing: Perform similar tests from an external network, like a home network, to verify that only the external resources are accessible.
• Troubleshooting: If something isn’t working as expected, review your configurations for any errors or omissions.

Step 7: Monitoring and Maintenance #

• Regular Checks: Periodically check the functionality of your DNS setup to ensure it’s working as intended.
• Update Records: Keep your DNS records up to date with any changes in your network infrastructure.
• Security Monitoring: Keep an eye on security logs for any unusual activity.

Refined Implementation Guide for Split-Brain DNS #

Step 1: Creating Client Subnets #

Client subnets help differentiate between internal and external DNS queries.

Commands:

# Define subnets for internal clients (replace with your internal IP ranges) Add-DnsServerClientSubnet -Name "Internal-Subnet-01" -IPv4Subnet "10.10.0.0/24" Add-DnsServerClientSubnet -Name "Internal-Subnet-02" -IPv4Subnet "10.10.1.0/24" # Define a subnet for external clients Add-DnsServerClientSubnet -Name "External-Subnet" -IPv4Subnet "0.0.0.0/0"

Step 2: Configuring Recursion Scopes #

Recursion scopes control whether the DNS server can query other servers to resolve a DNS query.

Commands:

# Default recursion scope set to false to prevent external DNS queries Set-DnsServerRecursionScope -Name "Default" -EnableRecursion $False # Create a new recursion scope for internal clients Add-DnsServerRecursionScope -Name "InternalScope" -EnableRecursion $True

Step 3: Establishing DNS Policies #

DNS policies direct how queries from different subnets are handled.

Commands:

# Allow internal DNS queries to be resolved normally Add-DnsServerQueryResolutionPolicy -Name "InternalPolicy" -Action ALLOW -ClientSubnet "EQ,Internal-Subnet-01;Internal-Subnet-02" -RecursionScope "InternalScope" -ServerInterfaceIP "EQ,[Your_Server_IP]" # Block or ignore external DNS queries to mitigate attacks Add-DnsServerQueryResolutionPolicy -Name "ExternalBlockPolicy" -Action IGNORE -ClientSubnet "EQ,External-Subnet"

Step 4: Verify and Adjust Policy Order #

The order in which policies are processed can be critical. Ensure external block policy has the highest priority.

Commands:

# View current policy order Get-DnsServerQueryResolutionPolicy # Adjust policy order if needed (not directly supported in PowerShell, but check for any updates or workarounds)

Step 5: Testing the Configuration #

Test your DNS settings from both internal and external networks to ensure they behave as expected.

Commands:

# From an internal client nslookup internal.example.com [DNS_Server_IP] # From an external source (e.g., a home network) nslookup external.example.com [DNS_Server_IP]

Step 6: Monitoring and Adjustments #

Regular monitoring helps identify and rectify any issues promptly.

Commands:

# Monitor DNS server logs Get-EventLog -LogName "DNS Server"

Additional Points for Beginners: #

• Understand the Concepts: Make sure you understand what DNS, subnets, and recursion are before proceeding.
• IP Ranges: Replace placeholders like [Your_Server_IP] with actual IP addresses specific to your network.
• Testing: Use tools like nslookup or dig to test DNS resolutions from different network locations.
• Documentation: Keep a detailed record of all configurations and changes for future reference.
• Firewall Settings: Ensure your firewall settings complement your DNS configurations for added security.

By carefully following these steps and using the provided CLI commands, you should be able to effectively set up Split-Brain DNS to manage internal and external DNS queries while mitigating the effects of DNS attacks. This setup is crucial in environments that require distinct internal and external DNS resolutions, especially under the threat of external attacks.

Best Practices for Split-Brain DNS #

• Network Segmentation: Clearly differentiate between internal and external networks, possibly using firewalls or routers.
• Update DNS Records Regularly: Ensure that both internal and external DNS zones are kept up-to-date with accurate DNS records.
• Secure Your DNS Infrastructure: Implement security measures like access controls, DNSSEC, and regular security audits.
• Conduct Thorough Testing: Test extensively to verify that the correct DNS responses are being served to the appropriate clients.
• Documentation and Change Management: Keep detailed records of your Split-Brain DNS setup and adhere to strict change management protocols for any modifications.

Conclusion #

Split-Brain DNS is a powerful technique for managing different DNS needs of internal and external network clients. By isolating internal resources, optimizing internal network traffic, and offering flexible DNS configurations, it supports a secure and efficient DNS infrastructure. Following the outlined best practices and implementation steps will help ensure a successful deployment of Split-Brain DNS in your organization.