Now that you have a good background on the special DNS techniques you can use, let’s discuss a very common and fairly secure way to deploy DNS within your organization: using the split DNS architecture.
As I’ve briefly mentioned previously in this chapter, the split DNS architecture scenario consists of a set of internal nameservers that are used within the corporate computing environment in daily operations. There are also one or more nameservers facing externally to the Internet, which outsiders use to connect to your corporation’s electronic services, but they are separated from the internal nameservers for security purposes. Outsiders who query for information from your external nameservers won’t be able to obtain information on your internal network structure and composition because the external nameserver is completely separate from the internal nameservers that hold this data. The external nameservers hold records only for externally facing servers and not for your entire internal domain. This technique is called the split DNS architecture because DNS information is split between the inside and the outside of an organization.
Split DNS is a great way to deploy Active Directory-compatible DNS services in your organization, but it isn’t the only way to deploy DNS.
Now is the time to introduce a new type of zone, introduced in Windows Server 2003, called the stub zone. Stub zones contain only a subset of the information contained in a regular forward or reverse lookup zone. Specifically, a stub zone contains the SOA record, any pertinent NS records, and the A records for the nameservers that are authoritative for that zone, and nothing more. Stub zones are useful for creating split DNS infrastructures, where internal DNS requests are serviced by internal machines and external DNS requests are serviced elsewhere, perhaps at a datacenter or Internet service provider.
Now, how do stub zones and conditional forwarding play into the split DNS architecture? In a couple of ways: for one, you might do business with an organization that occasionally needs to access systems that reside within your corporate firewall, not outside of it. Because the external nameservers have no information on your internal systems, there’s no default way using split DNS for outsiders to resolve canonical names within your firewall. To resolve this, you use stub zones, placed on the internal nameserver of the corporation with whom you’re doing business, which again contain only NS and SOA records. That way, when people query for resources that you host, they go to their local nameservers, and their local nameservers see the stub zones placed there about your organization with the proper name and IP address for your nameservers. In essence, any organization that hosts a stub zone for your domain always will know the names and addresses of your nameservers. Best of all, regular zone transfers will make sure the information inside these stub zones is kept up-to-date, but of course you must have permission to conduct these zone transfers.
Conditional forwarding operates very similarly to stub zones, except that where stub zones simply contain information about a foreign domain’s nameservers, conditional forwarding is used on the local nameserver to directly forward requests for information to the foreign nameserver. Unlike stub zones, conditional forwarders don’t automatically update when information changes, so manual intervention is required if you need to change the addresses or names of the foreign nameserver; however, you don’t need any special permissions on the foreign nameserver to use conditional forwarding because no zone transfers are involved. (I have not found that this process is scriptable, but this issue might be fixed in a future service pack or in Windows Server 2003 R2.) Some overhead is involved with conditional forwarding, however, if you have a large list of names to forward; the server has to check each and every request against this list, and if you have a large load on the server, this can slow down response time considerably for everyone hitting that particular server. For just a few zones, however, conditional forwarding can be the best solution, and it can be done without the foreign DNS hostmaster or administrator knowing or approving.
Both of these techniques are a major part of the split DNS architecture strategy. Let’s take an example corporation—one that is intending to use Active Directory and is deploying DNS with that in mind—with a primary and secondary nameserver for the external side of the infrastructure and a second set of primary and secondary nameservers for the internal side. A basic diagram of this infrastructure is shown in Figure 4-26.
Note that the first set of primary and secondary nameservers is outside the corporate firewall, and they take care of any external requests that come for the domain. In fact, the registrar that has the corporation’s domain registration lists these two nameservers as authoritative for that domain. However, the zone files on these servers are static—they list only a few, rarely changing items, which could be web, FTP, and mail servers. This is really all the public needs to know.
There are two points to note about this portion of the scenario:
If your ISP has been providing hosting for your nameservers, there’s no reason it can’t continue doing so. In fact, this is simpler to administer than hosting both sets of nameservers on your own premises.
Now let’s focus on the internal nameservers for this corporation. The primary nameserver on the internal side is configured as the primary nameserver for the internal zone and is instructed to accept dynamic DNS updates from internal workstations and servers. However, these internal servers are blind (at this point) to the fact that outside the firewall, another set of nameservers is holding the same zone name with different records. In addition, the workstations within the business are configured to think of the authoritative nameservers for the domain as the internal servers; this is where they will register themselves via dynamic DNS, and also where they will first look to resolve Internet names.
So, how do internal users resolve names on the Internet if they can’t see the external set of nameservers? It’s easy—the internal primary and secondary nameservers are configured to forward Internet requests to the external primary nameserver. So, if the address being requested by the client isn’t in the internal nameserver’s cache (meaning it hasn’t been requested recently by another client), it will ask the external nameserver for the answer. No zone transfers are involved—it’s just straight forwarding, as I covered earlier in this chapter. But how might external users resolve internal DNS names? The short answer is: they won’t. That’s a security feature. Because the external users know only about the external nameservers, and the external nameservers know only about themselves and not the internal nameservers, there’s no way for the external nameservers to report any information about internal DNS records inside the firewall.
The only problem you might run into is when internal users attempt to access the company’s own resources on the external side of the firewall; to allow this, simply add a static record to the internal nameservers that points to the correct external resource. You don’t introduce any security problems that way because there’s still no “window” for external users to see into your internal structure.
So, in essence, you have a DNS architecture “split” between internal and external nameservers. If you’re looking to reproduce this architecture, the following summarizes the correct procedure:
Create two sets of servers—one for in front of the firewall, and one for behind it. Install the DNS service on both.
Make every nameserver point to itself for its own DNS information; you do this within the network card properties where you indicate the IP address. There’s no need to configure a secondary nameserver for each of these.
Copy any external records your internal users might need to the internal zone. This includes web, mail, and FTP servers. Remember, if you don’t do this, your users won’t be able to resolve the names of anything outside the firewall.
Configure external forwarders—these are the machines to which your internal nameservers will forward requests so that your internal users can resolve Internet names.
Slave the internal set of nameservers to these external forwarders you created in the previous step. This shields them from the Internet’s blinding eye.
Configure all machines on the internal network to use only the internal nameservers. This allows them to register with Active Directory if appropriate and to find internal resources, which they couldn’t find if directed to the external nameservers outside the firewall.
Split DNS architecture is implemented with security in mind, but you always can take more steps to harden those DNS systems. You’ve already taken two steps in this process: for one, slaving the internal nameservers to the external forwarders eliminates the possibility that if the firewall of some other transmission problem prevents the external forwarder from responding, the internal nameserver will conduct its own search of the Internet. You obviously don’t want your internal nameservers touching anything on the outside of the firewall except those external forwarders.
The other step is the use of the
firewall to separate the two sets of nameservers from each other. You
need to ensure that the firewall that protects the perimeter of your
corporate network from the endless bounds of the Internet is
configured correctly and locked down as tightly as possible. I
recommend the book
Building Internet Firewalls, Second
Edition (O’Reilly) for very detailed and
thorough guidance on this topic. You’ll especially
want to ensure that only a few ports, such as the DNS port, 53, are
Other than that, this architecture is fairly secure right after implementation.