Before looking at the Split Domain Name System, let's recap how normal DNS resolution works for Internet traffic. DNS resolves names to IP addresses. When an Internet client opens a web browser and types www.networkinterview.com:
- The Internet client goes through the DNS resolution process and reaches the external DNS server
- The external DNS server hosts the networkinterview.com zone
- The DNS server answers the Internet client with the IP address of the web server that hosts www.networkinterview.com, i.e. the address assigned to that name
- The Internet client then makes a direct connection to that web server
- The web page is served back to the Internet user
Normal DNS Working
In the above image, normal DNS performs the following steps:
- Intranet user (internal user): the internal user initiates a connection to the website www.networkinterview.com, which is hosted on the Internet. The query reaches the local DNS server.
- Local DNS server: forwards the query towards the Internet firewall.
- Firewall to Internet cloud: the firewall reaches the Internet and communicates with the global/ISP DNS to locate the publicly hosted server.
- ISP DNS/Internet cloud to web server: the query reaches the DNS server responsible for the publicly hosted server, and the reply returns to the firewall. The answer then travels back to the local DNS server, from where intranet users receive the resolution and can open the URL.
In more detail, the process works as follows. When an INTRANET (not Internet) client opens a browser and types www.networkinterview.com:
- The session contacts the company's local DNS server
- The local DNS server is not authoritative for networkinterview.com
- The local server therefore tries to locate a DNS server that can answer, following its configured resolution path
- It forwards the query to another DNS server, typically the DNS server provided by the ISP
- Eventually the request reaches the DNS server on the Internet that holds the record for www.networkinterview.com; that server responds with the web server's IP address, which travels back from the Internet zone to the local DNS server
- The local DNS server responds to the local intranet client
- The local client can now connect to the web server directly
So, this is how a normal DNS server works for internal and external hosts.
Split DNS or Split Domain Name System Working
When Split Domain Name System is introduced on the local DNS server, the traffic flow changes as follows:
- The first step is to host the zone containing www.networkinterview.com on the local DNS server as well
- The networkinterview.com zone is then available on both the internal and the external DNS server
- For Internet clients nothing changes in this scenario
- For the INTRANET client, however, when the browser is opened to connect to www.networkinterview.com, the request goes to the local DNS server
- The internal (local) DNS server is now authoritative for the networkinterview.com zone
- It therefore answers the intranet client itself, without performing any further resolution
- If the www record does not exist in the internal copy of the networkinterview.com zone, DNS resolution fails for the INTRANET client
- In a split DNS design, every record stored in the external DNS zone must therefore also be present in the internal DNS zone
So, for the INTRANET client to reach the web server www.networkinterview.com, the admin must add a record www.networkinterview.com and map it to the IP address of the server on the Internet. The next time the INTRANET client opens the URL and contacts the local DNS server, the local DNS server has the information it needs to refer the client directly to the web server.
The DNS admin must include all records found in the external DNS zone on the internal/local DNS server.
Split DNS: Implementation Plan
To implement Split-DNS in any network we need two different zones for the same domain. As discussed before, one zone answers internal domain requests and the other zone answers external domain queries from the outside world.
The external zone database can be configured like this (the public addresses are placeholders from the RFC 5737 documentation range; in practice they are the NAT addresses on the firewall):
```
; external zone for networkinterview.com
www   A  203.0.113.1
ftp   A  203.0.113.1
mail  A  203.0.113.3
```
Whenever external users access www.networkinterview.com from outside, their traffic reaches the NAT IP address (the external zone address) on the firewall. When external users use the FTP or SMTP (email) ports, the firewall redirects that traffic to the same internal server, but the redirection ports differ.
The internal zone database, which answers internal queries, is configured like this (CNAME targets end with a dot so the zone origin is not appended a second time; the A record for the FTP host uses the same name the CNAMEs point at):
```
; internal zone for networkinterview.com
www        CNAME  webserver.networkinterview.com.
ftp        CNAME  ftpserver.networkinterview.com.
mail       CNAME  exchange.networkinterview.com.
exchange   A      10.10.10.12
webserver  A      10.10.10.33
ftpserver  A      10.10.10.22
```
When internal users access www.networkinterview.com on port 80, their query is answered by the internal zone. The CNAME for www resolves to the A record of webserver.networkinterview.com, and the request is sent to 10.10.10.33.
Similarly, when internal users connect to the FTP server on port 21, the CNAME for ftp resolves to the A record of ftpserver.networkinterview.com, i.e. the internal server IP address 10.10.10.22.
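The following toy resolver is an added example, not code from the article: it models the two zone databases above as a split view, chases the internal CNAMEs, and implements the audit the earlier section requires (a name present in the external zone but missing internally makes intranet resolution fail). The record data is constructed; the public addresses use the RFC 5737 documentation range.

```python
# Added example, not code from the article: a toy split-view resolver over
# the two zone databases above, plus the audit the article requires (every
# name in the external zone must also resolve in the internal zone).
# Record data is constructed; public IPs use the RFC 5737 documentation range.
EXTERNAL_ZONE = {                      # Internet-facing zone
    "www":  ("A", "203.0.113.1"),
    "ftp":  ("A", "203.0.113.1"),
    "mail": ("A", "203.0.113.3"),
}
INTERNAL_ZONE = {                      # intranet zone, same domain name
    "www":       ("CNAME", "webserver"),
    "ftp":       ("CNAME", "ftpserver"),
    "mail":      ("CNAME", "exchange"),
    "exchange":  ("A", "10.10.10.12"),
    "webserver": ("A", "10.10.10.33"),
    "ftpserver": ("A", "10.10.10.22"),
}

def resolve(name, zone, max_hops=8):
    """Resolve `name` inside one authoritative zone, chasing CNAMEs.
    Returns None when the name is absent: because the server is
    authoritative it will not forward the query, so the client simply fails."""
    seen = set()
    for _ in range(max_hops):
        if name in seen:               # CNAME loop guard
            return None
        seen.add(name)
        rec = zone.get(name)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return value
        name = value                   # CNAME: follow the target
    return None

def split_view_answer(name, client_is_internal):
    """The answer a client receives depends only on which server it asks."""
    return resolve(name, INTERNAL_ZONE if client_is_internal else EXTERNAL_ZONE)

def missing_internal_records(external=EXTERNAL_ZONE, internal=INTERNAL_ZONE):
    """Names the Internet can resolve but intranet users cannot: run this
    audit after every change to the external zone."""
    return {n for n in external if resolve(n, internal) is None}

if __name__ == "__main__":
    print(split_view_answer("www", True), split_view_answer("www", False))
    print(missing_internal_records())
```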
Split DNS: Benefits
- Attackers from the public network or outside world cannot learn the details of internal services that they would need to attack the servers from the untrust zone
- The local DNS server keeps its own separate set of DNS records
- The local DNS records provide all the relevant information to the client from that set, avoiding the exposure of internal services
- The admin can host internal services only for internal users and external services only for external users, which lets the admin control access to services/applications
Speed-up Network Performance
- Split-DNS directs each query to the DNS server closest to the client, which improves response time.
- Generally, external traffic goes to the external DNS server and the internal DNS server handles intranet user requests.
Solution for using the same domain name for external and internal applications
- We can use different domain names for internal and external resources
Split DNS keeps applications and resources hidden from the outside world or untrust zone. DNS traffic can also be split between two different DNS servers over a secure tunnel: an encrypted DNS tunnel carries the communication between users and DNS servers, which adds another layer of security to the network. Split-DNS thus improves both performance and security in the network.