From owner-freebsd-security Fri Jun 21 00:34:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA29289 for security-outgoing; Fri, 21 Jun 1996 00:34:47 -0700 (PDT)
Received: from uu.elvisti.kiev.ua (acc0.elvisti.kiev.ua [193.125.28.132]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id AAA29190 for ; Fri, 21 Jun 1996 00:34:01 -0700 (PDT)
Received: from office.elvisti.kiev.ua (office.elvisti.kiev.ua [193.125.28.129]) by uu.elvisti.kiev.ua (8.7.5/8.7.3) with ESMTP id KAA09969 for ; Fri, 21 Jun 1996 10:44:32 +0300 (EET DST)
Received: (from stesin@localhost) by office.elvisti.kiev.ua (8.6.12/8.ElVisti) id KAA26711 for security@freebsd.org; Fri, 21 Jun 1996 10:44:32 +0300
From: "Andrew V. Stesin"
Message-Id: <199606210744.KAA26711@office.elvisti.kiev.ua>
Subject: split-brain DNS (fwd) -- anyone cares to look and comment?
To: security@freebsd.org
Date: Fri, 21 Jun 1996 10:44:32 +0300 (EET DST)
X-Mailer: ELM [version 2.4 PL24alpha5]
Content-Type: text
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Forwarded message:

From: "Marcus J. Ranum"
Message-Id: <199606202017.QAA23317@clark.net>
Subject: split-brain DNS
To: Firewalls@GreatCircle.COM
Date: Thu, 20 Jun 1996 16:17:21 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD
Office Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve Bellovin writes:
> The split-brain DNS is a problem when you have a domain and
> subdomains behind the firewall. The solution we know is to declare
> the DNS server of the parent domain as a secondary server for every
> existing subdomain. This solution is not really great since we can't
> resolve Internet names from a subdomain.
> We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> but no improvement seems to be done...
>
> There will be a paper by Bill Cheswick and myself addressing some of
> these issues, to be presented at the Usenix UNIX Security Conference 7/22-25.

I just recently got sick of the problem, and did a short-term hack that
works pretty nicely. Basically, you extend the syntax of resolv.conf to
include specifiers saying "this domain resolves against this server" and
run all the applications on the firewall linked against the modified
resolver library. The firewall runs a nameserver with a partial database
that is public, and you insert patterns telling the firewall's applications
to resolve yourdomain.domain against your internal nameserver.

It just works.

I've put a brief write-up of how it works, and a patch file (against some
version or other of bind) on http://www.clark.net/pub/mjr under the section
entitled "stuff." It's completely unsupported, etc, etc. Do not take
internally, consult a doctor if accidentally ingested, etc, etc.

mjr.

--
With best regards -- Andrew Stesin.
+380 (44) 2760188  +380 (44) 2713457  +380 (44) 2713560

"You may delegate authority, but not responsibility."
Frank's Management Rule #1.
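The selection logic mjr describes (an extended resolv.conf that says "this domain resolves against this server", with everything else going to the firewall's public partial-database server) can be shown in a few dozen lines. The block below is an added example written for this archive page; it is not mjr's resolver patch from http://www.clark.net/pub/mjr, and the `domain-server <suffix> <ip>` line syntax, the `parse_resolv_conf` / `select_server` / `resolve_plan` names, and the sample configuration with 192.0.2.53, 10.0.0.53 and 10.1.0.53 are all assumptions made up for illustration. It goes a little beyond the message by handling nested subdomains with longest-suffix matching and by refusing to match a suffix that is not on a label boundary, which is the classic mistake in this kind of hack (`example.test` must not capture `notexample.test`).

```python
"""Split-brain resolver routing: pick which nameserver a query should go to.

Assumed extended resolv.conf syntax (hypothetical, not mjr's actual patch):
    nameserver <ip>                default server(s), as in standard resolv.conf
    domain-server <suffix> <ip>    queries at or under <suffix> go to <ip>
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (not from the original message).
SAMPLE_RESOLV_CONF = """\
# the firewall's own public nameserver: partial, externally visible database
nameserver 192.0.2.53
# internal zone, and a sub-zone served by a different internal server
domain-server example.test 10.0.0.53
domain-server lab.example.test 10.1.0.53
"""


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Www.Example.Test.' matches."""
    return name.rstrip(".").lower()


def parse_resolv_conf(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (default_nameservers, {suffix: server}) from the extended file.

    Unknown directives raise instead of being silently ignored: a typo in a
    domain-server line would otherwise leak internal names to the public server.
    """
    defaults: List[str] = []
    routes: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) == 2:
            defaults.append(fields[1])
        elif fields[0] == "domain-server" and len(fields) == 3:
            routes[normalize(fields[1])] = fields[2]
        else:
            raise ValueError(f"unrecognized resolv.conf line: {raw!r}")
    if not defaults:
        raise ValueError("no default nameserver configured")
    return defaults, routes


def select_server(qname: str, defaults: List[str], routes: Dict[str, str]) -> str:
    """Choose the server for qname.

    The longest matching domain-server suffix wins, so lab.example.test beats
    example.test for host.lab.example.test; with no match the first default
    nameserver (the firewall's public one) is used.
    """
    name = normalize(qname)
    best: Optional[str] = None
    for suffix in routes:
        # Match only on a label boundary: example.test must not capture
        # notexample.test, which would send a public query to an internal server.
        if name == suffix or name.endswith("." + suffix):
            if best is None or len(suffix) > len(best):
                best = suffix
    return routes[best] if best is not None else defaults[0]


def resolve_plan(qnames: List[str], config_text: str = SAMPLE_RESOLV_CONF) -> Dict[str, str]:
    """Map each query name to the nameserver it would be sent to."""
    defaults, routes = parse_resolv_conf(config_text)
    return {q: select_server(q, defaults, routes) for q in qnames}


if __name__ == "__main__":
    plan = resolve_plan([
        "www.example.test",
        "host.lab.example.test",
        "notexample.test",
        "www.freebsd.org.",
    ])
    for qname, server in plan.items():
        print(f"{qname:28} -> {server}")
```

In a real resolver library this selection would sit in front of the code that opens the UDP socket to the nameserver, so that every application linked against it (mjr's "all the applications on the firewall") inherits the routing without per-program configuration. The same split is what later resolvers expose as forward zones; the security-relevant property is the one the boundary check enforces: internal suffixes go inside, everything else goes to the public partial database, and nothing leaks across.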