Date:      Fri, 21 Jun 1996 10:44:32 +0300 (EET DST)
From:      "Andrew V. Stesin" <stesin@elvisti.kiev.ua>
To:        security@freebsd.org
Subject:   split-brain DNS (fwd) -- anyone cares to look and comment?
Message-ID:  <199606210744.KAA26711@office.elvisti.kiev.ua>

Forwarded message:
From: "Marcus J. Ranum" <mjr@clark.net>
Message-Id: <199606202017.QAA23317@clark.net>
Subject: split-brain DNS
To: Firewalls@GreatCircle.COM
Date: Thu, 20 Jun 1996 16:17:21 -0400 (EDT)
Reply-To: mjr@v-one.com
Organization: V-One Corporation, Baltimore, MD Office
Phone: 410-889-8569
X-Mailer: ELM [version 2.4 PL24alpha3]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

Steve Bellovin <smb@research.att.com> writes:
>	 The split-brain DNS is a problem when you have a domain and
>	 subdomains behind the firewall. The solution we know is to declare
>	 the DNS server of the parent domain as a secondary server for every
>	 existing subdomain. This solution is not really great since we can't
>	 resolve Internet names from a subdomain.
>	 We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
>	 but no improvement seems to be done...
>
>There will be a paper by Bill Cheswick and myself addressing some of
>these issues, to be presented at the Usenix UNIX Security Conference 7/22-25.

	I just recently got sick of the problem, and did a short
term hack that works pretty nicely. Basically, you extend the
syntax of resolv.conf to include specifiers saying "this domain
resolves against this server" and run all the applications on
the firewall linked against the modified resolver library. The
firewall runs a nameserver with a partial database that is public
and you insert patterns telling the firewall's applications to
resolve yourdomain.domain against your internal nameserver. It
just works.
	I've put a brief write-up of how it works, and a patch
file (against some version or other of bind) on
http://www.clark.net/pub/mjr  under the section entitled "stuff."
It's completely unsupported, etc, etc. Do not take internally,
consult a doctor if accidentally ingested, etc, etc.

mjr.


-- 

	With best regards -- Andrew Stesin.

	+380 (44) 2760188	+380 (44) 2713457	+380 (44) 2713560

	"You may delegate authority, but not responsibility."
					Frank's Management Rule #1.
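The resolver-side trick Ranum describes above (a per-domain "resolve this suffix against that server" rule in resolv.conf, with the public partial zone as the default) is easy to see in a few lines of code. The following is an added illustration written for this archive page; it is not Ranum's patch and not BIND code, and the `forward` directive, the domain names and the nameserver addresses are all constructed for the example. It only decides which server an application on the firewall would ask for a given name; it sends no DNS traffic.

```python
"""Resolver-side split DNS: choose the nameserver by domain suffix.

Added example, not the resolver patch the message refers to. The
"forward <suffix> <server>" directive is a hypothetical extension of
resolv.conf syntax invented here to stand in for whatever the real
patch used; all addresses and names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an extended resolv.conf on the firewall host.
SAMPLE_RESOLV_CONF = """\
# ordinary lines: the firewall's public (partial) nameserver is the default
nameserver 192.0.2.53
search corp.example.net example.net

# hypothetical extension: names under these suffixes go to internal servers
forward corp.example.net 10.0.0.53
forward lab.corp.example.net 10.0.1.53
"""


@dataclass
class ResolvConf:
    default_servers: List[str] = field(default_factory=list)
    search: List[str] = field(default_factory=list)
    forward: Dict[str, str] = field(default_factory=dict)  # suffix -> server


def normalize(name: str) -> str:
    """Strip a trailing dot and fold case so suffix comparison is exact."""
    return name.rstrip(".").lower()


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the standard keywords plus the hypothetical 'forward' rule."""
    conf = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver" and args:
            conf.default_servers.append(args[0])
        elif keyword == "search":
            conf.search = [normalize(d) for d in args]
        elif keyword == "forward" and len(args) == 2:
            conf.forward[normalize(args[0])] = args[1]
        # unknown keywords are ignored, as the real resolver does


    return conf


def select_server(name: str, conf: ResolvConf) -> str:
    """Pick the server for one fully qualified name.

    The longest matching suffix wins, so a rule for lab.corp.example.net
    overrides the broader corp.example.net rule. The match is on label
    boundaries: notcorp.example.net does not match corp.example.net.
    """
    n = normalize(name)
    best: Optional[Tuple[str, str]] = None
    for suffix, server in conf.forward.items():
        if n == suffix or n.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, server)
    if best is not None:
        return best[1]
    if not conf.default_servers:
        raise LookupError("no nameserver configured")
    return conf.default_servers[0]


def plan_queries(name: str, conf: ResolvConf) -> List[Tuple[str, str]]:
    """Expand an unqualified name through the search list, then pair each
    candidate with the server that should answer for it. Names containing
    a dot are tried as given."""
    n = normalize(name)
    if "." in n or not conf.search:
        candidates = [n]
    else:
        candidates = [f"{n}.{d}" for d in conf.search] + [n]
    return [(c, select_server(c, conf)) for c in candidates]


if __name__ == "__main__":
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for q in ("www.corp.example.net", "host.lab.corp.example.net.", "www.example.com", "intranet"):
        print(q, "->", plan_queries(q, cfg))
```

The security-relevant detail is the boundary check in `select_server`: a naive `endswith("corp.example.net")` would also send queries for `notcorp.example.net` to the internal server, leaking internal lookups outward or answering external names from the wrong zone. The default server is the firewall's own public nameserver, so nothing about the internal namespace has to be visible from outside.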


