Use of private and public DNS with DNSSEC

dnssecdomain-name-systeminternal-dns

My company, 'example.com', has a public host www.example.com. The (legacy Windows managed) internal network has several internal hosts internalhost1.example.com, internalhost2.example.com and so on.

The internal network has an internal private authoritative DNS server for example.com. The public DNS server is hosted somewhere on the internet. External users on the internet cannot resolve the internal hosts, they are not available on the public DNS server. Internal users can resolve internal hosts because they are using the internal DNS server to resolve.

Now the public DNS is in the process of getting secured by DNSSEC. I have verified that currently the internal clients do not seem to care that the external DNS is secured by DNSSEC, they just continue trusting the internal DNS server, the clients are 'non-validating'.

Now my question is if there is any plan or roadmap to force all clients to validate DNSSEC? How long will the above setup work if we secure the public DNS with DNSSEC and keep the private DNS non-DNSSEC? A year? Ten years? Forever? Should we convert our internal domain to example.local or can we leave it example.com?

Best Answer

TLDR; if you manage your workstations then your workstations will always work as you expect.

Internal systems should've been a subdomain of the public domain and then you can delegate/sign the internal zone with your parent domain, and would also no longer need split DNS as your external records (www.example.com) would resolve externally, you CAN add A records that point internally, externally, but you cannot add glue records for internal IPs. Also I would recommend always using a domain name you control, and not a factitious example.local and absolutely not a domain.companytld

Windows (Named Resolution Policy Table (NRPT)) and linux (systemd-resolve) both support client-side settings for DNSSEC validation as well as the ability to specify what domains should always be signed.

Other things to consider, DoH (DNS over HTTPS) which could bypass all your existing security and dns manipulations.

Related Solutions

Overriding some DNS entries in BIND for internal networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Windows 2003 DNS server and DNS SEC

From what you've said I'm presuming that this is a recursive server, and not an authoritative server.

From the details given, you should have no problems. Your network apparently supports responses > 512 bytes, and your server supports EDNS0.

In any event, you will only ever have problems if your server sends queries to external servers that have the DO bit (DNSSEC OK) set.

Without that flag all responses from the root servers (and any other authoritative servers for that matter) will look exactly the same come May 5th as they did before DNSSEC.

The only other thing you should check is that your network permits outbound DNS queries to work over TCP - so don't ever block outbound tcp/53 on your firewall.

If you need more help, please ask. I'm the author of various ICANN and IETF documents relating to this issue.

Best Answer

Related Solutions

Overriding some DNS entries in BIND for internal networks

Windows 2003 DNS server and DNS SEC

Related Topic