[dns-operations] A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Bill Woodcock woody at pch.net
Tue Feb 26 09:48:16 UTC 2019



> On Feb 25, 2019, at 8:32 AM, Doug Barton <dougb at dougbarton.email> wrote:
> 
> On 2019-02-23 10:17 PM, Bill Woodcock wrote:
>> We’re switching to split-horizon DNS, such that nothing else which requires authentication will be resolvable without first being on the VPN.
> 
> If you're going to go through that level of trouble, why not instead do it right, and put the sensitive hosts in their own zone, which is only visible on the internal resolvers?

Yes, that’s exactly what we’re doing.  I’ve always understood that to be the definition of split-horizon, but perhaps I’m mis-using the term?  What would you call it?

                                -Bill
