[dns-operations] A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Tony Finch dot at dotat.at
Tue Feb 26 15:29:06 UTC 2019

Bill Woodcock <woody at pch.net> wrote:
> I’ve always understood that to be the definition of split-horizon, but
> perhaps I’m mis-using the term?  What would you call it?

I make a distinction between private zones (which are either nonexistent
or invisible or empty on the outside) and split views where the public
view of a zone is non-trivially different from the private view. But is
is a somewhat blurry distinction.

Beware that with DNSSEC it's difficult to make a private zone nonexistent
outside; and if you just refuse queries you'll get a load of junk retries
for private names, depending on how much they leak out. (Ours leak a lot,
but we are using them more for RFC 1918 hygiene rather than security.) So
in my experience a private zone works best if there's an empty
place-holder public view.

Another more recent trap is TLS certificates: CAA checks require more
thorough DNS checks by CAs. This was the practical push for us to switch
from refusing external queries for private zones, to returning NXDOMAIN
instead. And if you want to use Let's Encrypt for internal-only services,
your only option is to use the dns-01 challenge type and "somehow" get the
response into your private zone's no-longer-empty public view.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Malin, Southeast Hebrides: Southerly or southeasterly, veering southwesterly
later, 4 or 5. Rough or very rough, becoming moderate or rough later. Mainly
fair. Good, occasionally poor.

More information about the dns-operations mailing list