Why we have a split-horizon DNS setup
When I wrote about how Chrome may start restricting requests to private networks, I said that we have a split-horizon DNS setup, where people inside our network perimeter see different DNS than people outside it. You might wonder why we go to the effort of having such a thing, especially when it can cause problems with things like DNS over HTTPS. One sufficient answer is that it's required because we have public websites that are actually on private internal IPs, which means that people inside (who must talk to the private IPs instead of the public ones) must get different DNS answers than outside people. But there's another reason that would probably drive us to split-horizon DNS even without the first issue.
In our network layout, we have a lot of internal machines that are on subnets with private IP addresses; in fact, most of the machines on our networks are in private IP address space. These machines need DNS names, both for us (to keep track of them) and sometimes for other people (to talk to them). Using split-horizon DNS means that we can avoid leaking private IP addresses into public DNS results (well, more or less) while still allowing people to have names under our public subdomain for internal machines.
(Leaking private IPs into public DNS results is socially discouraged and can cause other people to experience odd problems, such as when they look up one of your names and wind up connecting to one of their own internal machines by surprise. Under some circumstances this can look like an attack. In some places, leaking internal names to the outside would also be a security issue.)
Doing split-horizon DNS also makes it simpler to have a single stealth master DNS server that contains both purely internal DNS zones in a private TLD as well as our public DNS. Having a purely internal DNS TLD allows internal machines to have much shorter 'fully qualified' names than if they had to be in an internal subdomain of our university subdomain. The typical internal machine has a three component fully qualified name; if we had to embed them in an internal subdomain it would be six components (since our public subdomain is already three on its own).
(By the Wikipedia definition, running separate internal and external DNS servers is already 'split-horizon DNS', but I don't really think of it that way. These days, everyone separates internal resolving DNS servers from non-recursive public DNS servers, making it possible to do all sorts of odd things to the configuration of your internal resolving DNS servers to shim in zones and alter your zones. Our split-horizon DNS is the old sort, where our stealth master DNS server has two versions of reality and which one it tells you about depends on what your IP address is. Our internal resolvers get one version, while our external DNS servers get another.)
|
|