Steve Bellovin <smb @
> The split-brain DNS is a problem when you have a domain and
> subdomains behind the firewall. The solution we know is to declare
> the DNS server of the parent domain as a secondary server for every
> existing subdomain. This solution is not really great since we can't
> resolve Internet names from a subdomain.
> We are currently using the 4.9.3-REV and testing the 4.9.4 of BIND
> but no improvement seems to be done...
> There will be a paper by Bill Cheswick and myself addressing some of
> these issues, to be presented at the Usenix UNIX Security Conference 7/22-25.
I just recently got sick of the problem, and did a short
term hack that works pretty nicely. Basically, you extend the
syntax of resolv.conf to include specifiers saying "this domain
resolves against this server" and run all the applications on
the firewall linked against the modified resolver library. The
firewall runs a nameserver with a partial database that is public
and you insert patterns telling the firewall's applications to
resolve yourdomain.domain against your internal nameserver. It
I've put a brief write-up of how it works, and a patch
file (against some version or other of bind) on
http://www.clark.net/pub/mjr under the section entitled "stuff."
It's completely unsupported, etc, etc. Do not take internally,
consult a doctor if accidentally ingested, etc, etc.
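The routing rule described in the reply above (names under the internal domain go to the internal nameserver, everything else to the firewall's public server) is easy to get subtly wrong, so here is an added example of that selection logic. It is not the poster's patch or any BIND code: the `domain-server` keyword, the addresses and the sample file are assumptions constructed for this illustration. It does the longest-suffix match on whole labels, so a rule for `example.com` cannot be tricked into matching `notexample.com`, and a deeper subdomain rule overrides its parent's.

```python
"""
Split-horizon resolver routing: choose which nameserver should answer a
query from the queried name's domain suffix.

Hypothetical extended resolv.conf syntax (an assumption for this example;
the keyword used by the original patch is not given in the post):

    nameserver <ip>               default server(s), used when no rule matches
    domain-server <suffix> <ip>   names at or under <suffix> go to <ip>
"""
from dataclasses import dataclass, field


@dataclass
class ResolverConfig:
    default_servers: list = field(default_factory=list)
    domain_servers: dict = field(default_factory=dict)  # normalized suffix -> server


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot so that
    # "corp.example.com." and "CORP.example.com" compare equal
    return name.rstrip(".").lower()


def parse_resolv(text: str) -> ResolverConfig:
    """Parse the hypothetical extended resolv.conf format above."""
    cfg = ResolverConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) == 2:
            cfg.default_servers.append(fields[1])
        elif fields[0] == "domain-server" and len(fields) == 3:
            cfg.domain_servers[_normalize(fields[1])] = fields[2]
        else:
            # Reject anything unexpected rather than silently routing queries
            raise ValueError(f"unrecognized resolv.conf line: {raw!r}")
    return cfg


def select_server(name: str, cfg: ResolverConfig) -> str:
    """Return the server that should answer a query for `name`.

    Matching is on whole labels (so "example.com" does not match
    "notexample.com"), and the longest matching suffix wins, so a rule for
    a deeper subdomain overrides the rule for its parent.
    """
    qname = _normalize(name)
    best_suffix = None
    for suffix in cfg.domain_servers:
        if qname == suffix or qname.endswith("." + suffix):
            if best_suffix is None or len(suffix) > len(best_suffix):
                best_suffix = suffix
    if best_suffix is not None:
        return cfg.domain_servers[best_suffix]
    if not cfg.default_servers:
        raise LookupError(f"no nameserver configured for {name}")
    return cfg.default_servers[0]


# Constructed sample configuration for a firewall host (not from the post)
SAMPLE_RESOLV_CONF = """
nameserver 192.0.2.53                    # public partial-database server on the firewall
domain-server example.com 10.0.0.53      # internal zone -> internal nameserver
domain-server lab.example.com 10.0.1.53  # deeper subdomain with its own server
"""

if __name__ == "__main__":
    cfg = parse_resolv(SAMPLE_RESOLV_CONF)
    for host in ("www.example.org", "mail.example.com",
                 "host.lab.example.com", "notexample.com"):
        print(f"{host:24} -> {select_server(host, cfg)}")
```

Because the firewall's applications are linked against this resolver, an internal name never leaves the firewall for the public server, and a public name is never sent to the internal one; the label-boundary check is what keeps a look-alike external name from being routed inside.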