Why do I need split DNS?
Split DNS frees users from having to use the same domain name to access internal and external network resources. In this guide, you will learn about the benefits of split DNS and ways of implementing it with Tailscale.
What is split DNS?
When you connect devices together in the same network, each device needs to be able to communicate with every other device. Each one also needs to be able to identify every other device on that network uniquely. In most cases, each device on a network will have its own IP address. IP addresses are either assigned to every network interface (such as the ethernet or Wi-Fi card used to connect to that network) by the router, or they are randomly assigned by convention, depending on which version of IP is being used. IP addresses also have a numeric representation such as 192.168.2.14
or fe80::8858:c070:1192:6168
. Some people are able to remember these easily, but most people find it easier to remember names like tailscale.com
instead of IP addresses like 37.16.9.210
; this is why we need DNS. But computers want to be able to connect to IP addresses, so there needs to be some kind of translation step.
In most networks, this translation is done with a protocol called Domain Name System (DNS). Herein lies the importance of DNS, DNS receives questions like “What is the IPv4 address of tailscale.com
?” and responds with answers like 37.16.9.210
. Over time, this has become one of the most important protocols of the internet and helps the internet to scale, but most people outside the networking world have little or no understanding of it. DNS was designed to have the same questions result in the same answers everywhere in the world, which allows users to never have to think about IP addresses. Without this critical invention, the modern internet would not be possible.
When you set up a split DNS (also known as “split horizon” or “split-brain”) configuration, you create a DNS server that answers with a set of records that aren’t used on the public internet. Then you need to configure your computer to “split up” its queries between different servers. This allows you to send queries for every domain ending in .internal.example.com
to an internal DNS server so that you can privately expose services without the DNS names being visible to the public internet.
This has been used to provide security through obscurity because it allows you to hide the names of internal network resources from external clients. This also helps prevent DNS cache poisoning attacks that could let an attacker access cookies or other secrets for internal services.
This is typically configured by using the native DNS configuration interface for every client operating system you use. This setup is fraught with opportunities for error and is typically very easy to mess up, which can have unexpected effects across your network. Some client operating systems such as FreeBSD do not have native split DNS configuration support, so you will need to have a backup DNS server that does that split DNS querying for you. It is a huge mess.
Where can I use split DNS?
You can use split DNS to namespace internal services in such a way that attackers from the public internet can’t easily use names of internal services to attack them from outside. A private DNS server can have a separate set of DNS records to keep track of. Clients can be configured to use this DNS server for certain queries to avoid those requests going over the public internet.
Split DNS configurations have also been used in order to avoid problems related to NAT hairpinning. This happens when you have a service that is hosted behind an NAT gateway that you want to expose to the internet using a public IP address, but your NAT gateway doesn’t allow other devices on that network to connect to that service using the public IP address. To work around this, the DNS entry for that service for the public internet can be set to the public address of the NAT gateway, and another DNS server can return the internal private IP address of the service in question.
Implementing split DNS using Tailscale
Tailscale makes implementing split DNS easy. With Tailscale, each device in your network is assigned a unique IP address that does not change, regardless of where the device is located. Every machine on your tailnet can be accessed by this address, which makes it easy to connect to FTP servers, internal services, and any of the other things you can do with computer networks.
However, these IP addresses aren’t as easy for humans to remember as names are. Tailscale solves this by allowing you to use each machine’s hostname to connect to it using MagicDNS. This allows you to address a machine as either www
or its full legal www.example.com.beta.tailscale.net
. This feature uses a split DNS configuration for your tailnet’s addresses so that the DNS names only work within your tailnet. Every machine on your tailnet is its own DNS server, which also allows DNS to be extremely reliable when using Tailscale.
To implement split DNS using Tailscale:
- Log in to your Tailscale account, then navigate to the DNS page on the admin console. This is where you can configure the split DNS setting for your network.
- On the DNS page, assign a name to your server using the Add Nameserver drop-down menu. From this drop-down, select the Custom option, then input the IPv4 or IPv6 address of the internal DNS server that is to be used to resolve internal queries.
- Finally, toggle the Restrict search domain button, fill the subsequent field with the desired web address name, and save the changes.
Benefits of using split DNS
There are many benefits to using a split DNS system. At a high level, you can think about it as your own private namespace for networked devices. Here are a few places where a split DNS configuration is a good idea.
Remote staff can access internal resources
With the recent expansion of remote work, one of the growing challenges organizations face is data security and privacy management. Split DNS adds a layer of obscurity to your organization’s network by making it difficult for external users to access internal services.
When you have both remote and local users in a network, you can configure internal-only DNS names for internal resources, services, servers, and applications. This lets you control your own DNS records so that you can have internal-facing applications be exposed only from inside your corporate network. These internal resources could be internal services that handle job postings, surveillance systems that aren’t exposed to the public internet, or anything that you can imagine using privately. It could even be an internal Minecraft server.
Improved network latency
A split DNS configuration allows DNS queries to be directed to the right server for the job. When setting up DNS servers, you are creating single points of failure that are very difficult to debug. A split DNS configuration for internal services means that your employees’ queries for Facebook, YouTube, or GitHub don’t result in additional load to your internal DNS server. This means your internal DNS server can go down and nothing else will be affected.
This also improves the experience for your employees in other offices or working remotely. They won’t need to deal with the latency to that internal DNS server every time they connect to a website on the internet; they will only need to deal with the latency when they connect to internal services. That added latency is what gives corporate VPNs their reputation for making internet connections slow.
Improved obscurity
Using a split DNS configuration lets you obscure the DNS responses for any domains you split off from public DNS. You can use this to separate out requests for internal-facing services to internal IP addresses, which lets you more easily separate internal requests from external ones.
Conclusion
A split DNS configuration is one way to help make sure that your internal services are secure. You can direct split DNS traffic to another server using a secure tunnel like Tailscale. This can be implemented with Tailscale or at the OS level directly. Tailscale allows you to set up split DNS configurations across all your devices and gives you an encrypted network tunnel, too.
FAQs
What is split DNS?
Split DNS - also known as split-brain DNS - is an infrastructure decision that allows you to separate your DNS server into two subdomains. When using a split DNS configuration, computers will direct DNS queries to different DNS servers based on the query being made.
Why would you use split DNS?
The main purpose of using split DNS is to hide the names of your internal network resources from the public. A split DNS configuration is an abstraction layer between your internal network resources and external users.
In addition to security and privacy management, split DNS can be used to allow remote staff to access internal resources, improve network latency, and allow administrative staff to have remote control over surveillance systems.
Is split DNS a security layer?
It depends. Split DNS is typically deployed in ways that let you obscure the DNS responses for internal services. Sometimes it is deployed to ensure that all DNS responses for internal services go over a secure tunnel like Tailscale. Sometimes it is deployed in an effort to reduce the risk of DNS cache poisoning.
Overall, split DNS is not a security layer, but it can be used to help you secure your systems by wiring it into other security layers.
Do I need split DNS?
It depends. Sometimes split DNS is used because it allows you to update the DNS records for internal-facing services faster than if you used the DNS servers for the public internet. Sometimes it is used to ensure that all DNS requests and responses go over a secure tunnel, because DNS is an unencrypted protocol. Sometimes it is used to work around technical limitations of the router your company uses. It really depends on the chosen set of tradeoffs between ease of use, obscurity, and record update speed.
What is split horizon DNS?
“Split horizon” is another term commonly used to describe what we are calling “split DNS” in this article.
What is a pinpoint DNS zone?
A pinpoint DNS entry is a DNS override for a single host only. This can be used to work around the NAT hairpinning issue mentioned earlier in this article.
What is DNS cache poisoning?
DNS cache poisoning (also known as DNS spoofing) is an attack where the attacker responds with the wrong DNS record for a given request faster than the actual DNS server can. This works because DNS is an unencrypted and unauthenticated protocol that travels over plaintext on the internet. This kind of attack is difficult to defend against, but can be mitigated for the important domains by using either DNSSEC or a split DNS configuration for your important services.
How can I prevent DNS cache poisoning attacks?
Using a split DNS configuration for important services such that the DNS server only listens over a secure tunnel like Tailscale is one of the most user-friendly approaches to prevent DNS spoofing. Options like DNSSEC are viable, but require very skilled and patient operators. Overall, DNS spoofing is such a low-level attack that it’s very difficult to fully prevent without a lot of effort.
Another strategy to prevent DNS spoofing attacks is to use DNS over HTTPS wherever possible. DNS over HTTPS uses a secure connection to perform DNS queries. When you set up a DNS server for your tailnet with Tailscale, Tailscale will automatically upgrade your client’s DNS requests to use DNS over HTTPS without any extra work required on your part.