Why do I need split DNS?

What is split DNS?

When you connect devices together in the same network, each device needs to be able to communicate with every other device. Each one also needs to be able to identify every other device on that network uniquely. In most cases, each device on a network will have its own IP address. IP addresses are either assigned to every network interface (such as the ethernet or Wi-Fi card used to connect to that network) by the router, or they are randomly assigned by convention, depending on which version of IP is being used. IP addresses also have a numeric representation such as 192.168.2.14 or fe80::8858:c070:1192:6168. Some people are able to remember these easily, but most people find it easier to remember names like tailscale.com instead of IP addresses like 37.16.9.210; this is why we need DNS. But computers want to be able to connect to IP addresses, so there needs to be some kind of translation step.

In most networks, this translation is done with a protocol called Domain Name System (DNS). Herein lies the importance of DNS, DNS receives questions like “What is the IPv4 address of tailscale.com?” and responds with answers like 37.16.9.210. Over time, this has become one of the most important protocols of the internet and helps the internet to scale, but most people outside the networking world have little or no understanding of it. DNS was designed to have the same questions result in the same answers everywhere in the world, which allows users to never have to think about IP addresses. Without this critical invention, the modern internet would not be possible.

When you set up a split DNS (also known as “split horizon” or “split-brain”) configuration, you create a DNS server that answers with a set of records that aren’t used on the public internet. Then you need to configure your computer to “split up” its queries between different servers. This allows you to send queries for every domain ending in .internal.example.com to an internal DNS server so that you can privately expose services without the DNS names being visible to the public internet.

This has been used to provide security through obscurity because it allows you to hide the names of internal network resources from external clients. This also helps prevent DNS cache poisoning attacks that could let an attacker access cookies or other secrets for internal services.

This is typically configured by using the native DNS configuration interface for every client operating system you use. This setup is fraught with opportunities for error and is typically very easy to mess up, which can have unexpected effects across your network. Some client operating systems such as FreeBSD do not have native split DNS configuration support, so you will need to have a backup DNS server that does that split DNS querying for you. It is a huge mess.

Where can I use split DNS?

You can use split DNS to namespace internal services in such a way that attackers from the public internet can’t easily use names of internal services to attack them from outside. A private DNS server can have a separate set of DNS records to keep track of. Clients can be configured to use this DNS server for certain queries to avoid those requests going over the public internet.

Split DNS configurations have also been used in order to avoid problems related to NAT hairpinning. This happens when you have a service that is hosted behind an NAT gateway that you want to expose to the internet using a public IP address, but your NAT gateway doesn’t allow other devices on that network to connect to that service using the public IP address. To work around this, the DNS entry for that service for the public internet can be set to the public address of the NAT gateway, and another DNS server can return the internal private IP address of the service in question.

Implementing split DNS using Tailscale

Tailscale makes implementing split DNS easy. With Tailscale, each device in your network is assigned a unique IP address that does not change, regardless of where the device is located. Every machine on your tailnet can be accessed by this address, which makes it easy to connect to FTP servers, internal services, and any of the other things you can do with computer networks.

However, these IP addresses aren’t as easy for humans to remember as names are. Tailscale solves this by allowing you to use each machine’s hostname to connect to it using MagicDNS. This allows you to address a machine as either www or its full legal www.example.com.beta.tailscale.net. This feature uses a split DNS configuration for your tailnet’s addresses so that the DNS names only work within your tailnet. Every machine on your tailnet is its own DNS server, which also allows DNS to be extremely reliable when using Tailscale.

To implement split DNS using Tailscale:

• Log in to your Tailscale account, then navigate to the DNS page on the admin console. This is where you can configure the split DNS setting for your network.
• On the DNS page, assign a name to your server using the Add Nameserver drop-down menu. From this drop-down, select the Custom option, then input the IPv4 or IPv6 address of the internal DNS server that is to be used to resolve internal queries.
• Finally, toggle the Restrict search domain button, fill the subsequent field with the desired web address name, and save the changes.

Benefits of using split DNS

There are many benefits to using a split DNS system. At a high level, you can think about it as your own private namespace for networked devices. Here are a few places where a split DNS configuration is a good idea.

Remote staff can access internal resources

With the recent expansion of remote work, one of the growing challenges organizations face is data security and privacy management. Split DNS adds a layer of obscurity to your organization’s network by making it difficult for external users to access internal services.

When you have both remote and local users in a network, you can configure internal-only DNS names for internal resources, services, servers, and applications. This lets you control your own DNS records so that you can have internal-facing applications be exposed only from inside your corporate network. These internal resources could be internal services that handle job postings, surveillance systems that aren’t exposed to the public internet, or anything that you can imagine using privately. It could even be an internal Minecraft server.

Improved network latency

A split DNS configuration allows DNS queries to be directed to the right server for the job. When setting up DNS servers, you are creating single points of failure that are very difficult to debug. A split DNS configuration for internal services means that your employees’ queries for Facebook, YouTube, or GitHub don’t result in additional load to your internal DNS server. This means your internal DNS server can go down and nothing else will be affected.

This also improves the experience for your employees in other offices or working remotely. They won’t need to deal with the latency to that internal DNS server every time they connect to a website on the internet; they will only need to deal with the latency when they connect to internal services. That added latency is what gives corporate VPNs their reputation for making internet connections slow.

Improved obscurity

Using a split DNS configuration lets you obscure the DNS responses for any domains you split off from public DNS. You can use this to separate out requests for internal-facing services to internal IP addresses, which lets you more easily separate internal requests from external ones.

Conclusion

A split DNS configuration is one way to help make sure that your internal services are secure. You can direct split DNS traffic to another server using a secure tunnel like Tailscale. This can be implemented with Tailscale or at the OS level directly. Tailscale allows you to set up split DNS configurations across all your devices and gives you an encrypted network tunnel, too.