DNS Deployment – Split Split Environment

I recently provided a security review for a customer that revolved around their current clustered BIND DNS deployment and how I would recommend securing it to a higher degree. My recommendations focused on the implementation of a split-split DNS design.

This creates a multi-level deployment spanning the internal network, the DMZ and the outside world. The configuration is designed for high availability and fault tolerance, the major drawback being the large amount of hardware required to implement it. It requires:

  • Two Resolver DNS servers in a DMZ
  • Two Advertiser DNS servers in a DMZ
  • Two internal DNS servers on the local area network

There are two servers of each type to provide fault tolerance and load balancing. For each type of DNS server there is a primary and a secondary, and zone transfers take place only between the primary and its secondary.
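As an added illustration (not from the original post or the customer's deployment), the following BIND named.conf fragments show how the primary/secondary roles and the zone-transfer rule above map onto configuration for the DMZ advertiser pair and the DMZ resolvers. The zone name, file paths and RFC 5737 / RFC 1918 addresses are constructed placeholders, and sending internal recursion only through the DMZ resolvers is an assumption about the design.

```conf
// Constructed example: one fragment per server role, not a single file.
// 192.0.2.10 / 192.0.2.11 are the hypothetical advertiser primary / secondary.
// 10.0.0.10 / 10.0.0.11 are the hypothetical internal LAN DNS servers.

// ---- Advertiser primary (DMZ): authoritative for the external zone only ----
acl "advertiser_secondary" { 192.0.2.11; };

options {
    directory "/var/named";
    recursion no;                  // advertisers never recurse for anyone
    allow-query { any; };          // the outside world may query the public zone
    allow-transfer { none; };      // global default: no zone transfers
};

zone "example.com" IN {
    type master;
    file "db.example.com.external";            // external records only
    allow-transfer { advertiser_secondary; };  // transfers only to our secondary
    also-notify { 192.0.2.11; };
    notify yes;
};

// ---- Advertiser secondary (DMZ): pulls the zone from the primary only ----
options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };      // the secondary hands the zone to nobody
};

zone "example.com" IN {
    type slave;
    file "slaves/db.example.com.external";
    masters { 192.0.2.10; };       // accept zone data from the primary only
    allow-notify { 192.0.2.10; };  // ignore NOTIFY from anyone else
};

// ---- Resolver pair (DMZ): recursion for the internal DNS servers only ----
acl "internal_dns" { 10.0.0.10; 10.0.0.11; };

options {
    directory "/var/named";
    recursion yes;
    allow-query { internal_dns; };      // no queries from the outside world
    allow-recursion { internal_dns; };  // not an open resolver
    allow-transfer { none; };           // resolvers are authoritative for nothing
};
```

With this split, a transfer request to either advertiser from any address other than its peer is refused, which is the check to run (for example with `dig AXFR`) from outside the DMZ after deployment.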

Figure 1: Split-Split DNS
