One of the findings we commonly have when running our External Discovery service is that DNS administrators have accidentally or unwittingly exposed internal services to external audiences. Often, to make life easier for IT staff or other teams, administrators will set up DNS records to point at internal resources.
Examples we’ve discovered include links to stage and dev systems, HVAC control interfaces, digital video cameras and even private IP space in public DNS records.
The problem with this is you’ve exposed unnecessary information to attackers – they can pivot off of these DNS entries into targeted service discovery, credential stuffing attacks and more. The intention of making it easier for employees has in fact made it easier for attackers as well.
This is where split horizon DNS comes to play. Effectively, what split horizon DNS allows you to do is to serve up one set of DNS records to internal audiences, and a second set of DNS records to those outside your organization. This allows you to minimize the services you’re advertising to those which are truly intended to be accessed by third parties, making the process of discovery and vulnerability mapping harder and reducing your risk.
Helpful links/articles covering split horizon DNS (also often referred to as split brain, split view or just split DNS):
https://en.wikipedia.org/wiki/Split-horizon_DNS
https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment
https://www.slashroot.in/how-to-configure-split-horizon-dns-in-bind
https://felixhanley.info/articles/split-horizon-with-tinydns/
Interested in understanding your external exposure? Consider signing up for our External Discovery service today.
