1
00:00:00,000 --> 00:00:17,320
Hey everyone, and welcome back. So now what I want to talk to you about is the concept

2
00:00:17,320 --> 00:00:25,039
of something known as split DNS. So what exactly is split DNS, and why would we use it? So imagine

3
00:00:25,439 --> 00:00:31,480
an internal network, and we also have an external network. So what do I mean when I say this?

4
00:00:31,480 --> 00:00:37,799
Imagine that we have maybe a web server that is used for public consumption. You know, the way

5
00:00:37,799 --> 00:00:44,640
you can go to CBTNuggets.com as a user of CBTNuggets, and from the comfort of your house you can

6
00:00:44,640 --> 00:00:50,079
access CBTNuggets' servers. This is ultimately external access. You know, you're not actually a

7
00:00:50,079 --> 00:00:56,879
part of CBTNuggets' local network. You're accessing your services over the internet. Now, when you

8
00:00:56,879 --> 00:01:03,079
happen to access our servers, you go into your web browser and you type in, you know, CBTNuggets.com

9
00:01:03,079 --> 00:01:10,680
and, as we've discussed, DNS is going to resolve this hostname, return to you an IP address, and your

10
00:01:10,680 --> 00:01:17,319
browser can make that connection to our services. Again, the key point here is that this is external.

11
00:01:18,119 --> 00:01:24,439
So whether it is CBTNuggets or it is another company, let's maybe just say Google, for example.

12
00:01:24,439 --> 00:01:30,759
We want to be able to have that clear delineation and separation of the external network from the

13
00:01:30,759 --> 00:01:37,799
internal network. So, like I say, users can access public services, but what if, and again I'm just

14
00:01:37,799 --> 00:01:43,799
guessing here, but what if Google had a human resources department, and I'm sure they actually

15
00:01:43,799 --> 00:01:48,840
do have a human resources department, they are a very large corporation after all, that dealt with

16
00:01:48,840 --> 00:01:56,039
issues related to their internal employees? Really, there is no need for these types of services

17
00:01:56,039 --> 00:02:02,280
to be exposed to the public. So, when someone who is within the company perhaps wants to go to

18
00:02:02,280 --> 00:02:09,960
hr.google.com, they would actually like this domain to be resolved, and resolve to, you know, like a

19
00:02:10,040 --> 00:02:17,879
private IP address within the company network. So 192.168, maybe 50.1, say for example. Whereas

20
00:02:17,879 --> 00:02:24,360
someone who is outwith the local network, i.e. a regular user like you or I, they would not

21
00:02:24,360 --> 00:02:31,640
have any use or any business, quite frankly, accessing this domain. So clearly here we have

22
00:02:31,640 --> 00:02:38,200
two different purposes with respect to DNS, and this is really what split DNS is all about. So one

23
00:02:38,199 --> 00:02:45,000
of the ways we can actually separate this is by having two different DNS servers. So one DNS server

24
00:02:45,000 --> 00:02:51,719
is going to handle internal requests, and the other one is going to handle external requests. So that

25
00:02:51,719 --> 00:02:58,439
means if someone who is within the network makes a request to, say for example, google.com, they can

26
00:02:58,439 --> 00:03:05,639
actually query the local DNS server and get a completely different result from someone who

27
00:03:05,639 --> 00:03:12,839
would access this information via the external DNS server. So really, all you do is, within your

28
00:03:12,839 --> 00:03:18,599
internal server, you would just create another zone file for that particular domain, say for example

29
00:03:18,599 --> 00:03:26,839
google.com. So that would mean that local users are going to query the internal DNS server to get

30
00:03:26,839 --> 00:03:32,759
the internal DNS results relating to, say for example, private IP address information and

31
00:03:32,759 --> 00:03:38,679
domain name information. However, those users will still have a need to access and consume

32
00:03:38,679 --> 00:03:45,560
public internet services; let's maybe say they want to go to wikipedia.org to do some research, for

33
00:03:45,560 --> 00:03:51,319
example. Well, our private DNS server is not necessarily going to be configured to have this

34
00:03:51,319 --> 00:03:57,079
information, so what is ultimately going to happen is, for information that the private DNS server does

35
00:03:57,080 --> 00:04:04,360
not have, it can then forward that request to the external server, and then the external server,

36
00:04:04,360 --> 00:04:09,800
just like it ordinarily would, would go through the process of resolving that information. So think

37
00:04:09,800 --> 00:04:17,240
about it: we have an internal user right here who has access to an internal DNS server, so if this

38
00:04:17,240 --> 00:04:23,480
user accessed internal resources within their company, they would get this private information

39
00:04:23,480 --> 00:04:28,840
returned back to them. However, if they try to access the regular public internet and this

40
00:04:28,840 --> 00:04:34,120
DNS server does not have that information, that DNS server is just simply going to forward that

41
00:04:34,120 --> 00:04:40,439
information to the external DNS server, which is also configured, and this one can then handle that

42
00:04:40,439 --> 00:04:48,520
request, meaning that this user can get both private internal DNS information as well as also resolve

43
00:04:48,519 --> 00:04:55,159
generic information over the public internet. So this is a really good way to separate and secure

44
00:04:55,799 --> 00:05:01,479
your private internal DNS servers, because the alternative would be that you place these

45
00:05:01,479 --> 00:05:08,519
records all in the same external public DNS server that everyone else could be using. Now, the problem

46
00:05:08,519 --> 00:05:13,879
with this is that you're leaking private data: things like your private IP addressing and your

47
00:05:13,959 --> 00:05:19,159
private domain names that you don't want to be accessible to the public. So really, at its core,

48
00:05:19,159 --> 00:05:24,920
split DNS is really all about that: it's about separating this out and giving those users

49
00:05:24,920 --> 00:05:31,959
the ability to access this information in a private way and without compromising their ability to

50
00:05:31,959 --> 00:05:37,240
utilize and consume regular public services that you would ordinarily use on the internet, say for

51
00:05:37,240 --> 00:05:42,680
example. So really, for the purposes of the LPIC-2 examination, this is really the concept we want

52
00:05:42,680 --> 00:05:49,079
to understand: why would we have a split DNS configuration? We want that nice separation of

53
00:05:49,079 --> 00:05:55,480
our private services from our public services, and we want to understand some basic core components,

54
00:05:55,480 --> 00:06:02,439
notably that both the internal and external DNS servers, both of these, would actually be

55
00:06:02,439 --> 00:06:08,120
configured to be master servers. Remember, we talked about that in the previous Nuggets. Also,

56
00:06:08,120 --> 00:06:14,040
like I say, we want to be remembering that, for requests that the internal DNS server

57
00:06:14,040 --> 00:06:20,759
cannot resolve, these can be forwarded to the external DNS server, and it's ultimately using

58
00:06:20,759 --> 00:06:27,000
this architecture that is going to allow you to protect your internal systems so that they are not

59
00:06:27,000 --> 00:06:33,319
accessible outside of your private internal network, and those really are the main concepts of split

60
00:06:33,319 --> 00:06:37,879
DNS that we have to understand for the purposes of the examination. So I hope this has been informative

61
00:06:37,879 --> 00:06:41,879
for you. I'd like to thank you for viewing.

