Netgate Discussion Forum
    Split DNS with Jabber and internal DNS

Posted by URUSU

• We have configured a pfSense as a DNS forwarder. pfSense has the address 192.168.0.1.

• We have an internal domain controller with the address 192.168.0.10.

• We are using Jabber from our internal network and from the outside.

• The Jabber server has internal IP 172.24.5.2 and external IP XXX.XXX.XXX.XXX. Its DNS name is jabber.example.net.

• The DNS forwarder overrides the DNS name jabber.example.net to the internal address 172.24.5.2.

• Our domain controller is also the DHCP and DNS server and uses pfSense as a forwarder.

When we do a Jabber lookup first and then a regular lookup, the DNS cache on the domain controller becomes polluted with the external address:

(CLEAR CACHE / flush DNS on 192.168.0.10)
dig @192.168.0.10 _xmpp-client._tcp.example.net SRV
dig @192.168.0.10 jabber.example.net
The DNS on 192.168.0.10 now replies with the external address.

(CLEAR CACHE / flush DNS on 192.168.0.10)
dig @192.168.0.10 jabber.example.net
dig @192.168.0.10 _xmpp-client._tcp.example.net SRV
The DNS on 192.168.0.10 now replies with the internal address.

      Logs are included below.

It looks like the DNS forwarder in pfSense doesn't override the name in the "ADDITIONAL SECTION", whereas the domain controller does.
As a workaround I'm overriding DNS names on the domain controller; this seems to work, but the internal DNS names are then not available on
my DMZ networks, which use the DNS forwarder on pfSense. Of course I could point pfSense to the DNS on 192.168.0.10 (bad idea …).

      Thanks for your help.

      CLEAR CACHE / FLUSH DNS on Domain controller (192.168.0.10)
      dig @192.168.0.10 _xmpp-client._tcp.example.net SRV

      ; <<>> DiG 9.7.0-P1 <<>> @192.168.0.10 _xmpp-client._tcp.example.net SRV
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25989
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

      ;; QUESTION SECTION:
      ;_xmpp-client._tcp.example.net. IN SRV

      ;; ANSWER SECTION:
      _xmpp-client._tcp.example.net. 3600 IN SRV 0 0 5222 jabber.example.net.

      ;; AUTHORITY SECTION:
      example.net. 3600 IN NS ns2.isp.net.
      example.net. 3600 IN NS ns1.isp.net.

      ;; ADDITIONAL SECTION:
      jabber.example.net. 3600 IN A XXX.XXX.XXX.XXX
      ns1.isp.net. 21600 IN A DDD.DDD.DDD.DDD
      ns2.isp.net. 21600 IN A EEE.EEE.EEE.EEE

      ;; Query time: 35 msec
      ;; SERVER: 192.168.0.10#53(192.168.0.10)
      ;; WHEN: Wed Oct 27 11:52:05 2010
      ;; MSG SIZE  rcvd: 172

      dig @192.168.0.10 jabber.example.net

      ; <<>> DiG 9.7.0-P1 <<>> @192.168.0.10 jabber.example.net
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34134
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;jabber.example.net. IN A

      ;; ANSWER SECTION:
      jabber.example.net. 3598 IN A XXX.XXX.XXX.XXX

      ;; Query time: 0 msec
      ;; SERVER: 192.168.0.10#53(192.168.0.10)
      ;; WHEN: Wed Oct 27 11:52:07 2010
      ;; MSG SIZE  rcvd: 47

      dig @192.168.0.10 _xmpp-client._tcp.example.net SRV

      ; <<>> DiG 9.7.0-P1 <<>> @192.168.0.10 _xmpp-client._tcp.example.net SRV
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44398
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

      ;; QUESTION SECTION:
      ;_xmpp-client._tcp.example.net. IN SRV

      ;; ANSWER SECTION:
      _xmpp-client._tcp.example.net. 3595 IN SRV 0 0 5222 jabber.example.net.

      ;; ADDITIONAL SECTION:
      jabber.example.net. 3595 IN A XXX.XXX.XXX.XXX

      ;; Query time: 0 msec
      ;; SERVER: 192.168.0.10#53(192.168.0.10)
      ;; WHEN: Wed Oct 27 11:52:10 2010
      ;; MSG SIZE  rcvd: 93

      CLEAR CACHE / FLUSH DNS on Domain controller (192.168.0.10)

      dig @192.168.0.10 jabber.example.net

      ; <<>> DiG 9.7.0-P1 <<>> @192.168.0.10 jabber.example.net
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57530
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;jabber.example.net. IN A

      ;; ANSWER SECTION:
      jabber.example.net. 0 IN A 172.24.5.2

      ;; Query time: 0 msec
      ;; SERVER: 192.168.0.10#53(192.168.0.10)
      ;; WHEN: Wed Oct 27 11:51:29 2010
      ;; MSG SIZE  rcvd: 47

      dig @192.168.0.10 _xmpp-client._tcp.example.net SRV

      ; <<>> DiG 9.7.0-P1 <<>> @192.168.0.10 _xmpp-client._tcp.example.net SRV
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22022
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

      ;; QUESTION SECTION:
      ;_xmpp-client._tcp.example.net. IN SRV

      ;; ANSWER SECTION:
      _xmpp-client._tcp.example.net. 3600 IN SRV 0 0 5222 jabber.example.net.

      ;; AUTHORITY SECTION:
      example.net. 3600 IN NS ns1.isp.net.
      example.net. 3600 IN NS ns2.isp.net.

      ;; ADDITIONAL SECTION:
      jabber.example.net. 3600 IN A XXX.XXX.XXX.XXX
      ns1.isp.net. 21600 IN A DDD.DDD.DDD.DDD
      ns2.isp.net. 21600 IN A EEE.EEE.EEE.EEE

      ;; Query time: 41 msec
      ;; SERVER: 192.168.0.10#53(192.168.0.10)
      ;; WHEN: Wed Oct 27 11:51:31 2010
      ;; MSG SIZE  rcvd: 172

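The ordering-dependent cache pollution described in the post, reproduced as a toy model so the two defender-side fixes can be compared. This is an added example, not pfSense, dnsmasq or Windows DNS code. It assumes a forwarder that applies host overrides to the answer section only (the behaviour the post observes) and a downstream cache that stores additional-section A records unless it already holds an entry for that name. The external address 203.0.113.10 and the ISP name-server addresses 192.0.2.1/2 are constructed stand-ins for the XXX/DDD/EEE placeholders in the dig output; 172.24.5.2 is the internal address from the post.

```python
"""Toy model of cache pollution via the ADDITIONAL section of an SRV answer.

Added example, not pfSense or Windows DNS code. Constructed values: 203.0.113.10
stands in for XXX.XXX.XXX.XXX, 192.0.2.1/2 for the ISP name servers.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    ttl: int
    rdata: str


@dataclass
class Response:
    question: tuple[str, str]
    answer: list[RR]
    authority: list[RR] = field(default_factory=list)
    additional: list[RR] = field(default_factory=list)


SRV_Q = ("_xmpp-client._tcp.example.net.", "SRV")
A_Q = ("jabber.example.net.", "A")
EXTERNAL = "203.0.113.10"  # constructed stand-in for XXX.XXX.XXX.XXX
INTERNAL = "172.24.5.2"    # internal address from the post

# Host override configured on the forwarder, as in the post.
OVERRIDES = {"jabber.example.net.": INTERNAL}

# Constructed upstream answers, shaped like the dig output in the post.
UPSTREAM = {
    SRV_Q: Response(
        SRV_Q,
        answer=[RR(SRV_Q[0], "SRV", 3600, "0 0 5222 jabber.example.net.")],
        authority=[RR("example.net.", "NS", 3600, "ns1.isp.net."),
                   RR("example.net.", "NS", 3600, "ns2.isp.net.")],
        additional=[RR("jabber.example.net.", "A", 3600, EXTERNAL),  # glue that pollutes
                    RR("ns1.isp.net.", "A", 21600, "192.0.2.1"),
                    RR("ns2.isp.net.", "A", 21600, "192.0.2.2")]),
    A_Q: Response(A_Q, answer=[RR("jabber.example.net.", "A", 3600, EXTERNAL)]),
}


def forwarder(question: tuple[str, str], rewrite_additional: bool) -> Response:
    """Model of the forwarder. Overrides always apply to a direct A query;
    rewrite_additional=True also applies them to additional-section A records,
    which is the step the post observes to be missing."""
    name, rtype = question
    if rtype == "A" and name in OVERRIDES:
        return Response(question, answer=[RR(name, "A", 0, OVERRIDES[name])])
    resp = UPSTREAM[question]
    if not rewrite_additional:
        return resp
    fixed = [RR(r.name, r.rtype, 0, OVERRIDES[r.name])
             if r.rtype == "A" and r.name in OVERRIDES else r
             for r in resp.additional]
    return Response(resp.question, resp.answer, resp.authority, fixed)


class CachingResolver:
    """Model of the domain controller's cache. cache_additional=True mirrors the
    observed behaviour: glue is cached but never overwrites an existing entry."""

    def __init__(self, upstream: Callable[[tuple[str, str]], Response],
                 cache_additional: bool = True) -> None:
        self.upstream = upstream
        self.cache_additional = cache_additional
        self.entries: dict[tuple[str, str], list[RR]] = {}

    def resolve(self, question: tuple[str, str]) -> list[RR]:
        if question in self.entries:
            return self.entries[question]
        resp = self.upstream(question)
        self.entries[question] = resp.answer
        if self.cache_additional:
            for r in resp.additional:
                self.entries.setdefault((r.name, r.rtype), [r])
        return resp.answer


def jabber_address_after(order, rewrite_additional=False, cache_additional=True) -> str:
    """Run the given lookups against a fresh cache, then return the A record the
    domain controller hands out for jabber.example.net."""
    dc = CachingResolver(lambda q: forwarder(q, rewrite_additional), cache_additional)
    for q in order:
        dc.resolve(q)
    return dc.resolve(A_Q)[0].rdata


if __name__ == "__main__":
    print("SRV then A, no fix:          ", jabber_address_after([SRV_Q, A_Q]))
    print("A then SRV, no fix:          ", jabber_address_after([A_Q, SRV_Q]))
    print("SRV then A, forwarder rewrites glue:", jabber_address_after([SRV_Q, A_Q], rewrite_additional=True))
    print("SRV then A, DC ignores glue: ", jabber_address_after([SRV_Q, A_Q], cache_additional=False))
```

The first two runs reproduce the post: the SRV answer arrives first and its additional-section A record is cached before the override ever gets a chance to apply, whereas an A lookup first seeds the cache with the internal address and the later glue does not displace it. The last two runs show the two places the problem can be closed: the forwarder rewrites overridden names in every section it returns, or the downstream cache treats additional-section data from a forwarder as untrusted and does not cache it (real resolvers already rank additional-section data below answer data, per RFC 2181 section 5.4.1, which is why an existing entry is not overwritten).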