Netgate Discussion Forum

    DNS split & override - possible?

    DHCP and DNS
    19 Posts 5 Posters 4.8k Views
    • KOM

      I don't believe it's possible to do what you want, or at least I certainly don't know how to do it.  Considering how LAN and DMZ are both internal networks, I'm curious as to why you can't resolve a domain to the same IP address for both?  What is the scenario you're cooking up?

      • marama

        well, we have a server on the inside network (serving desktop workstations), but we don't want the mobile devices (and other) be in the inside network but in the DMZ. The server is exposed through a reverse proxy to DMZ.

        So for DMZ clients I would need to provide a 2.2.2.2 IP (reverse proxy) and the inside ones should use 1.1.1.1 IP (server itself).

        I got that working with bind, but bind can't seem to handle transparent DNS zones (or whatever it's called, the overriding of a few domain hosts).

        • KOM

          I got that working with bind

          How?  Or do you mean you have the standard DNS Resolver bound to LAN and a Bind instance bound to DMZ, each serving a different address for the same host?

          • doktornotor

            @KOM:

            I got that working with bind

            How?

            See the "'split' DNS using views" example @ http://www.zytrax.com/books/dns/ch7/view.html

            @OP: Run the forwarder on a different port, and use forward only zone in bind to point it to the forwarder for those cases where you need the "transparent" overrides?

            • Derelict (Netgate)

              I got that working with bind, but bind can't seem to handle transparent DNS zones (or whatever it's called, the overriding of a few domain hosts).

              If you have a zone that you want to appear the same except for a few records, I think you are on the right track.  You might need to get a little creative using views pointing to two different zone files that have the different records in them but both include the same file that contains the records that you want to be the same in both views.  Bind will pretty much do anything.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • marama

                @doktornotor:

                @OP: Run the forwarder on a different port, and use forward only zone in bind to point it to the forwarder for those cases where you need the "transparent" overrides?

                Hi Doktornotor!

                I'm using pfSense 2.2, should I use "DNS resolver" or "DNS forwarder"?
                So if I do as you recommend, I would be able to override for example www.google.com only and have ALL other google.com hosts handled by Google's authoritative DNS server?

                OK, so I've enabled DNS forwarder, port 1053, entered www.google.com = 8.8.8.8 .
                Bind: new zone, "google.com", do I enter "forward" or "redirect" in "Zone type"? Where do I put the 127.0.0.1:1053 entry? I can't get the bind to start with those settings.

                Bye

                • doktornotor

                  No idea about the bind pfSense package…

                  zone "example.com" IN {
                          type forward;
                          forwarders { 127.0.0.1 port 1053; };
                          forward only;
                  };

                  @marama:

                  OK, so I've enabled DNS forwarder, port 1053, entered www.google.com = 8.8.8.8 .

                  Huh? You put the IP address this should resolve to into the overrides. 8.8.8.8 is Google's public DNS, this most certainly will NOT work for overriding the www.google.com website.

                  • KOM

                    See the "'split' DNS using views" example

                    I had no idea about the views functionality.  Thanks for the tip.

                    • marama

                      @doktornotor:

                      No idea about the bind pfSense package…

                      zone "example.com" IN {
                              type forward;
                              forwarders { 127.0.0.1 port 1053; };
                              forward only;
                      };

                      @marama:

                      OK, so I've enabled DNS forwarder, port 1053, entered www.google.com = 8.8.8.8 .

                      Huh? You put the IP address this should resolve to into the overrides. 8.8.8.8 is Google's public DNS, this most certainly will NOT work for overriding the www.google.com website.

                      It seems to be working!!!! Thanks a lot.
                      The problem was I was setting the forwarder to "127.0.0.1:1053" instead of "127.0.0.1 port 1053".
                      "www.google.com = 8.8.8.8" was just a host override I put in DNS forwarder, just so I could test. It is working!

                      • marama

                        @marama:

                        It seems to be working!!!! Thanks a lot.
                        The problem was I was setting the forwarder to "127.0.0.1:1053" instead of "127.0.0.1 port 1053".
                        "www.google.com = 8.8.8.8" was just a host override I put in DNS forwarder, just so I could test. It is working!

                        AAAGHHH!
                        My scenario is too complicated for this after all.

                        I need to split and forward/override the same domain. So if I wanted to manipulate for example google.com so I have:

                        www.google.com inside = 1.1.1.1 (override)
                        www.google.com dmz = 2.2.2.2 (override)
                        mail.google.com normal (no override for inside and dmz)

                        that seems to be not possible because I can have only one "DNS forwarder" service and if I split in bind, I can only forward them to the same "DNS forwarder". The only alternative I see would be running another "DNS forwarder" instance on the pfSense appliance and having the split DNS forward the requests there too.
                        I've tried running "DNS resolver" and "DNS forwarder" at the same time, but that wouldn't work even if the ports are different.
                        Any point in trying to install the "dns-server" package (TinyDNS) and trying to run that on another port without breaking bind (port 53) and dns-forwarder (port 1053)?

                        EDIT: "dns-server" (TinyDNS) doesn't seem to be able to run on a port other than 53, so this will not work as I already have bind running on 53 ;(

                        • doktornotor

                          It would seriously help to describe what you are trying to do. "Splitting" www.google.com into two bogus IPs depending on subnet makes no sense at all. If you are trying to block something, perhaps just use a proxy.

                          • marama

                            @doktornotor:

                            It would seriously help to describe what you are trying to do. "Splitting" www.google.com into two bogus IPs depending on subnet makes no sense at all. If you are trying to block something, perhaps just use a proxy.

                            Spoofing www.google.com into 2 bogus IPs depending on subnet was just an example, I can explain the need for that if that might help you help me.

                            So we have a Jira server on the inside (192.168.0.0), and it has a base name "jira.domain.com". We use an nginx proxy in the DMZ subnet (10.0.0.0) to make it accessible from the outside and from the DMZ clients (such as mobile devices). We need to resolve "jira.domain.com" to 3 different IPs, depending on the client's subnet. "domain.com" has an authoritative DNS server out of our scope, we just need to override the "jira.domain.com" entry. So I took google.com as an example because we of course are not authoritative for the domain.

                            Any suggestions are welcome ;)

                            P.S. we don't want to expose Jira to the DMZ because it relies a lot on other inside servers, and mobile devices need to go in the DMZ. The nginx proxy server does the SSL termination for the outside and the DMZ. Also inside clients need to go through the DMZ in order to talk to the Jira server because of the SSL.

                            • doktornotor

                              Make a delegation for jira.domain.com on the authoritative DNS server and use the views with bind running on pfSense? (Make sure the public view does NOT have recursion enabled.)

                              http://www.zytrax.com/books/dns/ch9/delegate.html

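As an added example (not from this thread, nor the pfSense BIND package's own generated config), here is the views approach from the replies above written out as a raw named.conf with two tiny zone files. The idea is that each internal view declares only the single name jira.domain.com as a zone of its own, so every other name under domain.com still recurses to the real authoritative server; this does the "transparent override" without needing a second DNS forwarder, and it needs no delegation from the public zone because only clients that use this BIND as their resolver ever see it. Assumptions: the inside network is 192.168.0.0/24 and the DMZ is 10.0.0.0/24 (the thread gives the networks without a prefix length), the BIND directory is the FreeBSD default, and the addresses 192.168.0.1/10.0.0.1 (pfSense interfaces), 192.168.0.10 (Jira server) and 10.0.0.10 (nginx reverse proxy) are constructed placeholders.

```conf
// ---- named.conf (added example; subnets and addresses are assumptions) ----
acl "inside" { 192.168.0.0/24; };   // assumption: /24
acl "dmz"    { 10.0.0.0/24; };      // assumption: /24

options {
    directory "/usr/local/etc/namedb";  // assumption: FreeBSD/pfSense layout
    listen-on { any; };
};

// Inside clients: jira.domain.com answers with the Jira server itself.
// Only this one name is declared, so mail.domain.com etc. recurse normally.
view "inside" {
    match-clients   { inside; };
    recursion       yes;
    allow-recursion { inside; };
    zone "jira.domain.com" IN {
        type master;
        file "jira.domain.com.inside";
    };
};

// DMZ clients: jira.domain.com answers with the nginx reverse proxy.
view "dmz" {
    match-clients   { dmz; };
    recursion       yes;
    allow-recursion { dmz; };
    zone "jira.domain.com" IN {
        type master;
        file "jira.domain.com.dmz";
    };
};

// Anyone else (e.g. queries arriving on WAN): no zones and no recursion,
// so the query is refused. This is the "public view without recursion"
// doktornotor warns about, and it also avoids running an open resolver.
view "public" {
    match-clients { any; };
    recursion     no;
};

// ---- jira.domain.com.inside (zone file, constructed) ----
// $TTL 300
// $ORIGIN jira.domain.com.
// @   IN SOA ns.jira.domain.com. hostmaster.domain.com. ( 1 3600 900 604800 300 )
//     IN NS  ns.jira.domain.com.
// ns  IN A   192.168.0.1      ; pfSense inside address (assumption)
// @   IN A   192.168.0.10     ; Jira server (constructed)

// ---- jira.domain.com.dmz (zone file, constructed) ----
// $TTL 300
// $ORIGIN jira.domain.com.
// @   IN SOA ns.jira.domain.com. hostmaster.domain.com. ( 1 3600 900 604800 300 )
//     IN NS  ns.jira.domain.com.
// ns  IN A   10.0.0.1         ; pfSense DMZ address (assumption)
// @   IN A   10.0.0.10        ; nginx reverse proxy (constructed)
```

To check it, run `named-checkconf` and `named-checkzone jira.domain.com <file>` on the box, then `dig @<pfsense-ip> jira.domain.com A` from a host in each subnet and confirm the inside answer, the DMZ answer, and a REFUSED status from anywhere that matches only the public view. Two caveats: the override only holds for clients that actually use this resolver (a client with a hard-coded public resolver still gets the public record), and if domain.com is DNSSEC-signed, a client that validates on its own will reject the unsigned override, so validation has to happen on, not behind, this resolver.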
                              • marama

                                @doktornotor:

                                Make a delegation for jira.domain.com on the authoritative DNS server and use the views with bind running on pfSense? (Make sure the public view does NOT have recursion enabled.)

                                http://www.zytrax.com/books/dns/ch9/delegate.html

                                We don't really control the authoritative DNS zone. The DNS is hosted on a non-bind web mask where you put A/CNAME/SRV/TXT records (we can put single records there). So we don't really have much say on the authoritative DNS, I need to approach this on premise and have the public jira.domain.com record point at our nginx exposed public IP. That works just fine, I "just" need to handle the inside/DMZ calls.

                                But as I understand (as you suggested), having an additional pfSense run dns-forwarder, and having bind split the zone (inside/dmz) to the 2 dns-forwarders, I guess the concept would work. Too bad I need another pfSense appliance/VM for that, but that would be doable I guess. Total of 4 DNS servers for this, hehe.

                                • doktornotor

                                  I do not think messing with DNS is a sane approach for this. Move to something else.

                                  • Derelict (Netgate)

                                    We don't really control the authoritative DNS zone.

                                    Well that changes everything.


                                    • marama

                                      @Derelict:

                                      We don't really control the authoritative DNS zone.

                                      Well that changes everything.

                                      Oops, I didn't think it was necessary to point out we don't control the authoritative DNS of google.com (that was the example I've been working with from the very first post).

                                      Anyway, thanks for helping guys, I'll rethink the whole concept and maybe I come up with something more manageable. And I'm thinking of DHCP-served client-specific DNS server entries (anyone know how to set the DNS port in DHCP?)

                                      Bye

                                      • pr3dict

                                        I don't mean to bring back a topic that is 2 years old but I would like to know how this turned out and if any new enhancements have made this feasible? I am also trying to have 2 INSIDE subnets resolve 2 different IPs for the same FQDN

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.