BIND DNS - how to forward queries based on source IP?



  • Hi there,
    I have BIND DNS set up with a zone for my internal domain. This zone contains a number of A records all pointing to HAProxy, which in turn sends queries to the relevant backends for various internal services.

    I would like the default action to be for BIND to resolve that zone, and for any other queries for external domains to be recursed to the ROOT/TLD servers and not use an additional external cache/resolver DNS when queries come from LAN clients.

    That all works fine, but what I would like to set up is for certain source IPs on the LAN to resolve my internal hosted zone as per the above, but then have any other external DNS queries sent to a nominated external resolver.

    e.g. Internal zone: *.internal.com

    LAN IPs: 192.168.1.2 - 192.168.1.50: all queries resolved by BIND, or sent to the TLD/ROOT servers if they are external.

    LAN IPs: 192.168.1.51 - 192.168.1.100: all queries resolved by BIND, or sent to 1.1.1.1.

    Both sets of IPs need to be able to resolve the internal.com domain.

    I am pretty sure I'd need to set up an ACL for one of the subsets? Any other pointers on how this can be done?


  • LAYER 8

    I think with an acl, something like this .. maybe, never done it like this, I usually put stuff on a different network

    acl siteA {
        192.168.1.2/32;
        192.168.1.3/32;
         .......
    };
    
    acl siteB {
        192.168.1.51/32;
        192.168.1.52/32;
       .........
    };
    

    and

    view "siteA" {
        match-clients {
            siteA;
        };
        ...other options ...
    };
    
    view "siteB" {
        match-clients {
            siteB;
        };
        ...other options...
        forwarders {
          1.1.1.1
        };
    };
    


  • Ahh, yep, OK that makes sense.

    Dumb question, how/where do I add these options? I tried pasting the:

    forwarders {
    1.1.1.1 };

    in the view "Custom Options" box in the GUI, but BIND wouldn't load and logs said fatal error.

    Is there a different format for using the custom options, or do I need to SSH to the pfSense box and edit them there manually to do this?

    Not much in the way of documentation for the BIND package it seems.


  • LAYER 8

    I forgot a ";" after 1.1.1.1

    forwarders {1.1.1.1;};
    

  • LAYER 8 Global Moderator

    You understand that anything that gets forwarded will be cached, and any other client would be able to resolve it.

    Let's say for example you don't want client A to resolve google.com
    But you want client B to be able to resolve google.com

    If B resolves google.com, it's now cached and A would be able to resolve it.

    The cache is common to all clients; you cannot really do selective forwarding with a caching NS and not have unwanted consequences because of the shared cache.

    The best course of action if you want clients to get different stuff like this, is to use 2 different NS so you have different caches for your groups of clients.

    Views are really designed to provide different "views" of the local resources. So you could say resolve X to Y for client A, and resolve X to Z for client B.. Where Y and Z are both local resources.



  • Hi John,
    Interesting. Although, reading here: https://kb.isc.org/docs/aa-00851 it says that views have separate caches by default, unless they are explicitly shared. Is this not the case in pfSense?

    I've now set up an ACL with the IPs I want to forward, and I've also set up a separate view that has the custom option of: forwarders { 1.1.1.1; }; (the second colon is tricky!)

    Doing a DNS leak test now definitely shows that IPs on the new ACL are indeed using 1.1.1.1,

    whereas the other original IPs on the initial view continue to use the BIND DNS to recurse to the TLD/ROOT servers, and the DNS leak test thereby shows my external IP address as the DNS server.

    Both views are added to my internal zone, and can resolve those internal addresses.

    This is basically what I was trying to achieve, and it seems to be working now.
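Putting the two posts together, here is an added, stand-alone named.conf sketch (not taken from the thread or from the pfSense BIND package; the file paths, the listen address and the enumerated client addresses are assumptions) showing both views serving the same internal zone while only the second view forwards to 1.1.1.1:

```conf
// Added example, not from the thread. BIND ACLs take address prefixes, not
// ranges, so 192.168.1.2-50 and .51-100 must be listed as /32s or split into
// the CIDR blocks that cover them; only two hosts per group are shown here.
acl "lan-recurse" { 192.168.1.2/32; 192.168.1.3/32; };
acl "lan-forward" { 192.168.1.51/32; 192.168.1.52/32; };

options {
    directory "/var/named";          // assumed path
    listen-on { 192.168.1.1; };      // assumed LAN address of the BIND host
    allow-query { localnets; };
};

// Once any view is defined, every zone must live inside a view, so the
// internal zone is declared in both views, pointing at the same file.

// View A: internal zone served locally, everything else recursed from the roots.
view "siteA" {
    match-clients { lan-recurse; };
    recursion yes;
    zone "internal.com" {
        type master;
        file "internal.com.zone";    // assumed path
    };
};

// View B: same internal zone, but all other queries are forwarded to 1.1.1.1.
// Each view keeps its own cache unless "attach-cache" is set, so answers
// forwarded for view B are not served from cache to view A clients.
view "siteB" {
    match-clients { lan-forward; };
    recursion yes;
    forwarders { 1.1.1.1; };         // trailing ';' is required, as noted above
    forward only;                    // never fall back to root recursion in this view
    zone "internal.com" {
        type master;
        file "internal.com.zone";
    };
};
```

Run `named-checkconf` on the result before loading it; a client matched by neither ACL gets no view and is refused, so add a catch-all view with `match-clients { any; };` last if that is not the intent.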


  • LAYER 8 Global Moderator

    Unbound the cache is shared... But if your cache is actually different in bind.. Then you should be fine. I would suggest you thoroughly test this to make sure..

    Good info you linked to - thanks..

