Split horizon



  • Hi,

    I'm pretty new to pfSense.  I've got a test system up and running since last weekend.  I'm planning to migrate my network over once I work out the kinks.  I've got several web sites, and ~10 computers on my live network, and just a couple hosts on the test network.

    I've been digging through the forums trying to find out the correct way to handle a dns issue.  I've got 32 static IP addresses, and I run SSL for web sites, meaning each has to have its own IP.

    wan: 216.248.85.96/27
    lan: 192.168.80.1
    dmz: 192.168.81.1

    I'm using 1:1 NAT successfully.

    // ssh attempt from internal network, using internal IP, successful
    $ ssh root@192.168.81.100
    root@192.168.81.100's password:

    // ssh attempt from internal network, using external IP, unsuccessful
    $ ssh root@216.248.85.126
    ssh: connect to host 216.248.85.126 port 22: Connection timed out

    So, it appears that when inside the network, I should use the internal IP, and when outside the network, use the outside IP.  I'm fine with that.  DNS normally just wants to hand out one IP, however.

    http://www.guinix.com/technote/dualdns.html describes two tinydns methods for handling a split horizon: option one, multiple servers, and option two, record tagging.  Neither of them (from my reading) seems easily supported by pfsense.  I'm leaning towards option two, using the %IN or %EX tagging, but the web interface doesn't seem to support it in any way, and in fact makes it very difficult since the tagging is to come after the TTL field, and the tinydns data file is rebuilt from an xml file.

    What is the best way to handle a split horizon in the pfsense world?

    Thank you.

    Regards,
    Rich
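    Added illustration of the record-tagging method Rich describes (not code from the thread or from tinydns): a small Python interpreter for tinydns-data location lines (%lo:ipprefix) and tagged A records (+fqdn:ip:ttl:timestamp:lo), which tells you which address a given client would be handed before the data file goes live. The host name www.example.test, the client addresses and the data fragment are constructed; the server addresses mirror the post; a client's location is the %-entry whose dotted prefix matches the most leading octets, with an empty prefix acting as catch-all.

```python
# Added example: interpret tinydns-data %-location tags to predict
# which A record a client in the internal or external location sees.
import ipaddress

DATA = """\
%IN:192.168
%EX:
+www.example.test:192.168.81.100:3600::IN
+www.example.test:216.248.85.126:3600::EX
+ns1.example.test:216.248.85.97:3600::
"""  # constructed fragment; host name made up, addresses mirror the post

def _octets(dotted):
    return [o for o in dotted.split(".") if o]

def parse_data(text):
    """(locations, records): (ipprefix, lo) from '%lo:ipprefix' lines and
    (fqdn, ip, lo) from '+fqdn:ip:ttl:timestamp:lo' lines; other record
    types are ignored in this example."""
    locations, records = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] not in "%+":
            continue
        f = line[1:].split(":") + [""] * 5   # pad missing optional fields
        if line[0] == "%":
            locations.append((f[1], f[0]))
        else:
            records.append((f[0], f[1], f[4]))
    return locations, records

def client_location(client_ip, locations):
    """Longest matching dotted prefix wins, compared octet-wise (so the
    prefix 192.168.1 does not match 192.168.10.x). No match -> ''."""
    client = _octets(str(ipaddress.IPv4Address(client_ip)))
    best_len, best_lo = -1, ""
    for prefix, lo in locations:
        p = _octets(prefix)
        if client[:len(p)] == p and len(p) > best_len:
            best_len, best_lo = len(p), lo
    return best_lo

def answer(fqdn, client_ip, data=DATA):
    """Addresses for fqdn visible to client_ip: untagged records always,
    tagged ones only when the tag equals the client's location."""
    locations, records = parse_data(data)
    lo = client_location(client_ip, locations)
    return [ip for name, ip, rlo in records if name == fqdn and rlo in ("", lo)]
```

    Without a catch-all location line, a client that matches no prefix has an empty location and only sees untagged records, which is the failure mode to check for when the %EX: line is forgotten.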



  • http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
    Method 2 describes how you can do that pretty simply with the DNS forwarder on pfSense.



  • @GruensFroeschli:

    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F
    Method 2 describes how you can do that pretty simply with the DNS forwarder on pfSense.

    Thank you kindly for the documentation pointer.  I think I will attempt to use method two.  From what I can see, it should work just fine.

    Thank you.

    Regards,
    Rich



  • Hi,
    Is it possible to configure tinydns as a split horizon DNS server?
    I've tried to use tinydns (listening on 127.0.0.1) to serve external requests (authoritative server) and the internal DNS forwarder to serve internal clients, but it doesn't work.
    Thank you for your help,
    Emanuele

