Is it a Split-Brain DNS I need?



  • My home network kicks ass thanks to pfSense, but it's growing larger every day and I think now it's time to somehow implement more DNS functionality.  I now have multiple web servers within my system, some in the LAN and some in the DMZ, and I want to be able to access them externally.  My current setup using NAT + firewall rules works great for any external request, but I only get 1 option for each port.  Port 80, go here; 8080, go here.  What I want is for port 80 to go to different web servers depending on the subdomain specified, like web.bunkerhollow.com vs media.bunkerhollow.com vs mail.bunkerhollow.com.  I think what I need is a split-brain DNS, but from what I've read it seems a little complicated and I was thinking maybe there is an easier way.

    My setup consists of 4 interfaces: WAN, LAN, DMZ and WIFI.  I'm using PPTP VPN with Windows RADIUS authentication.  My domain controller and DNS server are in the LAN.  My web server and email server are in the DMZ.  But I've added a VoIP Asterisk box in the LAN and I'd like to expose the website for accessing voicemail externally.  I bought my domain name from GoDaddy, and in their 'Total DNS Control' I've hardcoded my IP address (which thankfully never changes) to forward everything to my network at home.

    I currently have an internal DNS (Windows 2003) machine in my LAN which resolves everything wonderfully except for internal web requests, which reminded me I have another question.  My website is a Community Server site, and internally I have to access it using an alias (http://bh/); browsing to http://bunkerhollow.com internally never works.  It's not a huge deal; it just becomes a pain when I upload pictures, because then I have to edit the HTML of the blog post manually to change all references of http://bh/blog/pictures… to http://bunkerhollow.com/blog/pictures/.  I'm hoping someone knows an easy way to fix this too.



  • Well, unless you have multiple IPs, split DNS will not solve the problem of having to forward different ports to separate web servers. You can either run the websites all off one machine with virtual hosting or you'll need to implement a reverse proxy.

    Split DNS will address not being able to use your external host name internally. Actually you could enable NAT reflection in pfSense, but that puts more load on the pfSense box.

    If you don't host your own external DNS and only your internal clients use your Windows 2003 DNS servers, just create zone files for each domain pointing it to your web server's internal IP. Otherwise, if your Windows 2003 DNS server serves external clients, you'll need to define views based on the IP requesting the DNS lookup. That way internal clients receive the internal server IP and vice versa.



  • I only have 1 IP address, so I guess we can scratch split-brain off the list.  Can you elaborate a little on virtual hosting or a reverse proxy?  Is either integrated in pfSense?  My web server is already actually a virtual machine; that's not what you mean by virtual hosting, is it?

    With the zone files, I just have a single domain with three subnets: LAN=xxx.xxx.1.xxx, DMZ=xxx.xxx.2.xxx and WIFI=xxx.xxx.3.xxx, so I don't know if the zone files would apply?  The subdomains I can set through GoDaddy, where I can have up to 99 subdomains (whatever.bunkerhollow.com) link to any URL I want.  If all my websites were on the same machine this would work; I would just link the subdomains to different virtual directories.  Unfortunately, my websites are on different machines and I can't combine them.

    As far as putting additional load on my pfSense box, that's not a problem.  It's a 2 GHz P4 with a gig of RAM.  I'm just looking for the easiest solution.



  • The virtual hosting has nothing to do with pfSense. I know IIS and Apache allow you to host multiple websites with one IP by using the hostname to identify them. If you could put all the sites on one box this would work. However, you said you can't do that.

    A reverse proxy sits in front of the web servers. I know Apache supports this. You would set all your website domains to point to its IP. Then you would configure Apache virtual hosts and the reverse proxy parameters. It would serve as the middleman between the clients and the web servers. The downside is the reverse proxy configuration can be a pain to get right when using dynamic applications.

    When I said zone files I meant DNS zones, not DHCP. It looks like the DNS for your domains is hosted in GoDaddy's DNS control panel. That's how I do mine as well. I run an internal DNS server with the exact same DNS configuration as the GoDaddy DNS setup, except the IPs are the internal IPs.

    Externally nothing changes. Internally yourdomain.com will resolve to the server's private IP.
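    As an added illustration of the reverse-proxy layout described in this reply (example configuration, not from this thread or from pfSense), here is an Apache 2.4 box in the DMZ that receives everything pfSense forwards on port 80 and routes each request by its Host header to the right internal server. The three hostnames are the ones from the original question; the backend addresses 192.168.2.10, 192.168.2.20 and 192.168.1.30 are assumed placeholders.

```apache
# Assumed: Apache 2.4 with mod_proxy and mod_proxy_http loaded, and a single
# pfSense port forward WAN:80 -> this host:80. Backend IPs are placeholders.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy only. Leaving this On would turn the box into an open
# forward proxy that anyone on the Internet could relay through.
ProxyRequests Off

# First vhost is the default. Requests whose Host header matches no site
# below land here and get a 404 instead of silently reaching the first
# real site (useful when probing by raw IP instead of by name).
<VirtualHost *:80>
    ServerName default.invalid
    Redirect 404 /
</VirtualHost>

<VirtualHost *:80>
    ServerName web.bunkerhollow.com
    ProxyPreserveHost On            # backend sees the public hostname, not the IP
    ProxyPass        / http://192.168.2.10/
    ProxyPassReverse / http://192.168.2.10/    # rewrite Location headers on the way back
</VirtualHost>

<VirtualHost *:80>
    ServerName media.bunkerhollow.com
    ProxyPreserveHost On
    ProxyPass        / http://192.168.2.20/
    ProxyPassReverse / http://192.168.2.20/
</VirtualHost>

<VirtualHost *:80>
    ServerName mail.bunkerhollow.com
    ProxyPreserveHost On
    # LAN host (e.g. the Asterisk voicemail page); the firewall rule from the
    # DMZ to this one address and port still has to allow it.
    ProxyPass        / http://192.168.1.30/
    ProxyPassReverse / http://192.168.1.30/
</VirtualHost>
```

    Each backend still only ever sees one client IP (the proxy's), so if the backends log or rate-limit by source address, pass the original client on with mod_headers or use a logging format on the proxy itself.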



  • Ahhh, bummer.  I guess there's no good way to accomplish this.  I'll just VPN in and access it that way.  Thanks for the replies.



  • Hello.  I'm fresh off years of IPCop and before that Smoothwall.  pfSense looks like a great product; there seem to be so many officially supported options in the GUI that were not available in IPCop's GUI.

    But in reference to this thread:

    I host ISPConfig, mostly just one site and some testing on others.  ISPConfig directs browsers to the proper virtual site by DNS (I guess ;) ).  Anyway, I couldn't reach my sites from my LAN either, so the simple trick for me was to go to:

    pfSense:80 > System > Advanced > Disable NAT Reflection.
    Test, and now I can reach my virtual sites from my LAN.

    I'm not sure what disabling NAT Reflection really entails, if it is a horrible security risk or just makes port forwarding/NAT more work. ??
    Cheers



  • I knew someone out there must have fixed this problem at some point!  Thanks for the reply.  Hopefully someone else can comment on the consequences of disabling NAT Reflection, because I also don't know much about it.  If I don't hear anything more about it, when I get some free time I'll just disable it and then see what breaks.



  • @Tai:

    I'm not sure what disabling NAT Reflection really entails, if it is a horrible security risk or just makes port forwarding/NAT more work. ??
    Cheers

    It's not a security risk; it just puts more load on the pfSense box. The domain name you use to access your virtual sites internally looks up to a public IP. Thus the request goes out to the pfSense box. Enabling NAT reflection allows the pfSense box to redirect the request back into the internal network to the correct host.

    If you had split DNS, when inside your network the domain name would look up to the internal IP of the server. This would avoid the unnecessary loop to the pfSense box, as the request would go directly to the server. When outside your network the domain name would look up to your public IP.
