Split DNS with multiple internal destinations


  • Hi,

    I may be misunderstanding how the Split DNS thing is supposed to work (NAT Reflection does not work for me). I have two IP cameras in my home network. Internally, they are at my x.x.x.198 and 199 addresses and both have a destination port of 9999. To reach each of these cameras externally (from the internet), I point at my Dynamic DNS destination address and point to ports 4000 and 4001 depending on the camera.

    The only way I can reach these cameras from within my network is by connecting to a VPN first or using their internal static IPs.

    Will the Split DNS work if I am targeting two hosts internally?  Should I do some kind of port forwarding?

    Should I create a new hostname for each of the cameras, such as cam1.example.com and cam2.example.com, and configure those with the Split DNS?

    DNS reflection just doesn't work and I am trying to figure out a solution for this.


  • Is using their LAN IPs a problem?  That's all that Split DNS does, it gives you the internal IP instead of the external IP for the same host.  Running an internal DNS seems overkill just to access a pair of cameras.  If you only ever access these cameras internally from your workstation, updating your hosts file may be a much simpler solution.


  • @KOM:

    Is using their LAN IPs a problem?  That's all that Split DNS does, it gives you the internal IP instead of the external IP for the same host.  Running an internal DNS seems overkill just to access a pair of cameras.  If you only ever access these cameras internally from your workstation, updating your hosts file may be a much simpler solution.

    I like being able to wake up my phone, open the app and see that all is well at my house. I would like to be able to grab my phone after hearing a noise in the middle of the night and take a look without first having to connect to another network via VPN or edit each camera to point to internal IP and then change it back again later when I am at work.

  • LAYER 8 Global Moderator

    I think you have gotten stuck on a term you don't really understand: "split" dns.

    I would assume your internal network is using pfsense for dns?  Pfsense is quite capable of providing name resolution for you.  If you access your cameras with, say,
    host.someoutsidedyndnsdomain.tld while you're outside using public dns,

    then just set up host overrides for that in pfsense to point that fqdn to your rfc1918.199 or rfc1918.198 address - I would use cam1 and cam2 for example - then just use whatever port they use.

    Now when you're outside, host.someoutsidedyndnsdomain.tld using public dns resolves to your public IP.  I would use cam1 and cam2 on the outside as well.  Then on the inside, when you're using pfsense as your dns, cam1.someoutsidedyndnsdomain.tld and cam2 point to your private IP address.  You're going to have to set up different shortcuts for the ports because you're running different ports on the outside than the inside.  So why can you just not set up 2 different links to your cameras' private IPs in the first place?

    On a side note, it's not really good practice to make stuff like cameras open to the public net, whether you run on an oddball port or not.  A VPN into your network is the better way to access stuff like security cameras while outside your network, to be honest.


  • I have the same problem, I can't access my xxxx.no-ip from inside my network.

    But in terms of security, I have firewall rules to only allow my work IP to access my camera port forwarding, and the subnet for my 4G mobile connection; all others won't pass the firewall from outside.

  • LAYER 8 Global Moderator

    If you want to access your public IP while you're inside the network then you have to enable nat reflection.  This really is not a very good solution to the simple problem of name resolution.  As I thought I clearly went over, just set up pfsense to resolve whatever.no-ip to your private IP when you're using the lan side of pfsense, be it wired or wireless on your phone, etc.

    If your phone is using the cell connection then it would be outside and use the public IP of your no-ip setup and your port forwards.  If inside on your wifi, it resolves your internal IP.


  • Exactly, the issue is on my internal wifi it doesn't work. Split dns will only allow one, not the other, as they share the same hostname.

  • LAYER 8 Netgate

    Well, you're going to have to have two hostnames.  It's two hosts.


  • Hm, may I add my question to this thread. I have an Exchange mail server and a postfix mail server in the same LAN behind a pfsense router. Both have their own public IP address (WAN side). Everything is working perfectly, except for the fact that both mail servers can send/receive mail to/from each other. This is due to the fact that one mail server can not connect to the other with the public WAN IP.

    I think DNS splitting is not a possible option for me, since Exchange requires localhost as the primary DNS server.
    I tried NAT reflection (I just enabled it under Advanced Settings of pfSense), but this didn't work.

    The easiest test to find out if everything is working is traceroute. But I can't traceroute the public IP of the Exchange from the other mail server.

    Does anyone have an idea for me?

  • LAYER 8 Netgate

    When a host on the outside says, "where is mail1.example.com?" they get 209.224.34.45
    When a host on the outside says, "where is mail2.example.com?" they get 209.224.34.46

    Do this by placing the A records for the VIPs that get forwarded to the mail servers in your global DNS.

    When a host on the inside (including your mail servers) says, "where is mail1.example.com?" they get 192.168.10.3
    When a host on the inside (including your mail servers) says, "where is mail2.example.com?" they get 192.168.10.4

    Do this in host overrides in DNS forwarder / DNS resolver, or in your windows zone.

    If your windows DNS can't do this, then let it handle internal queries with internal answers and farm out the external, global DNS to he.net, dyn, zoneedit, etc.
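To make the two split-horizon setups in this thread concrete (the cam1/cam2 host overrides in the moderator's reply above, and the mail1/mail2 answer just given), here is an added example that is not from the thread or from pfSense itself. It renders the LAN-side host overrides in the `local-data` form Unbound (the pfSense DNS Resolver) uses, refuses the two mistakes discussed (two hosts sharing one name, an override pointing at a public address), shows why the inside and outside URLs differ only by port, and gives a small check you can run from the LAN and again from outside to confirm which side of the split answered. The hostnames under example.com, the 192.168.1.0/24 subnet standing in for the poster's "x.x.x.", and the injected resolver used in the check are assumptions; the public address in the usage note is the one from the mail answer.

```python
"""Split-horizon DNS for hosts behind pfSense: added example, not from the thread.

Assumed (not stated on the page): the hostnames under example.com, the LAN
subnet 192.168.1.0/24 standing in for the poster's "x.x.x.", and that the
pfSense DNS Resolver (Unbound) renders a host override as a "local-data" line.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Host:
    fqdn: str      # one name per host: two hosts cannot share a single override
    lan_ip: str    # RFC1918 address the LAN answer must return
    lan_port: int  # port the service listens on inside
    wan_port: int  # port forwarded on the public IP for outside clients


# Constructed samples following the thread's numbers.
CAMERAS = [
    Host("cam1.example.com", "192.168.1.198", lan_port=9999, wan_port=4000),
    Host("cam2.example.com", "192.168.1.199", lan_port=9999, wan_port=4001),
]
MAIL = [
    Host("mail1.example.com", "192.168.10.3", lan_port=25, wan_port=25),
    Host("mail2.example.com", "192.168.10.4", lan_port=25, wan_port=25),
]


def unbound_host_overrides(hosts: Iterable[Host]) -> str:
    """Render the Unbound local-data lines for the LAN side of the split.

    The public A records for the same names stay in the external zone;
    nothing here touches them. Refuses duplicate names and non-private
    targets, the two mistakes the thread runs into.
    """
    seen = set()
    lines = []
    for h in hosts:
        if h.fqdn in seen:
            raise ValueError(f"{h.fqdn} listed twice; give each host its own name")
        if not ipaddress.ip_address(h.lan_ip).is_private:
            raise ValueError(f"{h.fqdn}: LAN override must be a private address, got {h.lan_ip}")
        seen.add(h.fqdn)
        lines.append(f'local-data: "{h.fqdn}. A {h.lan_ip}"')
    return "\n".join(lines)


def service_url(h: Host, inside: bool, scheme: str = "http") -> str:
    """Same hostname from both sides; only the port changes, so a client that
    moves between LAN and WAN needs two bookmarks (or one port everywhere)."""
    port = h.lan_port if inside else h.wan_port
    return f"{scheme}://{h.fqdn}:{port}/"


def classify_answer(fqdn: str, hosts: Iterable[Host],
                    resolve: Optional[Callable[[str], str]] = None) -> str:
    """Resolve fqdn (system resolver by default, or an injected one for tests)
    and report which side of the split answered:
      'inside'         the configured LAN override
      'outside'        a public address, i.e. the external zone answered
      'wrong-internal' a private address that is not this host's override
    Run it once from the LAN and once from outside to confirm the split."""
    resolve = resolve or socket.gethostbyname
    answer = ipaddress.ip_address(resolve(fqdn))
    expected = {h.fqdn: ipaddress.ip_address(h.lan_ip) for h in hosts}
    if answer == expected.get(fqdn):
        return "inside"
    if answer.is_private:
        return "wrong-internal"
    return "outside"


if __name__ == "__main__":
    print(unbound_host_overrides(CAMERAS + MAIL))
    for cam in CAMERAS:
        print(service_url(cam, inside=True), service_url(cam, inside=False))
```

From a LAN client, `classify_answer("cam1.example.com", CAMERAS)` should return `"inside"`; from the cell connection it should return `"outside"` (the answer being the public IP, e.g. 209.224.34.45 in the mail example). A `"wrong-internal"` result means an override exists but points at the other host, which is exactly what happens when two hosts are configured under one name.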