Netgate Discussion Forum
    Split DNS with multiple internal destinations

    10 Posts 6 Posters 2.9k Views
    zerodamage

      Hi,

      I may be misunderstanding how the Split DNS thing is supposed to work (NAT Reflection does not work for me). I have two IP cameras in my home network. Internally, they are at my x.x.x.198 and 199 addresses and both have a destination port of 9999. To reach each of these cameras externally (from the internet), I point at my Dynamic DNS destination address and point to ports 4000 and 4001 depending on the camera.

      The only way I can reach these cameras from within my network is by connecting to a VPN first or using their internal static IPs.

      Will the Split DNS work if I am targeting two hosts internally?  Should I do some kind of port forwarding?

      Should I create new hostname for each of the cameras such as cam1.example.com and cam2.example.com and configure those with the Split DNS?

      DNS reflection just doesn't work and I am trying to figure out a solution for this.

      KOM

        Is using their LAN IPs a problem?  That's all that Split DNS does, it gives you the internal IP instead of the external IP for the same host.  Running an internal DNS seems overkill just to access a pair of cameras.  If you only ever access these cameras internally from your workstation, updating your hosts file may be a much simpler solution.

        zerodamage

          @KOM:

          Is using their LAN IPs a problem?  That's all that Split DNS does, it gives you the internal IP instead of the external IP for the same host.  Running an internal DNS seems overkill just to access a pair of cameras.  If you only ever access these cameras internally from your workstation, updating your hosts file may be a much simpler solution.

          I like being able to wake up my phone, open the app and see that all is well at my house. I would like to be able to grab my phone after hearing a noise in the middle of the night and take a look without first having to connect to another network via VPN or edit each camera to point to internal IP and then change it back again later when I am at work.

          johnpoz LAYER 8 Global Moderator

            I think you have gotten stuck on a term you don't really understand: "split" DNS.

            I would assume your internal network is using pfSense for DNS? pfSense is quite capable of providing name resolution for you. If you access your cameras with, say,
            host.someoutsidedyndnsdomain.tld while you're outside using public DNS,

            then just set up host overrides for that in pfSense to point that FQDN to your rfc1918.199 or rfc1918.198 address (I would use cam1 and cam2, for example), then just use whatever port they use.

            Now when you're outside, host.someoutsidedyndnsdomain.tld using public DNS resolves to your public IP. I would use cam1 and cam2 on the outside as well. Then on the inside, when you're using pfSense as your DNS, cam1.someoutsidedyndnsdomain.tld and cam2 point to your private IP address. You're going to have to set up different shortcuts for the ports because you're running different ports on the outside than the inside. So why can you just not set up 2 different links to your cameras' private IPs in the first place?

            On a side note, it's not really good practice to make stuff like cameras open to the public net, whether you run on an oddball port or not. A VPN into your network is the better way to access stuff like security cameras while outside your network, to be honest.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              wifiuk

              I have the same problem, I can't access my xxxx.no-ip from inside my network.

              But in terms of security, I have firewall rules to only allow my work IP, and the subnet for my 4G mobile connection, to access my camera port forwarding; all others won't pass the firewall from outside.

                johnpoz LAYER 8 Global Moderator

                If you want to access your public IP while you're inside the network then you have to enable NAT reflection. This really is not a very good solution to the simple problem of name resolution. As I thought I clearly went over, just set up pfSense to resolve whatever.no-ip to your private IP when you're using the LAN side of pfSense, be it wired or wireless on your phone, etc.

                If your phone is using the cell connection then it would be outside and use the public IP of your no-ip setup and your port forwards. If inside on your wifi, it resolves to your internal IP.

                  wifiuk

                  Exactly, the issue is that on my internal wifi it doesn't work. Split DNS will only allow one, not the other, as they share the same hostname.

                    Derelict LAYER 8 Netgate

                    Well, you're going to have to have two hostnames.  It's two hosts.

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      fritz89

                      Hm, may I add my question to this thread. I have an Exchange mail server and a Postfix mail server in the same LAN behind a pfSense router. Both have their own public IP address (WAN side). Everything is working perfectly, except for the fact that both mail servers can send/receive mail to/from each other. This is due to the fact that one mail server cannot connect to the other with the public WAN IP.

                      I think DNS splitting is not a possible option for me, since Exchange requires localhost as the primary DNS server.
                      I tried NAT reflection (I just enabled it under Advanced Settings of pfSense), but this didn't work.

                      The easiest test to find out if everything is working is traceroute. But I can't traceroute the public IP of the Exchange from the other mail server.

                      Does anyone have an idea for me?

                        Derelict LAYER 8 Netgate

                        When a host on the outside says, "where is mail1.example.com?" they get 209.224.34.45
                        When a host on the outside says, "where is mail2.example.com?" they get 209.224.34.46

                        Do this by placing the A records for the VIPs that get forwarded to the mail servers in your global DNS.

                        When a host on the inside (including your mail servers) says, "where is mail1.example.com?" they get 192.168.10.3
                        When a host on the inside (including your mail servers) says, "where is mail2.example.com?" they get 192.168.10.4

                        Do this in host overrides in DNS forwarder / DNS resolver, or in your windows zone.

                        If your windows DNS can't do this, then let it handle internal queries with internal answers and farm out the external, global DNS to he.net, dyn, zoneedit, etc.

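The split-horizon setup johnpoz and Derelict describe (host overrides on the inside, the global zone on the outside, one name per host), as an added example that is not code from the thread, from pfSense or from Unbound. It parses constructed host-override entries written in the `local-data:` form Unbound accepts (that pfSense's Resolver emits host overrides in this shape is an assumption), answers a query differently depending on whether the asking client sits on a LAN network, and shows why the port also has to differ per side. All hostnames, addresses, networks and ports are constructed for illustration.

```python
"""Split-horizon DNS ("split DNS") with host overrides, as the thread describes.

Added example, not code from the thread, from pfSense or from Unbound. It models
what a host override in the pfSense DNS Resolver does: a LAN client asking the
firewall for cam1.example.com gets the RFC1918 address, while the public zone
(dyndns/no-ip) keeps answering with the WAN address. Every hostname, address,
network and port below is constructed for illustration.
"""
import ipaddress
import re

# Constructed override data in the `local-data:` form Unbound accepts; that the
# pfSense Resolver writes host overrides in this shape is an assumption.
HOST_OVERRIDES = """
local-data: "cam1.example.com. A 192.168.1.198"
local-data: "cam2.example.com. A 192.168.1.199"
local-data: "mail1.example.com. A 192.168.10.3"
local-data: "mail2.example.com. A 192.168.10.4"
"""

# Constructed public zone: what global DNS serves to the outside world.
PUBLIC_ZONE = {
    "cam1.example.com": "203.0.113.10",    # both cameras share one WAN IP, so
    "cam2.example.com": "203.0.113.10",    # the name (not the IP) picks the host
    "mail1.example.com": "209.224.34.45",  # mail servers each have their own VIP
    "mail2.example.com": "209.224.34.46",
}

# Constructed WAN port forwards: name -> (external port, camera's own port).
PORT_FORWARDS = {
    "cam1.example.com": (4000, 9999),
    "cam2.example.com": (4001, 9999),
}

# Networks the firewall's resolver serves; any other source is "outside".
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("192.168.10.0/24")]

_LOCAL_DATA = re.compile(
    r'^\s*local-data:\s*"([^"\s]+)\s+(?:IN\s+)?A\s+([^"\s]+)"\s*$')


def parse_overrides(text: str) -> dict:
    """Parse `local-data: "<name> A <ip>"` lines into {name: ip}.

    Names are normalised (trailing dot stripped, lower-cased) and the
    address is validated as IPv4; non-matching lines are ignored.
    """
    overrides = {}
    for line in text.splitlines():
        m = _LOCAL_DATA.match(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        overrides[name] = str(ipaddress.IPv4Address(m.group(2)))
    return overrides


def is_inside(client_ip: str) -> bool:
    """True when the querying client is on a network the firewall resolver serves."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LAN_NETWORKS)


def resolve(name: str, client_ip: str, overrides: dict, public_zone: dict):
    """Answer an A query the way a split-horizon setup does.

    Inside clients get the override when one exists; everyone else (and any
    name without an override) gets the public record. Returns None when
    neither side knows the name.
    """
    name = name.rstrip(".").lower()
    if is_inside(client_ip) and name in overrides:
        return overrides[name]
    return public_zone.get(name)


def camera_url(name: str, client_ip: str, overrides: dict, public_zone: dict,
               forwards: dict) -> str:
    """Build the URL a client should use from a given vantage point.

    DNS carries only the address. The port differs per side (the camera's own
    port inside, the forwarded port outside), which is why the thread needs a
    separate shortcut per side on top of a separate hostname per camera.
    """
    name = name.rstrip(".").lower()
    addr = resolve(name, client_ip, overrides, public_zone)
    if addr is None:
        raise KeyError(f"no record for {name}")
    ext_port, int_port = forwards[name]
    inside = is_inside(client_ip) and name in overrides
    return f"http://{addr}:{int_port if inside else ext_port}/"


if __name__ == "__main__":
    ov = parse_overrides(HOST_OVERRIDES)
    for who in ("192.168.1.50", "203.0.113.9"):
        print(who, "->", camera_url("cam1.example.com", who, ov,
                                    PUBLIC_ZONE, PORT_FORWARDS))
```

Note the mail case in the test below: a mail server on the 192.168.10.0/24 LAN asking for its peer's public name gets the peer's private address, which is exactly the behaviour that removes the need for NAT reflection between the two. Whether the override lives in the pfSense Resolver or in an internal Windows zone, the answer the LAN sees is the same.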
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.