DNS split & override - possible?



  • Hi there!

    Our requirement is to be able to override SOME public DNS records for development purposes. "DNS forwarder" has been serving us well so far. But now I need to put some devices in DMZ and need the DNS to render different IPs on the inside and on the DMZ interface. So we're talking about split DNS. And I am aware bind would be the thing I need, but unfortunately, I haven't been able to have the override feature in bind. From what I've read it's not possible to override only some public domain DNS records.

    So if I wanted www.google.com to be 1.1.1.1 on the inside interface and 2.2.2.2 on the DMZ interface (and leaving mail.google.com unaffected), what would my options be? Can the DNS resolver/unbound handle that scenario?

    TIA



  • I don't believe it's possible to do what you want, or at least I certainly don't know how to do it.  Considering how LAN and DMZ are both internal networks, I'm curious as to why you can't resolve a domain to the same IP address for both?  What is the scenario you're cooking up?



    Well, we have a server on the inside network (serving desktop workstations), but we don't want the mobile devices (and others) to be in the inside network but in the DMZ. The server is exposed through a reverse proxy to DMZ.

    So for DMZ clients I would need to provide a 2.2.2.2 IP (reverse proxy) and the inside ones should use 1.1.1.1 IP (server itself).

    I got that working with bind, but bind can't seem to handle transparent DNS zones (or whatever it's called, the overriding of few domain hosts).



  • I got that working with bind

    How?  Or do you mean you have the standard DNS Resolver bound to LAN and a Bind instance bound to DMZ, each serving a different address for the same host?


  • Banned

    @KOM:

    I got that working with bind

    How?

    See the "'split' DNS using views" example @ http://www.zytrax.com/books/dns/ch7/view.html

    @OP: Run the forwarder on a different port, and use forward only zone in bind to point it to the forwarder for those cases where you need the "transparent" overrides?


  • LAYER 8 Netgate

    I got that working with bind, but bind can't seem to handle transparent DNS zones (or whatever it's called, the overriding of few domain hosts).

    If you have a zone that you want to appear the same except for a few records, I think you are on the right track.  You might need to get a little creative using views pointing to two different zone files that have the different records in them but both include the same file that contains the records that you want to be the same in both views.  Bind will pretty much do anything.



  • @doktornotor:

    @OP: Run the forwarder on a different port, and use forward only zone in bind to point it to the forwarder for those cases where you need the "transparent" overrides?

    Hi Doktornotor!

    I'm using pfsense 2.2, should I use "DNS resolver" or "DNS forwarder"?
    So if I do as you recommend, I would be able to override for example www.google.com only and have ALL other google.com hosts handled by google authoritative DNS Server?

    OK, so I've enabled DNS forwarder, port 1053, entered www.google.com = 8.8.8.8 .
    Bind: new zone, "google.com", do I enter "forward" or "redirect" in "Zone type"? Where do I put the 127.0.0.1:1053 entry? I can't get the bind to start with those settings.

    Bye


  • Banned

    No idea about the bind pfSense package…

    zone "example.com" IN { type forward;
            forwarders { 127.0.0.1 port 1053; };
            forward only;
    };

    @marama:

    OK, so I've enabled DNS forwarder, port 1053, entered www.google.com = 8.8.8.8 .

    Huh? You put the IP address this should resolve to into the overrides. 8.8.8.8 is Google's public DNS, this most certainly will NOT work for overriding the www.google.com website.



  • See the "'split' DNS using views" example

    I had no idea about the views functionality.  Thanks for the tip.



  • @doktornotor:

    No idea about the bind pfSense package…

    zone "example.com" IN { type forward;
            forwarders { 127.0.0.1 port 1053; };
            forward only;
    };

    @marama:

    OK, so I've enabled DNS forwarder, port 1053, entered www.google.com = 8.8.8.8 .

    Huh? You put the IP address this should resolve to into the overrides. 8.8.8.8 is Google's public DNS, this most certainly will NOT work for overriding the www.google.com website.

    It seems to be working!!!! Thanx a lot.
    The problem was I was setting the forwarder to "127.0.0.1:1053" instead of "127.0.0.1 port 1053".
    "www.google.com = 8.8.8.8" was just a host override I put in DNS forwarder, just so I could test. It's working!



  • @marama:

    It seems to be working!!!! Thanx a lot.
    The problem was I was setting the forwarder to "127.0.0.1:1053" instead of "127.0.0.1 port 1053".
    "www.google.com = 8.8.8.8" was just a host override I put in DNS forwarder, just so I could test. It's working!

    AAAGHHH!
    My scenario is too complicated for this after all.

    I need to split and forward/override the same domain. So if I wanted to manipulate for example google.com so I have:

    www.google.com inside = 1.1.1.1 (override)
    www.google.com dmz = 2.2.2.2 (override)
    mail.google.com normal (no override for inside and dmz)

    that seems to be not possible because I can have only one "DNS forwarder" service and if I split in bind, I can only forward them to the same "DNS forwarder". The only alternative I see would be running another "DNS forwarder" instance on pfsense appliance and having the split DNS forward the requests there too.
    I've tried running "DNS resolver" and "DNS forwarder" at the same time, but that wouldn't work even if the ports are different.
    Any point in trying to install "dns-server" package (TinyDNS) and trying to run that on another port without breaking bind (port 53) and dns-forwarder (port 1053)?

    EDIT: "dns-server" (TinyDNS) doesn't seem to be able to run on port other than 53, so this will not work as I already have bind running on 53 ;(
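The per-view requirement listed above (one host overridden to a different address per subnet, every other name in the domain left alone) does not need a second DNS forwarder: each bind view can carry its own tiny master zone named after the exact host. The following named.conf excerpt and zone file are an added example, not from this thread or the pfSense bind package; the subnets (192.168.0.0/24 inside, 10.0.0.0/24 DMZ), the upstream resolver 203.0.113.53, and the directory /etc/namedb are assumed placeholders.

```conf
// named.conf excerpt (added example). Assumed: LAN 192.168.0.0/24,
// DMZ 10.0.0.0/24, upstream resolver 203.0.113.53, files under /etc/namedb.
acl lan { 192.168.0.0/24; 127.0.0.1; };
acl dmz { 10.0.0.0/24; };

options {
    directory "/etc/namedb";
    allow-query { lan; dmz; };      // internal clients only, nothing public
    forwarders { 203.0.113.53; };   // everything not overridden goes upstream
    forward only;
};

view "inside" {
    match-clients { lan; };
    recursion yes;
    // Zone name is the host itself, so google.com and mail.google.com are
    // untouched and still resolve through the forwarders above.
    zone "www.google.com" IN {
        type master;
        file "override/www.google.com.inside";
    };
};

view "dmz" {
    match-clients { dmz; };
    recursion yes;
    zone "www.google.com" IN {
        type master;
        file "override/www.google.com.dmz";   // same file, A record 2.2.2.2
    };
};

// override/www.google.com.inside (zone file; the DMZ copy differs only in
// the apex A record). ns.local is a placeholder name for this resolver.
//
// $TTL 300
// @    IN SOA ns.local. hostmaster.local. ( 1 3600 900 604800 300 )
//      IN NS  ns.local.
//      IN A   1.1.1.1
```

Verify from a host on each subnet with `dig @<pfsense-ip> www.google.com` and `dig @<pfsense-ip> mail.google.com`: the first answer should differ between views, the second should be identical and come from upstream. Keep `allow-query` limited to internal ACLs so the overriding views are never reachable from the public side.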


  • Banned

    It would seriously help to describe what you are trying to do. "Splitting" www.google.com in two bogus IPs depending on subnet makes no sense at all. If you are trying to block something, perhaps just use a proxy.



  • @doktornotor:

    It would seriously help to describe what you are trying to do. "Splitting" www.google.com in two bogus IPs depending on subnet makes no sense at all. If you are trying to block something, perhaps just use a proxy.

    Spoofing www.google.com to 2 bogus IPs depending on subnet was just an example, I can explain the need for that if that might help you help me.

    So we have a Jira server on the inside (192.168.0.0), and it has a base name "jira.domain.com". We use a nginx proxy in DMZ subnet (10.0.0.0) to make it accessible from the outside and from the DMZ clients (such as mobile devices). We need to resolve "jira.domain.com" to 3 different IPs - depending on the client's subnet. "domain.com" has an authoritative DNS server out of our scope, we just need to override the "jira.domain.com" entry. So I took google.com as an example because we of course are not authoritative for the domain.

    Any suggestions are welcome ;)

    P.S. we don't want to expose jira to the DMZ because it relies a lot on other inside servers, and mobile devices need to go in DMZ. Nginx proxy server does the SSL termination for the outside and DMZ. Also inside clients need to go through DMZ in order to talk to jira server because of the SSL.


  • Banned

    Make a delegation for jira.domain.com on the authoritative DNS server and use the views with bind running on pfSense? (Make sure the public view does NOT have recursion enabled.)

    http://www.zytrax.com/books/dns/ch9/delegate.html



  • @doktornotor:

    Make a delegation for jira.domain.com on the authoritative DNS server and use the views with bind running on pfSense? (Make sure the public view does NOT have recursion enabled.)

    http://www.zytrax.com/books/dns/ch9/delegate.html

    We don't really control the authoritative DNS zone. The DNS is hosted non-bind web mask where you put A/CNAME/SRV/TXT records (we can put single records there). So we don't really have much say on the authoritative DNS, I need to approach this on premise and have public jira.domain.com record point at our nginx exposed public IP. That works just fine, I "just" need to handle the inside/DMZ calls.

    But as I understand (as you suggested), having an additional pfsense run dns-forwarder, and having bind split the zone (inside/dmz) to the 2 dns-forwarders, I guess the concept would work. Too bad I need another pfsense appliance/vm for that, but that would be doable I guess. Total of 4 DNS servers for this, hehe.


  • Banned

    I do not think messing with DNS is a sane approach for this. Move to something else.


  • LAYER 8 Netgate

    We don't really control the authoritative DNS zone.

    Well that changes everything.



  • @Derelict:

    We don't really control the authoritative DNS zone.

    Well that changes everything.

    Oops, I didn't think it was necessary to point out we don't control authoritative DNS of Google.com (that was the example I've been working with from the very first post).

    Anyway, thanks for helping guys, I'll rethink the whole concept and maybe I come up with something more manageable. Am thinking of DHCP-served, client-specific DNS server entries (anyone know how to set the DNS port in DHCP?)

    Bye



  • I don't mean to bring back a topic that is 2 years old but I would like to know how this turned out and if any new enhancements have made this feasible? I am also trying to have 2 INSIDE subnets resolve 2 different IPs for the same FQDN

