Split DNS / horizon



  • Something I'd like to share with you and get your opinion:

    As we were discussing this feature in the French section of this forum, I decided to have a closer look at documentation  8)
    DNS Forwarder and Unbound both provide override capability, which means that for internal users, pfSense DNS can return a different IP, but this is, to me, only a very partial split DNS implementation.

    Dnsmasq could provide something closer to split horizon when using the localise-queries option, but I can't see such an option in the GUI (for DNS Forwarder).

    pfSense documentation explains "split DNS" with the override example, which I find to be slightly misleading, at least without some comments to explain that this is only a very partial implementation of what true split DNS is.

    Is my view truncated / biased, or do you share my comment? In that case, would it make sense to ask for a documentation adjustment?



  • To me, split DNS simply means that you get different resolution depending on whether you are internal or external.  That's it.  I don't know if there is an industry-accepted definition.  Lots of other technologies have only partial implementations and still exist under the same banner, so I don't agree that they need to rename it just because it doesn't support a specific option or feature.


  • Rebel Alliance Global Moderator

    And how would you define split dns?

    There are lots of names for it, etc.. but it boils down to this
    "implementation to provide different sets of DNS information"

    Now in a fancy setup you could do this based upon the source IP of the query, etc.  But if a fqdn on the public internet resolves to 1.2.3.4 and you resolve it to 4.5.6.7 from clients doing queries from your lan - I would by definition call that a split setup.

    I would not call
    -y, --localise-queries
        Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was received. If a name in /etc/hosts has more than one address associated with it, and at least one of those addresses is on the same subnet as the interface to which the query was sent, then return only the address(es) on that subnet. This allows for a server to have multiple addresses in /etc/hosts corresponding to each of its interfaces, and hosts will get the correct address based on which network they are attached to. Currently this facility is limited to IPv4.

    A full-featured split like views in BIND either, if you want to get picky..

    But if you would like to reword the documentation - please grab a wiki account, and have at it ;)  Or if you have something in mind post it here and I will update the wiki.

    How about putting up french versions of the wiki pages - since you were in the french section, have to assume you speak and write french?

    But I am curious as to how you would define a split DNS and how host overrides do not provide the ability to serve up a different IP than what is publicly resolved for any fqdn?

    edit:  If anything, after reading the doc you linked to, it should prob be updated to include mention of using the resolver and host overrides as well..  Other than that, it seems pretty spot on to me for what it was meant to do: explain to users how they can resolve their local boxes to their local IPs vs using NAT reflection and accessing the public IP of the box next to them, etc.  I don't think it was meant as a doctoral thesis on split DNS ;)



  • @johnpoz:

    And how would you define split dns?

    Capability for DNS server to return different responses (IP addresses) depending on client location.
    Exactly as described in RFC2775  8)

    3.8 Split DNS

    Another consequence of the Intranet/Internet split is "split DNS" or
      "two faced DNS", where a corporate network serves up partly or
      completely different DNS inside and outside its firewall.

    and this definition is also shared by Microsoft, BIND and some others.
    Wikipedia is no different.

    There are lots of names for it, etc.. but it boils down to this
    "implementation to provide different sets of DNS information"

    Now in a fancy setup you could do this based upon the source IP of the query, etc.  But if a fqdn on the public internet resolves to 1.2.3.4 and you resolve it to 4.5.6.7 from clients doing queries from your lan - I would by definition call that a split setup.

    I understand your point and almost agree  ;)
    As I wrote, the override feature provides something close to split DNS, but both dnsmasq and unbound are not designed as authoritative DNS servers. While trying to answer your question, I realize that my point is more linked to this aspect than to a lack of split DNS.

    I would not call
    -y, --localise-queries
        Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was received. If a name in /etc/hosts has more than one address associated with it, and at least one of those addresses is on the same subnet as the interface to which the query was sent, then return only the address(es) on that subnet. This allows for a server to have multiple addresses in /etc/hosts corresponding to each of its interfaces, and hosts will get the correct address based on which network they are attached to. Currently this facility is limited to IPv4.

    Much clearer. Thank you.

    But if you would like to reword the documentation - please grab a wiki account, and have at it ;)  Or if you have something in mind post it here and I will update the wiki.

    Not that I want to reword it  :-[ but I wanted mainly to share with you my understanding and my confusion with the current wording, which I feel (felt) to be slightly misleading.
    No nit-picking intended  :-[

    [quote]How about putting up French versions of the wiki pages - since you were in the French section, I have to assume you speak and write French?[/quote]
    For sure my French is much better than my English  :-[
    I will have a look, but I'm afraid I'm too psycho-rigid  ;D

    [quote]But I am curious as to how you would define a split DNS and how host overrides do not provide the ability to serve up a different IP than what is publicly resolved for any fqdn?[/quote]

    Host override does provide it "one-way", for internal users only. Localise-queries will definitely improve it when deploying a DMZ.

    edit:  If anything, after reading the doc you linked to, it should prob be updated to include mention of using the resolver and host overrides as well..  Other than that, it seems pretty spot on to me for what it was meant to do: explain to users how they can resolve their local boxes to their local IPs vs using NAT reflection and accessing the public IP of the box next to them, etc.  I don't think it was meant as a doctoral thesis on split DNS ;)

    Clearer now, thanks to your comments. Without authoritative features, implementing real split DNS can't be achieved, but overriding should fit in most cases.


  • Rebel Alliance Global Moderator

    "where a corporate network serves up partly or
      completely different DNS inside and outside its firewall."

    That is from the RFC you linked to – so how is it that host overrides do not provide that??  www.mydomain.tld to the world outside my firewall resolves to 1.2.3.4, inside my firewall it resolves to 192.168.1.100 -- this is EXACTLY by definition "split dns" and what host overrides provide.
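    The two behaviours argued over in this thread (a host override that hands inside clients 192.168.1.100 while the outside world still sees 1.2.3.4, and dnsmasq's localise-queries picking the address on the receiving interface's subnet) are easy to confuse in prose, so here is a small model of both. This is an added example written for this page; it is not code from the thread, from pfSense, dnsmasq or unbound. The www.mydomain.tld / 1.2.3.4 / 192.168.1.100 values come from the post above; the fileserver.lan entry, the client addresses and the internal subnets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed tables (not from the thread): what the public Internet answers,
# what the firewall's host override says, and a multi-homed hosts-file entry
# of the kind --localise-queries is meant for.
PUBLIC_ANSWERS = {"www.mydomain.tld": ["1.2.3.4"]}
HOST_OVERRIDES = {"www.mydomain.tld": ["192.168.1.100"]}
HOSTS_FILE = {"fileserver.lan": ["192.168.1.10", "10.10.10.10"]}
INTERNAL_NETS = ["192.168.1.0/24", "10.10.10.0/24"]


def is_internal(client_ip, internal_nets=INTERNAL_NETS):
    """True when the querying client sits on one of the inside networks."""
    client = ip_address(client_ip)
    return any(client in ip_network(net) for net in internal_nets)


def resolve_split(name, client_ip, overrides=HOST_OVERRIDES,
                  public=PUBLIC_ANSWERS, internal_nets=INTERNAL_NETS):
    """Host-override style split DNS, as in the pfSense documentation example.

    Inside clients get the override; everyone else gets whatever the public
    zone says.  The "one-way" point made in the thread is visible here: the
    firewall only ever serves the inside view, while the outside view has to
    live on some other, authoritative server that this function merely looks up.
    """
    if is_internal(client_ip, internal_nets) and name in overrides:
        return list(overrides[name])
    return list(public.get(name, []))


def localise_queries(name, interface_net, hosts=HOSTS_FILE):
    """Model of dnsmasq --localise-queries as the man page quoted above describes it.

    If at least one address for the name is on the subnet of the interface that
    received the query, return only the address(es) on that subnet; otherwise
    return all of them unchanged.  Like dnsmasq, this is IPv4 only: an IPv6
    interface subnet never matches an IPv4 hosts entry, so every address is
    returned.  strict=False lets the caller pass the interface address itself
    (e.g. "192.168.1.1/24") instead of the network address.
    """
    net = ip_network(interface_net, strict=False)
    addrs = list(hosts.get(name, []))
    on_subnet = [a for a in addrs if ip_address(a) in net]
    return on_subnet if on_subnet else addrs


if __name__ == "__main__":
    # Inside client vs. outside client for the overridden name.
    print(resolve_split("www.mydomain.tld", "192.168.1.50"))   # override
    print(resolve_split("www.mydomain.tld", "203.0.113.9"))    # public
    # Same hosts entry, answered on two different interfaces, then on one
    # whose subnet matches nothing (falls back to all addresses).
    print(localise_queries("fileserver.lan", "192.168.1.1/24"))
    print(localise_queries("fileserver.lan", "10.10.10.1/24"))
    print(localise_queries("fileserver.lan", "172.16.0.1/24"))
```

    In dnsmasq terms the first function corresponds to an `address=/www.mydomain.tld/192.168.1.100` line or a hosts-file entry plus the `localise-queries` option for the second; in unbound the override is a `local-data: "www.mydomain.tld. A 192.168.1.100"` entry. Neither daemon answers the outside world, which is the gap the poster above is pointing at.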



  • @johnpoz:

    "where a corporate network serves up partly or
      completely different DNS inside and outside its firewall."

    That is from the RFC you linked to – so how is it that host overrides do not provide that??

    …assuming you also maintain another DNS outside. This was my point.
    But this detail aside, you're right. I got your point.

    Clear enough  ;)
    Let's not waste time with this perhaps stupid debate  :-[