The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.
https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html
EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.
My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.
Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:
$TTL 60
@ IN SOA localhost. root.localhost. (
2015112501 ; serial
1h ; refresh
30m ; retry
1w ; expiry
30m) ; minimum
IN NS localhost.
localhost A 127.0.0.1
www.some-website.com A 127.0.0.1
www.other-website.com CNAME fake-hostname.com.
What does it do?
- it overrides the IP address for
www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
- it sends traffic for
www.other-website.com to another site called fake-hostname.com
Anything that could go in a Bind zone file you can use here.
To activate these changes there are a few more steps:
Edit named.conf.local and add this section:
zone "rpz" {
type master;
file "/etc/bind/db.rpz";
};
The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.
Edit named.conf.options and somewhere in the options { } section add the response-policy option:
options {
// bunch
// of
// stuff
// please
// ignore
response-policy { zone "rpz"; };
}
Now restart Bind:
service bind9 restart
That's it. The nameserver should begin overriding those records now.
If you need to make changes, just edit db.rpz, then restart Bind again.
Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:
logging {
// stuff
// already
// there
channel my_syslog {
syslog daemon;
severity info;
};
category queries { my_syslog; };
};
Restart Bind again and that's it.
Test it on the machine running Bind:
dig @127.0.0.1 www.other-website.com. any
If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1
I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.
Best Answer
If I understand you correctly, you run separate independent DNS servers, and each set (I really do hope that you have more than one instance per subnet or network location) of servers contains different uncoordinated information. This is unsustainable. I actually inherited something like this a few years back, and it was our largest source of annoyance, bugs, and outages until we tore it out and built a completely new DNS setup.
Instead of maintaining multiple masters responsible for their own zones, create a single master holding all zones, with multiple views. Set up slaves everywhere they would make sense (another one in the same location, more in other physical locations, put them physically and logically close to where your users are). Replicate all views to all slaves, or only some views if you know that some of your slaves won't serve requests from certain networks. Once this is in place, all your servers will have exactly the same data. You'll only have to ensure that your views are defined correctly, and all clients will get exactly the results they need, regardless of the server they use.
A couple of hints on implementation:
Use $INCLUDE in your zone files so that individual view files only have the entries that are different among different views (for example, your ext.example.com will probably resolve to the same IP regardless of the view, so it'll go into the common include file, while example.com will be specific to every view file).
For replication, you may want to give each DNS server several IP addresses - one per view. This is done, because views use client IP address to determine what to serve - and this also includes XFER requests coming from slaves. So, you have to 1) for every slave, add one and only one of its IP addresses into each view; 2) on the slaves, use transfer-source directive in named.conf so that the XFERs originate on the correct IP. Here's the same idea explained in more detail: http://coding.infoconex.com/post/2010/04/26/Bind-DNS-e28093-Configuring-multiple-views-on-primary-and-secondary-DNS-servers.aspx
Also, see if you can get help from your network admins. In some situations, DNS rewrite can make separate views unnecessary.