Dnsmasq: one domain, half private, half public

Tags: dnsmasq, domain-name-system, internal-dns, nameserver

Our internal office network has the same top-level domain as our company online presence, e.g. ourdomain.com.

For the outside world, any public hosts (eg. blog.ourdomain.com, download.ourdomain.com, www.ourdomain.com, etc.) are configured in the DNS of our domain hoster, AWS Route 53.

For the office intranet, we are running a simple dnsmasq for DHCP and DNS (and VPN, but that's another story); name resolution for internal servers and desktop machines (e.g. laptops with DHCP addresses) in the office works fine. The dnsmasq instance is not available to the public.

So far, we tell dnsmasq about our public servers by maintaining a file /etc/hosts.dnsmasq, which is included into the main /etc/dnsmasq.conf by the line addn-hosts=/etc/hosts.dnsmasq, is similar to the well-known /etc/hosts, and has the following sample contents:

12.34.56.78    blog
12.34.56.79    download
12.34.56.80    www

We maintain this file manually which is becoming cumbersome. We would like to get rid of it and improve our dnsmasq setup so it does the following:

  1. if dnsmasq has "own" DNS info (e.g. DHCP or static IP address associated with a hostname) for a query from the internal office network, serve that
  2. otherwise, query the public DNS and forward the result back to the asker on the intranet

Q: Is this doable with dnsmasq? Does it require a subdomain for the office network (which we'd like to avoid, if possible)? If so, how? I have a feeling I must have gone through the dnsmasq docs a hundred times; they're great, but I could just be looking at the solution and not seeing it.

Also: From my understanding, such a setup is different from split-brain DNS as we're not using one name server returning different responses depending on where the query comes from, but use a public and a private name server for the same domain.

Is this a common setup? If not, is there a canonical way for organizations to configure their DNS when they use the same TLD for both public and private presences?

Best Answer

Is this a common setup?

I've seen multiple questions on ServerFault asking for a similar setup as you want, so I'm guessing it's a common setup. But since it's not really possible, I would state it's a common setup by administrators who do not really understand how DNS works. (Sorry, I do not wish to offend you - nor anyone else on this forum).

I've provided a possible answer to the question where one hosts both the internal DNS server as well as the external DNS server here. However this answer uses BIND as the DNS server, not dnsmasq.

Is it doable (with dnsmasq)?

As stated before, it's not possible to be authoritative for a given zone and forward the query to a different nameserver if you don't have the answer yourself. The answer I provided in the other question is a work-around.

Is there a canonical way for organizations to configure their DNS when they use the same domain for both public and private presences?

I would say they either use a subdomain internally or use split DNS. Records that need to be in both internal and external views will need to be copied in both zones. This can be simplified using automation (e.g. Ansible).
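As an added illustration of the answer's last point (keeping the records that live in both views in sync by automation), here is a small Python script that is not part of the question or the answer: it merges a constructed export of the public zone's A records into the /etc/hosts.dnsmasq file described in the question, keeps any existing internal entry, and reports names where the internal and public addresses disagree. The record list, addresses and the DOMAIN value are constructed assumptions; a real run would replace PUBLIC_A_RECORDS with an export from the hoster.

```python
import ipaddress
# Constructed sample of the existing /etc/hosts.dnsmasq ("<ip> <shortname>" per
# line, as in the question; dnsmasq's expand-hosts option appends the domain).
CURRENT_HOSTS = """\
12.34.56.78    blog
12.34.56.79    download
12.34.56.80    www
10.0.0.5       wiki
"""
# Constructed stand-in for an export of the public zone's A records (e.g. Route 53).
PUBLIC_A_RECORDS = [
    ("blog.ourdomain.com", "12.34.56.78"),
    ("download.ourdomain.com", "12.34.56.81"),  # differs from the internal file
    ("www.ourdomain.com", "12.34.56.80"),
    ("shop.ourdomain.com", "12.34.56.90"),      # public host not yet copied
    ("cdn.example.net", "198.51.100.7"),        # other zone, must be ignored
]
DOMAIN = "ourdomain.com"  # assumed zone name, as in the question

def parse_hosts(text):
    """Return {shortname: ip} from addn-hosts text, skipping comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            ipaddress.ip_address(ip)  # ValueError on a malformed address
            entries.update((n, ip) for n in names)
    return entries

def merge_public(internal, public_records, domain):
    """Copy our zone's public A records into the internal map. An existing entry is
    kept and reported when it disagrees, so a deliberate override is never clobbered."""
    merged, conflicts, suffix = dict(internal), [], "." + domain
    for fqdn, ip in public_records:
        if not fqdn.endswith(suffix):
            continue
        short = fqdn[:-len(suffix)]
        if short not in merged:
            merged[short] = ip
        elif merged[short] != ip:
            conflicts.append((short, merged[short], ip))
    return merged, conflicts

def build_hosts_file(current=CURRENT_HOSTS, public=PUBLIC_A_RECORDS, domain=DOMAIN):
    """Return (addn-hosts text in the question's two-column layout, conflict list)."""
    merged, conflicts = merge_public(parse_hosts(current), public, domain)
    text = "".join(f"{ip:<15}{name}\n" for name, ip in sorted(merged.items()))
    return text, conflicts
```

Write the returned text to /etc/hosts.dnsmasq and send dnsmasq SIGHUP to reload it; the conflict list is what a human should review before the next run.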