The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.
https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html
EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.
My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.
Go to where your Bind config files are kept on your system - here it's in /etc/bind
. Create in there a file called db.rpz
with the following contents:
$TTL 60
@ IN SOA localhost. root.localhost. (
2015112501 ; serial
1h ; refresh
30m ; retry
1w ; expiry
30m) ; minimum
IN NS localhost.
localhost A 127.0.0.1
www.some-website.com A 127.0.0.1
www.other-website.com CNAME fake-hostname.com.
What does it do?
- it overrides the IP address for
www.some-website.com
with the fake address 127.0.0.1
, effectively sending all traffic for that site to the loopback address
- it sends traffic for
www.other-website.com
to another site called fake-hostname.com
Anything that could go in a Bind zone file you can use here.
To activate these changes there are a few more steps:
Edit named.conf.local
and add this section:
zone "rpz" {
type master;
file "/etc/bind/db.rpz";
};
The tutorial linked above tells you to add more stuff to zone "rpz" { }
but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.
Edit named.conf.options
and somewhere in the options { }
section add the response-policy
option:
options {
// bunch
// of
// stuff
// please
// ignore
response-policy { zone "rpz"; };
}
Now restart Bind:
service bind9 restart
That's it. The nameserver should begin overriding those records now.
If you need to make changes, just edit db.rpz
, then restart Bind again.
Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local
and make sure there's a logging
section that includes these statements:
logging {
// stuff
// already
// there
channel my_syslog {
syslog daemon;
severity info;
};
category queries { my_syslog; };
};
Restart Bind again and that's it.
Test it on the machine running Bind:
dig @127.0.0.1 www.other-website.com. any
If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1
I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.
The typical ways to achieve this are:
- split DNS - having different DNS records on an internal DNS server...but the internal DNS server has to have all the records, and requires syncing between the internal and external servers
- delegation - which is creating the svn.example.com zone, and having your example.com DNS servers look to svn.example.com for anything relating to *.svn.example.com (including svn.example.com itself)
One way is to delegate a subdomain like "internal.example.com" to your LAN's DNS servers. On these DNS servers you can configure a zone for internal.example.com (or i.example.com if you want it shorter), and add any records you want.
You may be able to automate the syncing of your internal and public DNS servers to use split DNS, depending on what software you are using on each of them.
A third option would be to just put the internal IP addresses in your public DNS. This may have security implications (someone could use it to trick you to connect to their server if you aren't on your LAN), but should work and is dead simple to setup.
Best Answer
You would need to setup a self hosted DNS server with conditional forwarders. For example a docker image on Ubuntu who runs unbound where you have a forwarder zone for you internal domain and the rest to AWS. But I don't understand why you use route53 in Azure, Azure dns is perfectly capable of public resolving.
You might need to to create a S2S vpn to be able to resolve using route53 from azure
There is also this container image https://github.com/whiteducksoftware/az-dns-forwarder/blob/master/README.md You’ll need to configure an outbound route 53 resolver in aws.
Within azure you will need inbound resolvers configuring.
Then in AWS create route 53 rules for domains you wish to forward to azure to the corresponding inbound resolvers setup in azure.
This will allow you to resolve internal azure dns zones.