Split DNS – Cleanest solution for easy maintenance

domain-name-systeminternal-dnssplit-dns

We have split DNS set up for our domain, which causes internal clients to resolve different DNS records from external clients.

As it is right now, the two zones are managed completely separately. For records that differ between internal and external, it's no problem, but for everything else, all of the records have to be duplicated in both places. Most CNAME records, MX records, SPF records, and some A records all need to be entered and maintained in both places.

While this isn't inherently unacceptable, data duplication like this is less than ideal from a design perspective. I feel like ideally, the internal nameserver would simply forward results from the external nameserver, but allow for us to override or add additional records. While it looks like I could use a designated forwarder (like dnsmasq) to do something like this, the flat file configuration would make it difficult to sell the idea to the rest of the team.

Aside from that, the best solution I've been able to come up with consists of PowerDNS with a MySQL backend and web interface. This makes it fairly easy to add a zone and root A record for each sub-domain we'd like to override (e.g. www.example.com), which means other records on the root domain (e.g. example.com) will still be forwarded from the external nameserver.

That still seems like I'm straying kind of far from the norm for something that's supposedly very common, right? Is there a cleaner way to manage Split DNS without maintaining duplicate records? Or is there something I'm missing?

Best Answer

In a network where one of the authoritative nameservers sits on the border of the internal network, I use bind views and the $INCLUDE directive:

mydomain-global.zone:

@ IN SOA ns1 hostmaster ( 12345; 1D; 2M; 1M; 3H )
  IN NS ns1
  IN NS ns2

  IN MX 10 mail

  www               IN A 1.2.3.4
  other-public-host IN A 1.2.3.5

mydomain-internal.zone:

$INCLUDE mydomain-global.zone

an-internal-record IN A   10.20.30.40
_kerberos          IN SRV 0 0 88 dir

The zones are chosen based on view definitions:

view "internal" {
  match-clients { 10.0.0.0/8; };
  zone "mydomain" {
    type master;
    file "mydomain-internal.zone";
  };
  include "named.conf.internalzones";
}

view "global" {
  match-clients { any; };
    zone "mydomain" {
    type master;
    file "mydomain-global.zone";
  };

To be able to assign a record different targets for internal/external queries, add two further zone fragments and $INCLUDE at the bottom of mydomain-(internal|global).zone.

Related Solutions

Overriding some DNS entries in BIND for internal networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Windows – Split Brain DNS and DNS forwarding

I don't think this is possible, AD.DOMAIN.COM believes it is the authoritative source for this domain and will respond with NXDOMAIN no matter what.
I would really advice you to create a subdomain to put your AD into. As your setup grows this will become a bigger problem and manually adding hosts to both zones doesn't seem like a nice task.

It would be possible to run a Active Directory with a BIND DNS server.
What you could do is merge the zones and allow updates from the AD.DOMAIN.COM server.
However this requires the DOMAIN.COM zone to be a dynamic zone.

Best Answer

Related Solutions

Overriding some DNS entries in BIND for internal networks

Windows – Split Brain DNS and DNS forwarding

Related Topic