The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.
https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html
EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.
My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.
Go to where your Bind config files are kept on your system - here it's in /etc/bind
. Create in there a file called db.rpz
with the following contents:
$TTL 60
@ IN SOA localhost. root.localhost. (
2015112501 ; serial
1h ; refresh
30m ; retry
1w ; expiry
30m) ; minimum
IN NS localhost.
localhost A 127.0.0.1
www.some-website.com A 127.0.0.1
www.other-website.com CNAME fake-hostname.com.
What does it do?
- it overrides the IP address for
www.some-website.com
with the fake address 127.0.0.1
, effectively sending all traffic for that site to the loopback address
- it sends traffic for
www.other-website.com
to another site called fake-hostname.com
Anything that could go in a Bind zone file you can use here.
To activate these changes there are a few more steps:
Edit named.conf.local
and add this section:
zone "rpz" {
type master;
file "/etc/bind/db.rpz";
};
The tutorial linked above tells you to add more stuff to zone "rpz" { }
but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.
Edit named.conf.options
and somewhere in the options { }
section add the response-policy
option:
options {
// bunch
// of
// stuff
// please
// ignore
response-policy { zone "rpz"; };
}
Now restart Bind:
service bind9 restart
That's it. The nameserver should begin overriding those records now.
If you need to make changes, just edit db.rpz
, then restart Bind again.
Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local
and make sure there's a logging
section that includes these statements:
logging {
// stuff
// already
// there
channel my_syslog {
syslog daemon;
severity info;
};
category queries { my_syslog; };
};
Restart Bind again and that's it.
Test it on the machine running Bind:
dig @127.0.0.1 www.other-website.com. any
If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1
I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.
It looks to me like the server is pushing the "redirect-gateway" option down to the client. This causes the client to use the VPN as its default gateway. Comment out the line in the server config 'push "redirect-gateway def1"'.
Woah there-- just saw your edit. You client can't be using the same IP addresses as the LAN it's connecting to. That's not going to work. One end or the other needs to use different IP addresses.
Edit:
Assuming routing is configured properly on your Windows Server 2003 machine (per the www.itsatechworld.com page you referenced), you should be able to PING the Windows Server 2003 machine and Windows Vista machine by their LAN IPs via the VPN. If you can, then you've got routing right on the Windows Server 2003 and DD-WRT machines and you can proceed. If not, then you need to start tracking down why either (1) PING traffic coming off the OpenVPN tunnel isn't getting to the destination, or (b) why PING replies from the destination host aren't coming back. You may end up putting something like Wireshark on your Windows Vista machine to see if the PING requests are even getting there (since PING can't tell you if your request is being received and the reply is just being lost).
Once you've got IP connectivity across the VPN working fine. I'd recommend installing the DNS and WINS services on your Windows Server 2003 VPN server computer and configuring the server computer and the Windows Vista home computer to use that machine for WINS and DNS. You can either add your ISP's DNS as a "forwarded" on the Windows Server 2003 machine, or leave the stock "root hints" configured to allow it to resolve Internet names. In your OpenVPN server configuration, add the following line right after the 'push "dhcp-option DNS 192.168.1.1" line:
push "dhcp-option WINS 192.168.1.1"
This is going to get the remote clients taking to the WINS and DNS servers on your Windows Server 2003 machine, and should get you both DNS and NetBIOS name resolution.
If you're not using an Active Directory domain at home, you'll probably want to setup a standard forward lookup zone on the Windows Server 2003 DNS server for your Windows Server 2003 and Windows Vista machines to register into. You'll want to grant clients permission to dynamically update records (albeit insecurely) when you create this zone. You should add the option "DNS domain name" (option 15) to your DHCP scope at home so that your client computers there pick up the right DNS domain name suffix. (If you're using DD-WRT for DNS then I can't tell you how to do that. I'm an OpenWRT guy, and I manage my WRT54G from the command line. I'd recommend running DHCP from the Windows Server 2003 machine anyway, but I just like that DHCP server more.)
If you are using an Active Directory domain you'll already have a forward lookup zone created in DNS. Since your remote VPN clients aren't members of your domain, though, they won't be able to register in DNS under the stock security settings that Windows Server sets on the DNS zone (at least, if you let it create the zone during DCPROMO). It's insecure, but if you want to allow them to register you could either (a - less secure) chang the permission on the zone to allow insecure registrations, or (b - more secure but still insecure) create A and PTR records for them and modify the permission on each of those records to allow anyone to update them.
It sounds like this is a home networking thing, and it's really a good learning opportunity for a lot of things-- IP routing, VPNs, name resolution. Perhaps you're looking for it to "just work" and not as a learning opportunity, in which case I can only offer my apologies and say that these things just aren't "turnkey" yet.
Best Answer
Assuming your ISA server is routing between the subnets, the easiest method is to give the upstream DNS server address(es) to the smaller subnet (either via DHCP or statically), set the ISA as the default gateway for the clients, and let them just query the upstream server directly.
Another alternative is to setup the MS DNS server on the ISA server and have it recurse to the upstream servers (i.e. run a caching DNS server on the ISA box).