QUESTION: How to implement Split Horizon DNS with dnsmasq?

Started by Kornelius777, Today at 06:47:42 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
Today at 06:47:42 AM
Dear all,

what was pretty easy with ISC, "somehow" doesn't want to fly using dnsmasq.

Using the option "forward first" in unbound appears not to work correctly.
At least, on my side, that option didn't bring any success.

Has anyone been able to implement Split Horizon DNS aka Split Brain DNS so far?
Would you mind sharing your thoughts and ideas with me?

Kind regards,
Today at 08:18:48 AM #1
Quote from: Kornelius777 on Today at 06:47:42 AMwhat was pretty easy with ISC

Since ISC does not do DNS I wonder what exactly it was you implemented? The recursive DNS server that went with ISC DHCP was Unbound so that part should work now just like it did back then?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 08:25:25 AM #2
Of course, it was unbound - and still is.

Nevertheless,
the whole host implementation was done with the help of ISC.
Now, it shall be realized via dnsmasq.

Unbound however appears not to play well with dnsmasq, yet.

Yet again my question:

How would you implement a Split Horizon DNS setup?

Kind regards,
Today at 09:10:16 AM #3
I still fail to see the connection with ISC and/or DNSmasq. Is it about handing different DNS server addresses to clients in different networks? Or about DNS updates from DHCP leases? Or what else?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 12:15:32 PM #4
It's about Split Horizon DNS.

Query "host.domain.tld" from outside and get a different result if you query "host.domain.tld" from inside. Same domain name. Same hostname.

Furthermore:
If "host.domain.tld" is non-existent on the LAN but exists in the outside world:
Resolve it nevertheless - however, forward the query into the internet.

This works nicely (and is well implemented into unbound) if you use ISC.
I do not get it working if I have to use dnsmasq behind unbound (as is proposed for 26.1 onwards).


And once more my request:
How can I implement this using dnsmasq behind unbound?
What is the tweak?
Today at 12:55:47 PM #5
Quote from: Kornelius777 on Today at 12:15:32 PMQuery "host.domain.tld" from outside and get a different result if you query "host.domain.tld" from inside.

Yes, perfectly understood. I don't get in which way the DHCP server - ISC or DNSmasq - plays into that.

Are you using DNSmasq for DNS? That's what I did not get at first. Then the solution is simple: don't. Only use Unbound for DNS like you used to and use DNSmasq strictly for DHCP. Or switch to Kea for that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 01:02:20 PM #6
Well.
"Don't" doesn't help me answer my question.
Maybe, somebody could explain how this CAN be implemented (as concrete as possible)

Thank you kindly.
Today at 01:02:55 PM #7
Just use only Unbound for DNS - what is wrong with that?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 03:33:02 PM #8
Quote from: Kornelius777 on Today at 12:15:32 PMFurthermore:
If "host.domain.tld" is non-existent on the LAN but exists in the outside world:
Resolve it nevertheless - however, forward the query into the internet.

This works nicely (and is well implemented into unbound) if you use ISC.
I do not get it working if I have to use dnsmasq behind unbound (as is proposed for 26.1 onwards).
Post your old config for the ISC setup and I am sure someone can figure out how to convert it to the new setup :)

Now it's like : "Hey guys, I had this thing working which I am not going to tell you anything about and you guys have to guess the solution that I like to make sure it works again!"

And that's not very motivating for most people...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
Today at 03:39:57 PM #9
Also I still don't get how ISC or DNSmasq can be in any way connected to split DNS.


Old config:

DNS: Unbound
DHCP: ISC

New config:

DNS: Unbound
DHCP: DNSmasq


If he introduced DNSmasq into the DNS resolver chain, I'd still recommend simply not to do that. With Unbound unchanged everything will work exactly as before, won't it?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 04:16:05 PM #10
Quote from: Patrick M. Hausen on Today at 03:39:57 PMWith Unbound unchanged everything will work exactly as before, won't it?
Let's just say he sparked my curiosity and I want to see what the heck he is talking about ;)

IMHO the old setup should have been like this :
- ISC DHCP talking to Unbound for DNS Registration of Hostnames.

And the new setup should be like this according to OPNsense Documentation :
- DNSmasqd does the DNS Registration of Hostnames but all the Clients talk directly to Unbound so you need to tell Unbound about the existence of the DNSmasqd Hostnames DNS Registration Database/Cache.

TL;DR : The same but with a twist! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
Print
Go Up Pages1
User actions