
I have a new internal website going in place in multiple sites and I am looking to resolve the FQDN for it to the site-specific subdomain depending on the source subnet used. The way our BIND DNS is currently set up is that the FQDN resolution is master in site A and slaved to sites B and C (all via Puppet), so I cannot set up separate record files in sites B and C with different answers to do this.

As an example, I want IPs in site A (172.10.0.0/16) to resolve server.domain.com to server.a.domain.com, IPs in site B (172.11.0.0/16) to resolve server.domain.com to server.b.domain.com, etc.

I have been looking at BIND RPZ, but this doesn't seem to offer specific resolution options for subnets, only the ability to drop or block entire subnets, unless I'm reading it wrong. I can get it to work to redirect the CNAME instead of forwarding to the correct zone for resolution, but then this is applied generally to all servers, not using a client IP trigger like I am trying to use, and I might as well be updating the CNAME in the domain.com zone.

Added to named.conf.options:

response-policy { zone "rpz"; };

RPZ zone configuration:

zone "rpz" {
  type master;
  file "/etc/named/zones/rpz/db.rpz.conf";
  allow-query { none; };
};

Zone db file:

@       IN    SOA  nstest.domain.com. domain.com.  (
                      2   ; serial
                      3H  ; refresh
                      1H  ; retry
                      1W  ; expiry
                      1H) ; minimum

@        IN    NS    nstest.domain.com. ; destination IP rewrite

16.0.0.16.172.rpz-ip CNAME server.domain.com.
server.domain.com     CNAME   server.a.domain.com.

With these settings, all requests to server.domain.com via this NS, no matter the source IP, resolve to server.a.domain.com.

Or is trying to use RPZ the wrong method for this? I've also seen BIND views in my research, but it looks like you have to recreate the entire zone file for each site, and I'm just wanting to modify a single CNAME record.

Any help appreciated.

  • "I've also seen bind views in my research" this is exactly the feature that matches your question, even if indeed you need to rewrite the whole zone for each case. Also please DO NOT obfuscate using bad names, use `example.com`. – Patrick Mevzek Jan 24 '20 at 19:00

1 Answer

  • dedicated server for location B

In this case you can easily use RPZ. The solution could even be to run this DNS server on a non-standard port (i.e. other than 53 TCP/UDP) and, at the firewall level, set up port redirection so that once a request comes from the specific network it is redirected to this port. All the other requests would be handled by the DNS server on the standard port (as "global" RPZ is the issue, I suppose there is a need to have a DNS server for the other traffic as well).

  • "shared" DNS server not only for location B

Views are most probably the right direction for you. In case you don't explicitly need a CNAME and an A record is acceptable, you can easily define just the "specific subdomain" in the view and for the rest keep "normal" resolving / forwarding to the other DNS server.

So let's say you have the domain example.com on the DNS server at location A. There exists server.example.com, which normally resolves as an A record to 192.0.2.10. There is also another record, another.example.com, resolving as an A record to 192.0.2.20.

Then you have somewhere locally (location B) a BIND server resolving for some local clients. You can create a local view for specific clients (local IPs at location B) where you create the zone server.example.com:

@       IN    SOA  dns.example.com. admin.example.com.  (
                      2   ; serial
                      3H  ; refresh
                      1H  ; retry
                      1W  ; expiry
                      1H) ; minimum

@        IN    NS    dns.example.com. ; trailing dot: fully qualified, otherwise the zone origin is appended

@        IN    A     192.0.2.30

When the client sends a request for server.example.com, it will be resolved locally by the "master" zone in the view. When the client requests anything else (except subdomains of server.example.com), regular resolving or forwarding applies, based on the other configuration...

So on location A the result will be:

server.example.com => 192.0.2.10
another.example.com => 192.0.2.20

On location B it will be:

server.example.com => 192.0.2.30
another.example.com => 192.0.2.20

This way you can override just an explicit list of subdomains. The con is that, as it is an extra zone, there has to be at least an SOA and most probably an NS record, so it is not possible to use a CNAME in this case.

Kamil J
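The two-view layout the answer describes, written out as an added named.conf fragment for the location B resolver (this is example configuration, not the poster's or the answerer's): clients in the 172.11.0.0/16 subnet from the question get a view holding the small override zone, everybody else falls through to the default view, and the shared example.com zone is made visible to the override view with `in-view` (BIND 9.10 or later) so it is transferred and stored only once. The 203.0.113.53 master address and the file paths are assumptions.

```conf
// Location B resolver: override one name for local clients, leave everything
// else untouched. Added example; addresses and paths are placeholders.
options {
    directory "/var/named";
    recursion yes;
    allow-query { localnets; };
};

// Views are tried in order and the first whose match-clients matches wins,
// so the default view must exclude site B explicitly or it would catch everyone.
view "default" {
    match-clients { !172.11.0.0/16; any; };
    recursion yes;

    // The shared zone exactly as it is slaved today (master in site A).
    zone "example.com" {
        type slave;
        masters { 203.0.113.53; };          // site A master, placeholder address
        file "slaves/db.example.com";
    };
};

view "siteB" {
    match-clients { 172.11.0.0/16; };
    recursion yes;

    // Answers for server.example.com come from this local master zone
    // (SOA + NS + apex A record, as in the answer's zone file). Because it is
    // a more specific zone, it wins over example.com for this name and
    // anything below it, while another.example.com still comes from the slave.
    zone "server.example.com" {
        type master;
        file "views/siteB/db.server.example.com";
        allow-query { 172.11.0.0/16; };
    };

    // Every zone must be declared in every view that should answer for it;
    // referencing the slave copy with in-view avoids a second transfer and a
    // second zone file.
    zone "example.com" {
        in-view "default";
    };
};
```

Check the syntax with `named-checkconf` before reloading, and verify from a host in each subnet that only server.example.com differs between the two views.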
  • Thanks for the input, I guess I'll do some more testing with views and see if it fits with our current setup. Likely requires a bit of a rewrite of our custom puppet deployment of bind. – lumothesinner Jan 31 '20 at 11:33