
As you can see, the title is quite a mouthful, but I don't exactly know what else to call it. Here is what it is:

PC1 (External):

IP: 41.1.2.3
DNS: 168.5.5.5

PC2 (Local):

IP: 41.4.4.5
DNS: 168.5.5.5

Restricted DNS:

IP: 168.5.5.5

Unrestricted DNS:

IP: 168.1.1.1

I need PC1 and PC2 to both connect to the Restricted DNS Server and have a switch between them, without actually changing PC1's or PC2's settings; neither of them is on Active Directory, nor will they be.

So in a sense, the Restricted DNS Server will be told that PC1's IP is cool and should use the Unrestricted DNS Server (via forward or firewall or filter or something???), and if, say, PC2 (even if it's local) is not cool, it keeps it in the Restricted DNS Server.

Both should be able to use it at the same time, if that makes sense?

*Some short answers

  • Blocking method via other means (No, it's not intended for blocking like that)
  • Single DNS server? (Not sure what I want to do is possible this way..)
  • Firewall rules? (Cool, will likely be part of this to make it work, but how would it interact with the DNS server?)

*Equipment/OS

  • I have 2 Mikrotiks available
  • I have 2 Windows Servers available
  • I have the ability to install Linux on both.

As long as I can set it up the way I was hoping for, Windows/Linux/Mikrotik, whichever works. Thanks.. it's quite the headache..

Paul

2 Answers


Sounds like you want DNS views. Google the term "DNS Split Horizon". You should be able to create "Access Control Lists" and then grant access to restricted/unrestricted "views" in a product like BIND on Linux.

I use roughly the following on one of our Amazon instances:

acl internal {
        172.31.32.0/20;
        127.0.0.0/8;        // was 127.0.0.1/8; the prefix must be a network address or named-checkconf warns
        localhost;
};
view "amazon-internal-view" {
        match-clients { internal; };      // only clients in the "internal" ACL land in this view
        zone "." IN {
                type hint;                // root hints, so this view can recurse
                file "named.ca";
        };
...
};
view "external-view" {
        // no match-clients here: it defaults to "any", so every client not matched above falls through to this view
        zone "example.com" IN {
                type master;
                file "zones/example.com.ext";
        };
};
Daniel Widrick
  • Yes, this is what I've been looking for, or at least similar.. however, implementing it is what I am struggling with.. If I had an example on how to set up what I am looking for it would help a lot... – Paul Aug 02 '17 at 13:27
  • I remember there was a post in forum.mikrotik.com with proper Layer 7 filters on how to achieve DNS Split Horizon or Conditional DNS Forwarding. Unfortunately I cannot remember on which thread it was and a quick search didn't show anything useful. You may want to check the MikroTik forum or even better ask there since the regulars will surely remember the relevant thread. – Cha0s Aug 03 '17 at 18:45
  • @Paul Edited with an example from one of our Amazon instances. Good luck. – Daniel Widrick Aug 03 '17 at 19:56
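An added example, not from either answer, of a BIND named.conf that maps the addresses in the question onto two views on the restricted server (168.5.5.5): PC1's queries are forwarded to the unrestricted server 168.1.1.1, everything else stays in the restricted view. The 41.4.4.0/24 subnet for PC2, the file names and the response-policy zone are assumptions.

```bind
// Added example for the question's scenario (not the answerer's config).
// Views are tried in order: the first view whose match-clients matches wins.

acl unrestricted_clients {
        41.1.2.3/32;            // PC1 (external) is allowed the unrestricted resolver
};

acl local_clients {
        41.4.4.0/24;            // assumed: the local subnet PC2 (41.4.4.5) sits on
        127.0.0.0/8;
        localhost;
};

options {
        directory "/var/named";
        listen-on { 168.5.5.5; 127.0.0.1; };
        // Only known clients may query at all, so the box is not an open resolver.
        allow-query { unrestricted_clients; local_clients; };
};

view "unrestricted" {
        match-clients { unrestricted_clients; };
        recursion yes;
        forward only;                   // never fall back to resolving on our own
        forwarders { 168.1.1.1; };      // the Unrestricted DNS Server from the question
};

view "restricted" {
        match-clients { local_clients; };   // PC2 and the rest of the LAN end up here
        recursion yes;
        zone "." IN {                       // resolve locally from the root hints
                type hint;
                file "named.ca";
        };
        // Assumed: whatever filtering makes this server "restricted" is attached to
        // this view only, here as a response-policy zone holding the blocked names.
        response-policy { zone "restricted.rpz"; };
        zone "restricted.rpz" {
                type master;
                file "zones/restricted.rpz";
        };
};
```

Run named-checkconf before reloading; with views in use, every zone must live inside a view, and a client that matches no view is refused.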

Many pieces of software can do this. I'm not familiar with Mikrotik, but I have used BIND for this on Linux. You can find an overview here.

Windows Server 2016 also has the ability to do it, though I believe the configuration for the particular feature you're looking for is via PowerShell only. Find an overview here.

I have done DNS views on Cisco IOS routers (!) as well, so if you have one of those around, you could use it too. One limitation, however, is that the TTL on all records is set to 10 seconds, with no way to override it, so I would not advise that.

theglossy1