
So I looked through BIND and Dnsmasq and was unable to figure this out.

I have a few servers on DigitalOcean, and they are in the same datacenter. I want to be able to use internal IPs to get better intra-network pings (and, obviously, free private network traffic). Given the following two servers:

Name   Public IP          Private IP
srv1   192.0.2.1          10.10.10.1
srv2   198.51.100.2       10.10.10.2

When digging from an external network (say my laptop), I want something like this:

account.codingblocks.com. 79    IN  CNAME   srv2.cb.lk.
srv2.cb.lk.               85844 IN  A       198.51.100.2

When digging from inside srv1, I want this instead:

account.codingblocks.com. 79    IN  CNAME   srv2.cb.lk.
srv2.cb.lk.               85844 IN  A       10.10.10.2

Is this possible? If yes, how?

Arnav Gupta (edited by chicks)

2 Answers

In BIND 9, you can define multiple "views": in effect, BIND shows one version of a DNS zone to specified clients and another version to others. This seems to be exactly what you'll need.

Here is a nice introduction to using views in BIND 9: https://kb.isc.org/article/AA-00851/0/Understanding-views-in-BIND-9-by-example.html

In your case, though, the external view would say:

match-clients { any; };

rather than specifying any network segments.

telcoM
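Below is an added example of what such a views configuration looks like for the zones in the question; it is not part of telcoM's answer or the ISC article, and the listen addresses, the 10.10.10.0/24 prefix, and the /etc/bind/zones/ file paths are assumptions. The points it is meant to show are that BIND tries views in order and hands a client to the first view whose match-clients matches (so the narrow internal view must precede the catch-all one), that only the cb.lk zone needs two different zone files, and that recursion should be enabled only in the internal view so the server does not become an open resolver on its public address.

```conf
// named.conf (added example, not the answer's own file): split-horizon cb.lk with BIND 9 views.
// Assumed layout: named runs on srv1, the private network is 10.10.10.0/24,
// and zone files live under /etc/bind/zones/ (placeholder paths).

acl "private-net" { 10.10.10.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    listen-on { 192.0.2.1; 10.10.10.1; 127.0.0.1; };   // public + private address of srv1
    allow-transfer { none; };                            // no zone transfers to anyone by default
};

// Views are matched top to bottom; the first match-clients that matches wins.
view "internal" {
    match-clients { "private-net"; };
    recursion yes;                         // lets srv1 follow the CNAME to srv2.cb.lk here
    allow-recursion { "private-net"; };

    zone "cb.lk" {
        type master;
        file "/etc/bind/zones/db.cb.lk.internal";     // srv2 IN A 10.10.10.2
    };
    zone "codingblocks.com" {
        type master;
        file "/etc/bind/zones/db.codingblocks.com";   // same data in both views
    };
};

view "external" {
    match-clients { any; };                // everyone else, as the answer says
    recursion no;                          // never recurse for the public internet
    allow-query { any; };

    zone "cb.lk" {
        type master;
        file "/etc/bind/zones/db.cb.lk.external";     // srv2 IN A 198.51.100.2
    };
    zone "codingblocks.com" {
        type master;
        file "/etc/bind/zones/db.codingblocks.com";
    };
};
```

The two cb.lk zone files differ only in the A record for srv2 (10.10.10.2 in db.cb.lk.internal, 198.51.100.2 in db.cb.lk.external); db.codingblocks.com carries the account CNAME once and is shared. After `named-checkconf` and a reload, `dig @10.10.10.1 srv2.cb.lk A` from srv1 and `dig @192.0.2.1 srv2.cb.lk A` from the laptop should return the two different addresses from the question. Note that match-clients selects a view by source address only: any host able to reach the server with a 10.10.10.0/24 source address receives the internal answers, so this is a routing convenience, not an access control, and the private addresses in the internal view should be treated as discoverable by anyone on that network.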

There are at least 3 solutions:

  • you can use /etc/hosts to override DNS answers
  • you can use a second TLD, e.g. account.codingblocks.com would give 222.222.222.222 and account.example.mytld would give 10.10.10.2
  • you can have 2 different DNS servers (one private and internal and the other public) that would give different results.
bgtvfr
  • If I add `10.10.10.2 srv2.cb.lk` to my /etc/hosts, will the recursive lookup for `account.codingblocks.com` also work? – Arnav Gupta Dec 27 '17 at 11:49
  • I don't remember (I think the answer is no), but you can try on your laptop. – bgtvfr Dec 27 '17 at 12:04
  • It's terrible advice, imho. With bind you should use views – ALex_hha Dec 27 '17 at 13:36
  • As @ALex_hha already stated, this is wrong. Look at the other answer – Diego Roccia Dec 27 '17 at 15:12
  • imho using private DNS servers for private IPs increases security... and bind is not the only dns server – bgtvfr Dec 27 '17 at 15:40
  • I know that bind is not the only dns server, but OP asked about it. Also, split horizon is supported by a lot of other dns servers - https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software#Feature_matrix – ALex_hha Dec 30 '17 at 09:01