
Our internal office network has the same top-level domain as our company online presence, e.g. ourdomain.com.

For the outside world, any public hosts (e.g. blog.ourdomain.com, download.ourdomain.com, www.ourdomain.com, etc.) are configured in the DNS of our domain hosting provider, AWS Route 53.

For the office intranet, we are running a simple dnsmasq for DHCP and DNS (and VPN, but that's another story); name resolution for internal servers and desktop machines (e.g. laptops with DHCP addresses) in the office works fine. The dnsmasq instance is not available to the public.

So far, we tell dnsmasq about our public servers by maintaining a file /etc/hosts.dnsmasq, which is included into the main /etc/dnsmasq.conf by the line addn-hosts=/etc/hosts.dnsmasq. It is similar to the well-known /etc/hosts and has the following sample contents:

12.34.56.78    blog
12.34.56.79    download
12.34.56.80    www

We maintain this file manually which is becoming cumbersome. We would like to get rid of it and improve our dnsmasq setup so it does the following:

  1. if dnsmasq has "own" DNS info (e.g. DHCP or static IP address associated with a hostname) for a query from the internal office network, serve that
  2. otherwise, query the public DNS and forward the result back to the asker on the intranet

Q: Is this doable with dnsmasq? Does it require a subdomain for the office network (which we'd like to avoid, if possible)? If so, how? I have a feeling I must have gone through the dnsmasq docs a hundred times; they're great, but I could just be looking at the solution, not seeing it.

Also: From my understanding, such a setup is different from split-brain DNS as we're not using one name server returning different responses depending on where the query comes from, but use a public and a private name server for the same domain.

Is this a common setup? If not, is there a canonical way for organizations to configure their DNS when they use the same TLD for both public and private presences?

ssc

2 Answers


Is this a common setup?

I've seen multiple questions on ServerFault asking for a setup similar to the one you want, so I'm guessing it's a common setup. But since it's not really possible, I would state it's a common setup by administrators who do not really understand how DNS works. (Sorry, I do not wish to offend you, nor anyone else on this forum.)

I've provided a possible answer to the question where one hosts both the internal DNS server as well as the external DNS server here. However this answer uses BIND as the DNS server, not dnsmasq.

Is it doable (with dnsmasq)?

As stated before, it's not possible to be authoritative for a given zone and forward the query to a different nameserver if you don't have the answer yourself. The answer I provided in the other question is a work-around.

Is there a canonical way for organizations to configure their DNS when they use the same domain for both public and private presences?

I would say they either use a subdomain internally or use split DNS. Records that need to be in both internal and external views will need to be copied in both zones. This can be simplified using automation (e.g. Ansible).

Tommiie

I'm not sure if this was possible when this question was asked originally. However, this still seems to be a commonly asked question; it seems to be answered nowhere, and dnsmasq can do this perfectly! It is even the default in some way.

Just have a look at this minimal configuration:

domain=example.com

listen-address=192.168.120.1
interface=eth0
dhcp-range=192.168.120.10,192.168.120.20,12h

If you have a local host hostA in /etc/hosts, a DHCP client with the name hostB and a server hostC which is not known to dnsmasq but to its upstream servers, then all three names will resolve properly: hostA and hostB resolve locally, and dnsmasq asks upstream for hostC, which will then also resolve.

This is perfect for a small split DNS setup in home networks: just let dnsmasq manage your in-network-only hosts and add hosts which should also resolve externally to your globally reachable DNS.

Note that most guides add a local=/example.com/ configuration. This is what actually prevents dnsmasq from asking upstream servers for this domain. So in this case, you do not want to use this option.

You can also configure this in OpenWrt. Just keep the Local Server field empty.

jpf
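The two configurations contrasted in the answer above, as an added example that is not part of the original answers or of the dnsmasq project: a shell script that writes two constructed dnsmasq.conf files for the assumed domain ourdomain.com (the local=/ourdomain.com/ variant most guides suggest, and the forwarding variant the answer describes) and a small check, forwards_domain, that reports whether a given config will still send unresolved names under that domain to the upstream resolver. The 192.168.120.x addresses and the 1.1.1.1 upstream are placeholders; expand-hosts is included so that short names such as blog in an addn-hosts file, as in the question, also answer as blog.ourdomain.com.

```shell
#!/bin/sh
# Added example, not from the original answers. Writes two constructed dnsmasq
# configs and checks which one still forwards unknown ourdomain.com names upstream.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=ourdomain.com   # assumption: the shared office/public domain from the question

# Variant A: what most guides suggest. local=/ourdomain.com/ makes dnsmasq
# answer NXDOMAIN for every ourdomain.com name it does not know itself,
# so blog.ourdomain.com would have to be maintained by hand again.
cat > "$WORK/dnsmasq-local.conf" <<EOF
domain=$DOMAIN
expand-hosts
local=/$DOMAIN/
listen-address=192.168.120.1
dhcp-range=192.168.120.10,192.168.120.20,12h
server=1.1.1.1
EOF

# Variant B: the setup from the second answer. /etc/hosts, addn-hosts and DHCP
# leases are answered locally; anything else goes to the server= upstream.
cat > "$WORK/dnsmasq-forward.conf" <<EOF
domain=$DOMAIN
expand-hosts
listen-address=192.168.120.1
dhcp-range=192.168.120.10,192.168.120.20,12h
server=1.1.1.1
EOF

# forwards_domain CONF DOMAIN
# Returns 0 if names under DOMAIN that dnsmasq cannot answer itself are sent
# upstream, 1 if the config pins the whole domain to local answers.
# local=/dom/ and an address-less server=/dom/ mean the same thing to dnsmasq;
# address=/dom/x.x.x.x overrides every name under the domain as well.
forwards_domain() {
    conf=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    if grep -Eq "^[[:space:]]*(local|server)=/$esc/[[:space:]]*$" "$conf"; then
        return 1
    fi
    if grep -Eq "^[[:space:]]*address=/$esc/" "$conf"; then
        return 1
    fi
    return 0
}

# Optional syntax check with the real binary when it is installed;
# dnsmasq --test only parses the config, it does not start the daemon.
check_syntax() {
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test -C "$1"
    fi
}

for f in "$WORK"/dnsmasq-local.conf "$WORK"/dnsmasq-forward.conf; do
    check_syntax "$f" || echo "syntax problem in $f"
    if forwards_domain "$f" "$DOMAIN"; then
        echo "$(basename "$f"): unknown $DOMAIN names are forwarded upstream"
    else
        echo "$(basename "$f"): unknown $DOMAIN names are answered locally (NXDOMAIN)"
    fi
done
```

The check is deliberately narrow: it only recognises local=, an address-less server=/domain/ and address=/domain/ for the exact domain, so a real deployment should still be verified with dnsmasq --test -C for syntax and with a query from an office client. The trade-off of the forwarding variant is worth stating plainly: every name under ourdomain.com that dnsmasq does not know, including mistyped or decommissioned internal hostnames, is sent to the upstream resolver, so internal naming becomes visible to whoever operates that resolver.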