Simple way to set up Split DNS

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2009/06/05


Table of Contents

What is Split DNS
Why would I want to use Split DNS?
Setting up Split DNS

What is Split DNS

Split DNS is simply a configuration in which the IP address to which a DNS name resolves depends on the location of the client. It is most often used in a NAT environment to ensure that local clients resolve the DNS names of local servers to their RFC 1918 addresses while external clients resolve the same server names to their public counterparts.

Why would I want to use Split DNS?

See Shorewall FAQ 2.

Setting up Split DNS

Setting up Split DNS is extremely simple:

  1. Be sure that your firewall/router can resolve external DNS names.

  2. Install the dnsmasq package (http://www.thekelleys.org.uk/dnsmasq/doc.html) and arrange for it to start at boot time. There are many dnsmasq HOWTOs on the Internet.

  3. Add your local hosts to /etc/hosts on the firewall/router using their local RFC 1918 addresses. Here's an example:

    #
    # hosts         This file describes a number of hostname-to-address
    #               mappings for the TCP/IP subsystem.  It is mostly
    #               used at boot time, when no name servers are running.
    #               On small systems, this file can be used instead of a
    #               "named" name server.
    # Syntax:
    #    
    # IP-Address  Full-Qualified-Hostname  Short-Hostname
    #
    
    127.0.0.1       localhost
    
    # special IPv6 addresses
    ::1             localhost ipv6-localhost ipv6-loopback
    
    fe00::0         ipv6-localnet
    
    ff00::0         ipv6-mcastprefix
    ff02::1         ipv6-allnodes
    ff02::2         ipv6-allrouters
    ff02::3         ipv6-allhosts
    127.0.0.2       ursa.shorewall.net ursa
    172.20.1.1      linksys.shorewall.net     linksys
    192.168.0.1     opensuse.shorewall.net    opensuse
    192.168.0.2     debian.shorewall.net      debian
    192.168.0.3     ubuntu.shorewall.net      ubuntu
    192.168.0.4     fedora.shorewall.net      fedora
    192.168.0.5     opensuse11.shorewall.net  opensuse11
    192.168.0.6     centos.shorewall.net      centos
    192.168.0.7     debian32.shorewall.net    debian32
    192.168.0.8     fedora9.shorewall.net     fedora9
    206.124.146.254 blarg.shorewall.net       blarg
    
  4. Configure your local network hosts to use the firewall/router as their DNS server. If your local hosts are configured using DHCP, that is a simple one-line change to the DHCP configuration.

And that's it! Your local clients will resolve the names listed in the firewall/router's /etc/hosts file to the addresses given there. All other names will be resolved using the firewall/router's name server as defined in /etc/resolv.conf.

Example:

From an Internet Host:

gateway:~ # host linksys.shorewall.net
linksys.shorewall.net has address 206.124.146.180
gateway:~ # 

From ubuntu (192.168.0.3):

teastep@ubuntu:~$ host linksys
linksys.shorewall.net has address 172.20.1.1
teastep@ubuntu:~$
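The dnsmasq configuration for step 2 above, written so that the resolver serves only the local network and does not leak internal names or addresses upstream. This is an added example, not part of this document or of the dnsmasq project; the interface names eth0 (Internet) and eth1 (local LAN) are assumptions.

```conf
# /etc/dnsmasq.conf (added example; not from the Shorewall document or the
# dnsmasq project). Interface names eth0 (Internet) and eth1 (local LAN)
# are assumptions; substitute your own.

# Answer queries only on the local LAN (loopback is added automatically),
# so the firewall never acts as an open resolver on its public interface.
interface=eth1
bind-interfaces

# Never forward bare hostnames (no dots) upstream: answer them from
# /etc/hosts or return "not found" rather than leaking them to the Internet.
domain-needed

# Never forward reverse lookups for RFC 1918 space upstream: answer them
# from /etc/hosts or return "no such domain".
bogus-priv

# Reject (and log) upstream answers that point at private addresses, so an
# external name cannot be used to rebind a local client onto the LAN.
# Note: this also blocks any upstream zone that legitimately returns
# private addresses; drop it if you rely on such a zone.
stop-dns-rebind
rebind-localhost-ok

# Let the short names in /etc/hosts (linksys, ubuntu, ...) also answer as
# <name>.shorewall.net, matching the fully-qualified entries in the file.
expand-hosts
domain=shorewall.net

# Upstream servers are taken from /etc/resolv.conf, as the document states.
# Deliberately NOT set here:
#   local=/shorewall.net/
# With it, shorewall.net names that are missing from /etc/hosts would be
# answered locally with NXDOMAIN instead of being forwarded upstream.
```

After editing, restart dnsmasq and repeat the two host lookups shown above from an Internet host and from a LAN host to confirm the split answers.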