Split-horizon DNS

Also known as split-view DNS, split DNS or DNS multi-view.

The main objective of Split-horizon DNS:

To serve different EXTERNAL and INTERNAL zone files depending on whether a request originates from the Internet or from the local network, so that internal hostnames and private addresses are never published to the outside. Make sure you use BIND 9 or newer, which supports the views this setup relies on.

[Figure: Split-horizon DNS setup diagram]

The key point of Split-horizon DNS:

As you can see in the setup above, the external zone transfer is made from a different IP address on the secondary DNS server, which lets the primary DNS server tell INTERNAL and EXTERNAL requests apart. So, at the most basic level, you need two zone files on the primary DNS server; let's say you name them external.mydomain and internal.mydomain. The external.mydomain file contains only external IP addresses and internal.mydomain contains only internal IP addresses.

Configuration examples for Split-horizon DNS:

Let's first look at the zone files used in this example, which will make the rest of the process easier to follow. This setup was tested on CentOS 5, but it should be the same or similar on other distributions.

This zone file is used for the external view (queries from the Internet):

$TTL 38400
mydomain.com. IN SOA ns1.mydomain.com. postmaster.mydomain.com. (
        00          ; Serial Number (increase it on every change)
        10800       ; Refresh   } typical values for the four SOA timers,
        3600        ; Retry     } tune them for your zone
        604800      ; Expire    }
        38400 )     ; Minimum (negative-cache TTL)

mydomain.com. IN NS ns1.mydomain.com.
mydomain.com. IN NS ns2.mydomain.com.

ns1.mydomain.com. IN A EXTERNAL IP
ns2.mydomain.com. IN A EXTERNAL IP

mail.mydomain.com. IN A EXTERNAL IP
mydomain.com. IN MX 10 mail.mydomain.com.

www.mydomain.com. IN A EXTERNAL IP

And this zone file is used for the internal view (queries from the local network):

$TTL 38400
mydomain.com. IN SOA ns1.mydomain.com. postmaster.mydomain.com. (
        00          ; Serial Number (increase it on every change)
        10800       ; Refresh   } typical values for the four SOA timers,
        3600        ; Retry     } tune them for your zone
        604800      ; Expire    }
        38400 )     ; Minimum (negative-cache TTL)

mydomain.com. IN NS ns1.mydomain.com.
mydomain.com. IN NS ns2.mydomain.com.

ns1.mydomain.com. IN A INTERNAL IP
ns2.mydomain.com. IN A INTERNAL IP

mail.mydomain.com. IN A INTERNAL IP
mydomain.com. IN MX 10 mail.mydomain.com.

www.mydomain.com. IN A INTERNAL IP
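Before loading the two files it is worth an offline check for the classic split-horizon mistake: a private address copied into the external file. This added example (not from the original post) parses zone files in the layout above using constructed sample data and flags both leaked internal addresses and names present in only one of the two files.

```python
import ipaddress

# Constructed zone files in the layout shown above, with concrete addresses in
# place of the "EXTERNAL IP" / "INTERNAL IP" placeholders.
EXTERNAL_ZONE = """\
$TTL 38400
mydomain.com. IN SOA ns1.mydomain.com. postmaster.mydomain.com. (
        2024010100 10800 3600 604800 38400 )   ; serial, refresh, retry, expire, minimum
ns1.mydomain.com.      IN A 203.0.113.10
mail.mydomain.com.     IN A 203.0.113.25
mydomain.com.          IN MX 10 mail.mydomain.com.
intranet.mydomain.com. IN A 10.0.0.5   ; mistake: internal-only host copied here
"""
INTERNAL_ZONE = """\
ns1.mydomain.com.      IN A 192.168.1.10
mail.mydomain.com.     IN A 192.168.1.25
www.mydomain.com.      IN A 192.168.1.80
intranet.mydomain.com. IN A 10.0.0.5
"""
# The ranges the "internals" ACL on this page treats as inside, plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/16", "127.0.0.0/8")]

def address_records(zone_text):
    """Yield (owner, rdata) for A/AAAA records; skips comments and SOA continuation lines."""
    depth = 0
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]                 # drop ';' comments
        opened = line.count("(") - line.count(")")
        if depth > 0:                                # inside the SOA parentheses
            depth += opened
            continue
        depth = max(opened, 0)
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("A", "AAAA"):
                yield tokens[0], tokens[i + 1]
                break

def internal_leaks(external_zone_text):
    """Owners whose address in the EXTERNAL file falls inside an internal range."""
    return [(owner, ip) for owner, ip in address_records(external_zone_text)
            if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)]

def owners_out_of_sync(internal_zone_text, external_zone_text):
    """Names that have an address record in only one of the two files."""
    inside = {owner for owner, _ in address_records(internal_zone_text)}
    outside = {owner for owner, _ in address_records(external_zone_text)}
    return sorted(inside ^ outside)
```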

Now comes the key part: setting up /etc/named.conf so that it distinguishes the INTERNAL from the EXTERNAL view. Note that the external view runs with recursion off and only allows zone transfers to the secondary's external address, so the primary is neither an open resolver nor a source of zone enumeration for the Internet.

PRIMARY DNS named.conf

# This ACL lists the local networks that are allowed to see the internal view.
acl internals { 192.168.0.0/16; 10.0.0.0/8; localhost; 172.16.0.0/16; };

# This ACL holds the address the secondary uses as transfer-source for the
# external view (1.1.1.3 in the secondary named.conf below), so the primary can
# tell external zone transfers apart from internal traffic.
acl external_slave { 1.1.1.3; };

options {
    directory           "/var/named";
    dump-file           "data/cache_dump.db";
    statistics-file     "data/named_stats.txt";
    memstatistics-file  "data/named_mem_stats.txt";
    listen-on { any; };
    version "hidden";
    auth-nxdomain no;
};

logging {

    channel default_file { file "log/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel general_file { file "log/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel database_file { file "log/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel security_file { file "log/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file { file "log/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file { file "log/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-in_file { file "log/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-out_file { file "log/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel notify_file { file "log/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel client_file { file "log/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel unmatched_file { file "log/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel queries_file { file "log/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel network_file { file "log/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel update_file { file "log/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dispatch_file { file "log/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dnssec_file { file "log/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel lame-servers_file { file "log/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };

};

# Internal view. The leading !external_slave keeps the secondary's external
# transfer address out of this view even if it falls inside the internals ranges.
# 1.1.1.2 is the secondary's transfer-source for the internal view and has to be
# accepted here, otherwise its internal zone transfer lands in the external view
# and is refused.

view "internal" {
    match-clients { !external_slave; 1.1.1.2; internals; };
    allow-recursion { any; };   # safe here: only internal clients reach this view

    zone "." {
        type hint;
        file "named.ca";
    };

    zone "mydomain.com" {
        type master;
        file "internal.mydomain.com";
        also-notify { 1.1.1.2; };
        allow-transfer { 1.1.1.2; };
    };
};

# External view. !internals keeps every internal client out of this view; everyone
# else (the Internet, including the secondary's external address 1.1.1.3) lands here.

view "external" {
    match-clients { external_slave; !internals; any; };
    recursion no;   # never recurse for the Internet

    zone "mydomain.com" {
        type master;
        file "external.mydomain.com";
        also-notify { 1.1.1.3; };
        allow-transfer { 1.1.1.3; };
    };
};
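The match-clients rule the comments above rely on, as an added example that is not part of the original post: a small Python model of BIND's address-match-list evaluation (the first element containing the client decides, and a '!' element rejects it), applied to the primary's two views. It assumes external_slave holds the secondary's external transfer-source 1.1.1.3 and adds an internal_slave ACL for 1.1.1.2; guard_effect shows why the leading !external_slave matters when that address sits inside the internals ranges, as 172.16.0.154 would.

```python
import ipaddress

# Constructed copy of the ACLs from the primary named.conf above. "localhost"
# is simplified to the loopback net and "any" to the whole IPv4 space.
ACLS = {
    "internals": ["192.168.0.0/16", "10.0.0.0/8", "localhost", "172.16.0.0/16"],
    "localhost": ["127.0.0.0/8"],
    "external_slave": ["1.1.1.3"],  # secondary's transfer-source for the external view
    "internal_slave": ["1.1.1.2"],  # secondary's transfer-source for the internal view
    "any": ["0.0.0.0/0"],
}
# Order matters: a client is served by the FIRST view whose match-clients accepts it.
PRIMARY_VIEWS = [
    ("internal", ["!external_slave", "internal_slave", "internals"]),
    ("external", ["external_slave", "!internals", "any"]),
]


def first_match(match_list, addr, acls):
    """BIND address-match-list rule: the first element that contains addr decides.
    True = accept, False = rejected by a '!' element, None = nothing matched."""
    for element in match_list:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name in acls:                          # nested ACL, evaluated recursively
            hit = first_match(acls[name], addr, acls) is True
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None


def select_view(addr_str, views=PRIMARY_VIEWS, acls=ACLS):
    """Name of the view BIND would answer addr_str from, or None if no view matches."""
    addr = ipaddress.ip_address(addr_str)
    for view_name, match_list in views:
        if first_match(match_list, addr, acls):
            return view_name
    return None


def guard_effect(slave_ip):
    """Where the secondary's external transfer address ends up without and with the
    '!external_slave' guard, when that address sits inside an internals range."""
    acls = dict(ACLS, external_slave=[slave_ip])
    unguarded = [("internal", ["internal_slave", "internals"]), PRIMARY_VIEWS[1]]
    return select_view(slave_ip, unguarded, acls), select_view(slave_ip, PRIMARY_VIEWS, acls)
```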

SECONDARY DNS named.conf

# This ACL lists the local networks that count as internal clients.
acl internals { 192.168.0.0/16; 10.0.0.0/8; localhost; 172.16.0.0/16; };

options {
    directory           "/var/named";
    dump-file           "data/cache_dump.db";
    statistics-file     "data/named_stats.txt";
    memstatistics-file  "data/named_mem_stats.txt";
    auth-nxdomain no;
    listen-on { any; };
    version "hidden";
};

logging {

    channel default_file { file "log/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel general_file { file "log/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel database_file { file "log/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel security_file { file "log/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file { file "log/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file { file "log/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-in_file { file "log/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-out_file { file "log/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel notify_file { file "log/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel client_file { file "log/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel unmatched_file { file "log/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel queries_file { file "log/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel network_file { file "log/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel update_file { file "log/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dispatch_file { file "log/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dnssec_file { file "log/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel lame-servers_file { file "log/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };

};

# This is the INTERNAL view of Split-horizon DNS

view "internal" {
    match-clients { internals; };   # allow only internal clients
    transfer-source 1.1.1.2;        # source address for the internal zone transfer; the primary accepts it in its internal view
    allow-recursion { any; };

    zone "." {
        type hint;
        file "named.ca";
    };

    zone "mydomain.com" {
        type slave;
        file "slaves/internal.mydomain.com";
        masters { 1.1.1.1; };       # your primary Split-horizon DNS server
        allow-notify { 1.1.1.1; };  # your primary Split-horizon DNS server
    };
};

# This is the EXTERNAL view of Split-horizon DNS

view "external" {
    match-clients { !internals; any; };   # disallow internal clients, allow all others
    transfer-source 1.1.1.3;              # source address for the external zone transfer; matches the primary's external_slave ACL
    recursion no;

    zone "mydomain.com" {
        type slave;
        file "slaves/external.mydomain.com";
        masters { 1.1.1.1; };       # your primary Split-horizon DNS server
        allow-notify { 1.1.1.1; };  # your primary Split-horizon DNS server
    };
};

Done and done with Split-horizon DNS: run /etc/init.d/named reload on both servers and check that the slave created the zone files under /var/named/slaves/. To confirm the split, query each server from an internal host and from an outside host (for example dig @ns1.mydomain.com www.mydomain.com) and make sure only the matching address comes back, and that zone transfers are refused from anything but the secondary. One caveat: the secondary assigns an incoming NOTIFY to a view by the primary's source address, just like a query, so if you want NOTIFY to refresh the internal view as well, set a per-view notify-source on the primary and accept that address in the secondary's internal match-clients; otherwise the internal slave zone only refreshes on its SOA refresh timer.

Hope this helped!

 
