OpenBSD Journal

Split DNS With DJBDNS on OpenBSD

Contributed by jose from the quick-docs dept.

Wayne Marshall contributes:
"A 'howto' article describing the use of Bernstein's tinydns on OpenBSD, serving both Internet and local network queries from a single host:

http://www.guinix.com/technote/dualdns.html"

Wayne has provided a guide you can use to quickly set up split-horizon (split-view) DNS for yourself or your office on OpenBSD: the same host answers queries from the Internet with public addresses only, while clients on the local network get the internal addresses, so internal host names and RFC 1918 addresses never reach outside resolvers. Pretty handy stuff!



Comments
  1. By Matt () on

    Essentially this guy configures tinydns to listen on two different ip addresses and then respond accordingly depending on which IP range the request comes from.

    Doesn't the data file already have the ability to look at where a request is coming from and then reply to that request based upon the originating IP? Granted, a person would have to edit the data file manually after using the little add-host scripts. Seems like a matter of choose your poison: edit the data file directly, or maintain two separate DNS servers that contain very similar information.

    from djb's website:

    For versions 1.04 and above: You may include a client location on each line. The line is ignored for clients outside that location. Client locations are specified by % lines:

    %lo:ipprefix

    means that IP addresses starting with ipprefix are in location lo. lo is a sequence of one or two ASCII letters. A client is in only one location; longer prefixes override shorter prefixes. For example,
    %in:192.168
    %ex
    +jupiter.heaven.af.mil:192.168.1.2:::in
    +jupiter.heaven.af.mil:1.2.3.4:::ex

    specifies that jupiter.heaven.af.mil has address 192.168.1.2 for clients in the 192.168.* network and address 1.2.3.4 for everyone else.

    Check out http://cr.yp.to/djbdns/tinydns-data.html
    for the full info.

    Comments
    1. By Wayne Marshall (guinix@yahoo.com) on

      To be fully operable for all hosts on the network described in the article, a single tinydns instance would then require data entries like the following:

      %ix:192.168.0
      %in:10.0.1
      %ex
      +www.guinix.com:192.168.0.254:::ix
      +www.guinix.com:192.168.0.254:::in
      +www.guinix.com:199.104.115.195:::ex

      I find the separate instances a little cleaner to configure and maintain, but certainly djb gives you this method as well.

      Comments
      1. By Henning () on

        huh???
        no, you just need
        %in:192.168.0
        %in:10.0.1
        %ex
        +www.guinix.com:192.168.0.254:::in
        +www.guinix.com:199.104.115.195:::ex

        the two-instance setup is much too complicated IMHO...

        Comments
        1. By Matt () on

          Yeah, I think setting up and maintaining two separate servers would be much more work. I asked because I thought I might be missing something (wouldn't be the first time)

        2. By Eduardo Alvarenga (eduardo at thrx dot dyndns dot org) on

          I agree with you, Henning. My organization has a tinydns server serving LAN, WAN and Internet access, with different information for each network. The 'data' file is about 1 MB, and it has run smoothly for about a year or more, just using the %in, %wn and %ex variables.

          I think I'll never go back to BIND. Er... what is BIND? I remember having heard about it around 1993...
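
The location semantics Matt quoted, and the single-instance data file Henning and Wayne traded above, in runnable form. This is an added example written for this page, not code from the article or from djbdns: it models the documented rules (one location per client, longest prefix wins, an empty prefix is the catch-all, a record tagged with a location is hidden from clients outside it) and assumes a prefix matches whole leading octets of the client address. The guest VLAN on 192.168.5.x, the host mail.guinix.com, the location name gs and the client addresses used in demo() are constructed for the example.

```python
"""Model tinydns 'data' client locations (%lo:ipprefix) for split-horizon DNS.

Added example, not code from the article or from djbdns.  Rules as quoted from
tinydns-data: one location per client, longest prefix wins, an empty prefix is
the catch-all, and a record tagged with a location is hidden from clients
outside it.  Assumption: prefixes match whole leading octets, so no CIDR masks.
Only '%' and '+' (A record) lines are handled; ttl/timestamp are ignored.
"""


def _octets(prefix):
    """'192.168' -> (192, 168); '' -> ().  Anything else is not a valid prefix."""
    if prefix == "":
        return ()
    parts = prefix.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("prefix must be 0-4 leading octets: %r" % prefix)
    return tuple(int(p) for p in parts)


def valid_prefix(prefix):
    """True if a % line can express this prefix (whole octets, no /mask)."""
    try:
        _octets(prefix)
        return True
    except ValueError:
        return False


def parse_data(text):
    """Parse a tinydns 'data' file into (locations, records).

    locations: {octet tuple: location name}, e.g. {(192, 168): 'in', (): 'ex'}
    records:   [(fqdn, ip, location or '')] in file order
    """
    locations, records = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#":
            continue
        kind, fields = line[0], line[1:].split(":")
        if kind == "%":
            loc = fields[0]
            if not (1 <= len(loc) <= 2 and loc.isascii() and loc.isalpha()):
                raise ValueError("location must be one or two ASCII letters: %r" % loc)
            locations[_octets(fields[1] if len(fields) > 1 else "")] = loc
        elif kind == "+":                          # +fqdn:ip:ttl:timestamp:lo
            fields += [""] * (5 - len(fields))
            fqdn, ip, _ttl, _timestamp, loc = fields[:5]
            records.append((fqdn.lower(), ip, loc))
    return locations, records


def client_location(locations, client_ip):
    """Longest-prefix match on leading octets; None when no % line applies."""
    octets = _octets(client_ip)
    for n in range(4, -1, -1):
        if octets[:n] in locations:
            return locations[octets[:n]]
    return None


def lookup_a(data, name, client_ip):
    """A records tinydns would answer to client_ip for name under this data."""
    locations, records = data
    loc = client_location(locations, client_ip)
    return [ip for fqdn, ip, rloc in records
            if fqdn == name.lower() and (rloc == "" or rloc == loc)]


# Constructed data files.  HENNING is the one-instance file from the thread.
HENNING = """\
%in:192.168.0
%in:10.0.1
%ex
+www.guinix.com:192.168.0.254:::in
+www.guinix.com:199.104.115.195:::ex
"""

# WITH_GUEST adds a constructed guest VLAN on 192.168.5.x that must get the
# public address although it sits inside 192.168, and a constructed host
# without a location field, which every client sees.
WITH_GUEST = """\
%in:192.168
%in:10.0.1
%gs:192.168.5
%ex
+www.guinix.com:192.168.0.254:::in
+www.guinix.com:199.104.115.195:::ex
+www.guinix.com:199.104.115.195:::gs
+mail.guinix.com:199.104.115.195
"""


def demo():
    """Answers for a few constructed client addresses, keyed by scenario."""
    h, g = parse_data(HENNING), parse_data(WITH_GUEST)
    return {"lan_10": lookup_a(h, "www.guinix.com", "10.0.1.7"),
            "lan_192": lookup_a(h, "www.guinix.com", "192.168.0.10"),
            "internet": lookup_a(h, "www.guinix.com", "203.0.113.9"),
            "guest": lookup_a(g, "www.guinix.com", "192.168.5.20"),
            "guest_mail": lookup_a(g, "mail.guinix.com", "192.168.5.20")}
```

Two things worth checking in a real data file follow from the model. A record with an empty location field is answered to every client, so an internal-only host must carry a location on each of its lines or its private address leaks to the Internet view. And a % line takes a dotted prefix, not a mask, so an internal range that does not fall on an octet boundary cannot be singled out this way; that is one case where binding separate tinydns instances to separate addresses, as the article does, is the simpler answer.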

  2. By Bye Buy by () on

    While I am running OpenBSD as a DNS server (v8 for now), I think split horizon is available in BIND 9. If so, it would be even less effort to accomplish the same.

    Not to start a flame war on preferred dns servers, or anything.

    Comments
    1. By Anonymous Coward () on

      Yes, the in-tree bind9 in -current can do that with 'views', and thanks to Jakob's care, the configuration examples (/var/named/etc/*) make this very easy.

      Comments
      1. By Anonymous Coward () on

        Right, searching Google for "split horizon bind" gave info and a link comparing how djbdns and BIND did it.

  3. By mirabile (mirabile@bsdcow.net) on

    Cool, I didn't know this 127.53.0.1 trick yet,
    neither the dnscache servers one.

    I've now set up a domain with two NS on DynDNS,
    one of these boxen also serves on IPv6.

    Needless to say they both run OpenBSD.

    Yes I did say IPv6...

  4. By Jim Knoble (jmknoble@pobox.com, http://www.pobox.com/~jmknoble/) on

    In the article:

    "tinydns-public" external 192.168.0.254
    "tinydns-local" loopback 127.53.0.1
    "dnscache" internal 10.0.1.254

    Note that, if you have a heterogeneous internal network with hosts that run BIND in "slave" mode, you may want (or need) to run axfrdns. In that case, you may want a slightly different configuration:

    "tinydns-public" external 192.168.0.254
    "tinydns-local" internal 10.0.1.253 (udp)
    "axfrdns" internal 10.0.1.253 (tcp)
    "dnscache" internal 10.0.1.254

    This scheme also allows tinydns-local to appear as an authoritative DNS server on the internal network (even without running axfrdns), in case you want multiple redundant internal DNS caches.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]