Merging results from different domain name servers

David Brown
PostPosted: Thu Jul 23, 2009 8:10 am    Post subject: Merging results from different domain name servers
Archived from groups: comp.os.linux.networking

I have a problem with trying to set up some DNS servers (these are for
local DNS serving, and are not publicly accessible). I don't know if it
is possible to do what I want here, and I'd value any advice on how to
do it, or suggestions on what else I could try.


First, here is the "company" network:

router: eth0 connected to internet, with global IP (say, 20.0.0.1)
eth1 connected to internal LAN, IP 10.0.0.1
running dnsmasq for local queries, resolving local names and
caching lookups from ISP's DNS servers.
openvpn server
Incoming port 80 traffic on eth0 forwarded to "http"

http: IP 10.0.0.2
Running apache, with name-based virtual hosting. Everything
addressed to "www.company.com" is forwarded to "www", and
everything addressed to "www2.company.com" forwarded to "www2"

www: IP 10.0.0.3
Web server

www2: IP 10.0.0.4
Another web server

officeclient: IP 10.0.0.5


On a public DNS server, all "*.company.com" addresses resolve to the
global 20.0.0.1


Home network:

homerouter:
global IP 20.0.0.2, lan ip 10.1.0.1
running dnsmasq for local queries, resolving local names and
caching lookups from ISP's DNS servers.
homeserver:
ip 10.1.0.2

homeclient: ip 10.1.0.3
Sometimes running openvpn, connecting to router.company.com


When "officeclient" looks for "www.company.com", the dnsmasq on "router"
resolves it to 10.0.0.3, and "officeclient" gets direct access by web
browser, ssh, nfs, or whatever.

When "homeclient" looks for "www.company.com", the dnsmasq on
"homerouter" passes the query to the ISP's DNS server, which returns
20.0.0.1. Web access will be forwarded by "router" to "http", which
will pass on the request to "www". If "homeclient" tries "ssh
www.company.com", it will actually target "router", which will reject
incoming ssh traffic.

So far, this is exactly what I want, and works fine.


When "homeclient" connects with openvpn to "router", it then has direct
access to the internal servers. "ssh 10.0.0.3" gives "homeclient" ssh
access to "www".

If the openvpn server is configured to push its DNS server to the
client, then "homeclient" will use "router"'s DNS server. Then
"www.company.com" will resolve to 10.0.0.3, and homeclient has direct
access to the "company.com" machines by name. However, attempts to
look up "homeserver" will fail as "router" does not know about "homeserver".

If the openvpn server does not pass on its DNS server, "homeclient"
cannot access the internal company machines by name - "www.company.com"
will still resolve to 20.0.0.1. However, lookups of "homeserver" will
work fine.


What I would really like is for "homeclient" to use /both/ dns servers
when the vpn is connected. I want "company.com" names to be searched on
"router" (over the vpn), and other names looked up locally on "homerouter".


Is there any way I can get this sort of flexibility? I'm beginning to
think the only way to get close is to put "homeserver" in the hosts file
on "homeclient", and let the vpn server push the DNS server to
"homeclient" when it is connected.
David Schwartz
PostPosted: Thu Jul 23, 2009 8:10 am    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

On Jul 23, 4:25 am, David Brown <da... RemoveThis @westcontrol.removethisbit.com>
wrote:

> What I would really like is for "homeclient" to use /both/ dns servers
> when the vpn is connected.  I want "company.com" names to be searched on
> "router" (over the vpn), and other names looked up locally on "homerouter".
>
> Is there any way I can get this sort of flexibility?  I'm beginning to
> think the only way to get close is to put "homeserver" in the hosts file
> on "homeclient", and let the vpn server push the DNS server to
> "homeclient" when it is connected.

Set up a nameserver that serves exactly the responses you want. Then
configure the clients to use that nameserver.

DS
Joe Pfeiffer
PostPosted: Thu Jul 23, 2009 8:10 am    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

David Brown <david.RemoveThis@westcontrol.removethisbit.com> writes:
>
> What I would really like is for "homeclient" to use /both/ dns servers
> when the vpn is connected. I want "company.com" names to be searched
> on "router" (over the vpn), and other names looked up locally on
> "homerouter".
>
>
> Is there any way I can get this sort of flexibility? I'm beginning to
> think the only way to get close is to put "homeserver" in the hosts
> file on "homeclient", and let the vpn server push the DNS server to
> "homeclient" when it is connected.

If you're doing what I think you are, dnsmasq can do this. Part of my
home dnsmasq configuration is

server=/vpn/10.8.0.1
server=/0.8.10.in-addr.arpa/10.8.0.1

which says to use nameserver 10.8.0.1 -- which is my openvpn and dnsmasq
server at school -- for lookups in the .vpn domain (that's what I use as
the domain for my VPN -- the fact there is no such TLD works out quite
nicely for me!) and the 0.8.10.in-addr.arpa domain for reverse lookups.

Over at school, I've got similar lines in the configuration sending DNS
searches in the wb.pfeifferfamily.net domain to my home dnsmasq server.
pfeifferfamily.net, meanwhile, is publicly accessible and goes off to
my web hosting company.
David Brown
PostPosted: Fri Jul 24, 2009 4:10 am    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

David Schwartz wrote:
> On Jul 23, 4:25 am, David Brown <da....TakeThisOut@westcontrol.removethisbit.com>
> wrote:
>
>> What I would really like is for "homeclient" to use /both/ dns servers
>> when the vpn is connected. I want "company.com" names to be searched on
>> "router" (over the vpn), and other names looked up locally on "homerouter".
>>
>> Is there any way I can get this sort of flexibility? I'm beginning to
>> think the only way to get close is to put "homeserver" in the hosts file
>> on "homeclient", and let the vpn server push the DNS server to
>> "homeclient" when it is connected.
>
> Set up a nameserver that serves exactly the responses you want. Then
> configure the clients to use that nameserver.
>

The trouble is that the nameserver does not know what the client wants,
as it depends on whether the client is connected to the vpn or not.
David Brown
PostPosted: Fri Jul 24, 2009 4:10 am    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

Joe Pfeiffer wrote:
> David Brown <david.TakeThisOut@westcontrol.removethisbit.com> writes:
>> What I would really like is for "homeclient" to use /both/ dns servers
>> when the vpn is connected. I want "company.com" names to be searched
>> on "router" (over the vpn), and other names looked up locally on
>> "homerouter".
>>
>>
>> Is there any way I can get this sort of flexibility? I'm beginning to
>> think the only way to get close is to put "homeserver" in the hosts
>> file on "homeclient", and let the vpn server push the DNS server to
>> "homeclient" when it is connected.
>
> If you're doing what I think you are, dnsmasq can do this. Part of my
> home dnsmasq configuration is
>
> server=/vpn/10.8.0.1
> server=/0.8.10.in-addr.arpa/10.8.0.1
>
> which says to use nameserver 10.8.0.1 -- which is my openvpn and dnsmasq
> server at school -- for lookups in the .vpn domain (that's what I use as
> the domain for my VPN -- the fact there is no such TLD works out quite
> nicely for me!) and the 0.8.10.in-addr.arpa domain for reverse lookups.
>
> Over at school, I've got similar lines in the configuration sending DNS
> searches in the wb.pfeifferfamily.net domain to my home dnsmasq server.
> pfeifferfamily.net, meanwhile, is publicly accessible and goes off to
> my web hosting company.

I've certainly thought about something similar. If the home network
were connected (as a network) with the company network by vpn, then
dnsmasq's domain-specific server setting would be the right choice.
However, I want the vpn running only on the client machine (other users
on the home network should not have access to the company network).

I hadn't thought about the need for reverse lookups in the dnsmasq setup
- thanks for including that here.

A possibility would be to run a local dnsmasq server on the client,
triggered to start with the vpn tunnel. The local dnsmasq server would
pass anything to "company.com" through the vpn to the company's dnsmasq
server, and anything else to the upstream dns server (i.e., the home
router). This would also make the solution independent of the home
network, and therefore equally good on a laptop that could be used on
other networks.

Now the question is - does dnsmasq run on windows? (I guess google has
some answers, but perhaps people here have tried it.) I run Linux on
several machines, but I'm not the only one working here, and there are
others running windows on laptops who would be interested in this.
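The client-side dnsmasq approach David proposes above, built with the server=/domain/ syntax from Joe's configuration, as an added example that is not from the thread. It assumes the addresses of the original post (company.com and its reverse zone via the company router 10.0.0.1 over the tunnel, everything else via the home router 10.1.0.1), a dnsmasq conf-dir of /etc/dnsmasq.d, and OpenVPN's script_type variable for the up/down hook.

```shell
#!/bin/sh
# Added example, not from the thread: a dnsmasq.conf fragment for a
# split resolver running on the VPN client itself, plus the hook that
# rewrites it when the tunnel comes up or goes down. Assumed values
# follow the original post: company.com and its reverse zone go to the
# company router 10.0.0.1 over the tunnel, everything else to the home
# router 10.1.0.1. Point the client's /etc/resolv.conf at 127.0.0.1.

# reverse_zone 10.0.0.0 -> 0.0.10.in-addr.arpa (first three octets, /24 only)
reverse_zone() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# local_conf UPSTREAM_DNS: the part that stays valid with the tunnel down
local_conf() {
    printf 'listen-address=127.0.0.1\n'   # answer this client only
    printf 'bind-interfaces\n'
    printf 'no-resolv\n'                  # upstreams come from here, not resolv.conf
    printf 'server=%s\n' "$1"             # default for everything else
}

# split_dns_conf DOMAIN VPN_DNS VPN_NET UPSTREAM_DNS
# A 'server=/domain/ip' line takes precedence over the bare 'server=ip'
# default for names under that domain, so only DOMAIN and its reverse
# zone cross the VPN; home names still resolve on the home router.
split_dns_conf() {
    local_conf "$4"
    printf 'server=/%s/%s\n' "$1" "$2"
    printf 'server=/%s/%s\n' "$(reverse_zone "$3")" "$2"
}

# vpn_hook SCRIPT_TYPE CONF_FILE: called from OpenVPN's --up and --down
# scripts, which export script_type=up|down. With the tunnel down the
# company entries are dropped so lookups do not hang on a dead route
# (the nuisance Joe describes). Restart dnsmasq after either branch.
vpn_hook() {
    case "$1" in
        up)   split_dns_conf company.com 10.0.0.1 10.0.0.0 10.1.0.1 > "$2" ;;
        down) local_conf 10.1.0.1 > "$2" ;;
        *)    echo "unexpected script_type: $1" >&2; return 1 ;;
    esac
}

# In the OpenVPN client config (not run here; assumes conf-dir=/etc/dnsmasq.d):
#   script-security 2
#   up   /etc/openvpn/split-dns.sh
#   down /etc/openvpn/split-dns.sh
# where split-dns.sh sources this file and ends with:
#   vpn_hook "$script_type" /etc/dnsmasq.d/vpn.conf
```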
Joe Pfeiffer
PostPosted: Fri Jul 24, 2009 7:03 am    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

David Brown <david RemoveThis @westcontrol.removethisbit.com> writes:
>
> A possibility would be to run a local dnsmasq server on the client,
> triggered to start with the vpn tunnel. The local dnsmasq server
> would pass anything to "company.com" through the vpn to the company's
> dnsmasq server, and anything else to the upstream dns server (i.e.,
> the home router). This would also make the solution independent of
> the home network, and therefore equally good on a laptop that could be
> used on other networks.

This is pretty much what I was doing until very recently -- I only had a
single machine at home on the vpn, and that machine ran dnsmasq. I went
ahead and ran it (with the same config file) whether the vpn was up or
down. The fact that dnsmasq was trying to use the vpn to do some of its
searches when the vpn wasn't up wasn't a problem in practical terms,
since I knew if it was up or down, and I didn't try dns queries on the
vpn when it was down (or I said something impolite and killed the
request when I realized it was taking a long time!).

> Now the question is - does dnsmasq run on windows? (I guess google
> has some answers, but perhaps people here have tried it.) I run Linux
> on several machines, but I'm not the only one working here, and there
> are others running windows on laptops who would be interested in this.

virtualbox? :-)
--
Klingon programs don't have parameters. They have arguments and win
them (Walter Bushell)
David Schwartz
PostPosted: Fri Jul 24, 2009 11:46 pm    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

On Jul 24, 12:29 am, David Brown <da....DeleteThis@westcontrol.removethisbit.com>
wrote:

> The trouble is that the nameserver does not know what the client wants,
> as it depends on whether the client is connected to the vpn or not.

It's hard to give a good recommendation without knowing more details
about your situation. But three common solutions are:

1) Have the client use a different nameserver if it's connected to the
VPN.

2) Have the client use its VPN address as the source address for its
DNS queries by making that 'closer' to the nameserver. The nameserver
can then tell what the client wants based on the source address.

3) Have a special "inside" domain that clients connected to the VPN
check first. So "foo" may translate to "foo.example.com" if you're not
on the VPN but "foo.internal.example.com" first if you are.

DS
David Brown
PostPosted: Sun Jul 26, 2009 12:10 pm    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

Joe Pfeiffer wrote:
> David Brown <david.TakeThisOut@westcontrol.removethisbit.com> writes:
>> A possibility would be to run a local dnsmasq server on the client,
>> triggered to start with the vpn tunnel. The local dnsmasq server
>> would pass anything to "company.com" through the vpn to the company's
>> dnsmasq server, and anything else to the upstream dns server (i.e.,
>> the home router). This would also make the solution independent of
>> the home network, and therefore equally good on a laptop that could be
>> used on other networks.
>
> This is pretty much what I was doing until very recently -- I only had a
> single machine at home on the vpn, and that machine ran dnsmasq. I went
> ahead and ran it (with the same config file) whether the vpn was up or
> down. The fact that dnsmasq was trying to use the vpn to do some of its
> searches when the vpn wasn't up wasn't a problem in practical terms,
> since I knew if it was up or down, and I didn't try dns queries on the
> vpn when it was down (or I said something impolite and killed the
> request when I realized it was taking a long time!).
>
>> Now the question is - does dnsmasq run on windows? (I guess google
>> has some answers, but perhaps people here have tried it.) I run Linux
>> on several machines, but I'm not the only one working here, and there
>> are others running windows on laptops who would be interested in this.
>
> virtualbox? :-)

VirtualBox is perhaps a little bit overkill here? coLinux would be
lighter, but cygwin would be better (or a mingw compile). I'll have to
look into this later.
David Brown
PostPosted: Sun Jul 26, 2009 4:10 pm    Post subject: Re: Merging results from different domain name servers
Archived from groups: per prev. post

David Schwartz wrote:
> On Jul 24, 12:29 am, David Brown <da....DeleteThis@westcontrol.removethisbit.com>
> wrote:
>
>> The trouble is that the nameserver does not know what the client wants,
>> as it depends on whether the client is connected to the vpn or not.
>
> It's hard to give a good recommendation without knowing more details
> about your situation. But three common solutions are:
>

I'm trying to be flexible about the details so that I don't impose
restraints that aren't actually necessary. I am also trying to see if I
can find more general solutions or ideas so that I can get things
working nicely for others at our company (for example, it would not be
difficult for me to run a local dnsmasq server on my Linux laptop, but
that would be more of a challenge for others with Windows laptops). But
I'll do my best to give more information if it is useful. And thanks
for your ideas so far.

> 1) Have the client use a different nameserver if it's connected to the
> VPN.
>

Yes, that is sounding like a good idea - with the nameserver running on
the client itself.

> 2) Have the client use its VPN address as the source address for its
> DNS queries by making that 'closer' to the nameserver. The nameserver
> can then tell what the client wants based on the source address.
>

That would work to some extent. If the client uses the company "router"
as the nameserver when the VPN is connected (that's easy to achieve with
openvpn server settings) then it will get the correct addresses for
names in the company.com. But it then would not get the correct
addresses for the local network.

In a sense, the fact that there is a VPN is not really relevant - it's
just a client that sits on two networks, and I'd like to be able to
resolve local addresses on each network using local DNS servers for each
network.

> 3) Have a special "inside" domain that clients connected to the VPN
> check first. So "foo" may translate to "foo.example.com" if you're not
> on the VPN but "foo.internal.example.com" first if you are.
>

Something like that would also be possible. For example, the home
network dns could pass all ".vpn" addresses onto the company dns server,
which could then turn these into local company network addresses. Then
when the home client looks up "www.company.com" it would get the global
address as before, but it could also use "www.vpn" to get the internal
company address - all regardless of whether it was connected by vpn or
not. Of course, any attempts to access "www.vpn" would fail if it were
not connected by vpn at the time.

That's lots of possibilities and ideas. None of them jump out as ideal
as yet - I'm thinking mostly of either using the hosts file on the
client manually, or running dnsmasq locally on the client.


> DS