Split Horizon DNS

[Slyke]

Hello, I'm attempting to implement Split Horizon DNS. I have the split horizon installed already. My LAN is 10.7.0.0/16, the Technitium DNS server's IP is 10.7.7.77. I want to setup it up such that DNS queries to anysubdomain.my-domain.com from within my LAN resolve to addresses as specified address (under the domain's zone) zone, and if there's no entry in that zone for that specific DNS entry, it gets forwarded to the upstream DNS server. All other queries coming from addresses outside my LAN network should be forwarded to the upstream DNS as well.

I have domain.xyz. Once Technituim DNS is setup I'll tell the registrar to use my public IP address as a NS. Externally Technitium will also give out my public IP address (or something else if needed) when replying to domain.xyz and *.domain.xyz; internally, Technitium will resolve to the various IP addresses I have for different services (Metal-LB). I'll have some API integration (since my public IP can change from time to time), but I'll figure that out later. For now, I'm testing with my-domain.com to see if I can get basic horizon splitting working.

For context, my network is setup as such:

Internet ---> [Modem Router] -(NAT)-> [ext-lan] -(NAT)-> [LAN]

So, queries from the internet & ext-lan should be considered as "outside", since there's a NAT sitting between them and Technitium.

So far, in the Split Horizon app, I have:

{
    "enableAddressTranslation": true,
    "networkGroupMap": {
        "10.7.0.0/16": "lan",
        "192.168.1.0/24": "ext-lan"
    },
    "groups": [
        {
            "name": "lan",
            "enabled": true,
            "translateReverseLookups": true,
            "externalToInternalTranslation": {}
        }
    ]
}

I'm not sure what, or if I even need externalToInternalTranslation, but it errors if this key is removed.

I created a new zone called my-domain.com and created an APP entry for anysubdomain with the following config:

{
  "lan": [
    "10.7.0.25"
  ]
}

Zone details:

• App Name: Split Horizon
• Class Path: SplitHorizon.SimpleAddress
• Record Data: (as shown above).

But when I try to nslookup from my LAN, I get no results:

$ dig @10.7.7.77 anysubdomain.my-domain.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.7.7.77 anysubdomain.my-domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12545
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;anysubdomain.my-domain.com.    IN      A

;; Query time: 0 msec
;; SERVER: 10.7.7.77#53(10.7.7.77)
;; WHEN: Mon Apr 29 03:02:47 PDT 2024
;; MSG SIZE  rcvd: 55

$ nslookup anysubdomain.my-domain.com 10.7.7.77
Server:         10.7.7.77
Address:        10.7.7.77#53

Non-authoritative answer:
*** Can't find anysubdomain.my-domain.com: No answer

I did find a few other discussions, mainly: #815 but unsure what I'm doing wrong.

[ShreyasZare]

Thanks for asking.

Hello, I'm attempting to implement Split Horizon DNS. I have the split horizon installed already. My LAN is 10.7.0.0/16, the Technitium DNS server's IP is 10.7.7.77. I want to setup it up such that DNS queries to anysubdomain.my-domain.com from within my LAN resolve to addresses as specified address (under the domain's zone) zone, and if there's no entry in that zone for that specific DNS entry, it gets forwarded to the upstream DNS server. All other queries coming from addresses outside my LAN network should be forwarded to the upstream DNS as well.

I have not understood this fully. But if you need to have zone such that it resolves records that you add in it but if there are no records for a query, it should get forwarded to some upstream then you need to use Conditional Forwarder Zone. You can create a forwarder zone for any domain name (you own it or not) and add records to it as required. Anything else gets forwarded to the forwarder specified in FWD records.

I have domain.xyz. Once Technituim DNS is setup I'll tell the registrar to use my public IP address as a NS. Externally Technitium will also give out my public IP address (or something else if needed) when replying to domain.xyz and *.domain.xyz; internally, Technitium will resolve to the various IP addresses I have for different services (Metal-LB). I'll have some API integration (since my public IP can change from time to time), but I'll figure that out later. For now, I'm testing with my-domain.com to see if I can get basic horizon splitting working.

If you want to self host your public domain name and also want it to resolve to your internal IP address then you need to use the Split Horizon app. The app has address translation feature which is of no use for your scenario so you should remove any config from the app's main config section.

You need to use the APP record in your public zone. The APP record when queried returns answer based on the client's IP address. So, your APP record config should look something like this:

{
  "public": [
     "<your-router's-public-ip-address>"
  ],
  "lan": [
    "10.7.0.25"
  ]
}

So the above config for APP record will resolve your public IP when request is received from public IP i.e. Internet but will resolve to the private IP when it comes from "lan" (defined in the app's config under the "networks" node).

[Slyke]

Thanks for the reply, right now when I use Technitium DNS it does not resolve my custom domain. I have modified the Record Data to be:

{
  "lan": [
    "10.7.0.25"
  ],
  "public": [
     "142.251.33.78" // This is google, and just for testing. Will change to my IP once it's working.
  ]
}

I can see that dig works when looking up Google directly with Technitium DNS, but it doesn't work when I use the zone I want to override:

$ dig @10.7.7.77 google.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.7.7.77 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10194
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             110     IN      A       142.251.33.78

;; Query time: 0 msec
;; SERVER: 10.7.7.77#53(10.7.7.77)
;; WHEN: Mon Apr 29 18:27:09 PDT 2024
;; MSG SIZE  rcvd: 55



$ dig @10.7.7.77 anysubdomain.my-domain.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.7.7.77 anysubdomain.my-domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26565
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;anysubdomain.my-domain.com.    IN      A

;; AUTHORITY SECTION:
my-domain.com.          900     IN      SOA     test-dns.xyz. hostadmin.my-domain.com. 1 900 300 604800 900

;; Query time: 0 msec
;; SERVER: 10.7.7.77#53(10.7.7.77)
;; WHEN: Mon Apr 29 18:37:39 PDT 2024
;; MSG SIZE  rcvd: 113

I'll figure out the Conditional Forwarding too, once I have it working with the custom domains specified.

I have also modified the Split Horizon app config to be:

{
    "enableAddressTranslation": true,
    "networkGroupMap": {
        "10.7.0.0/16": "lan",
        "192.168.1.0/24": "ext-lan",
        "0.0.0.0/32": "public"
    },
    "groups": [
        {
            "name": "lan",
            "enabled": true,
            "translateReverseLookups": true,
            "externalToInternalTranslation": {}
        }
    ]
}

What do I need to change/do in order to get dig @10.7.7.77 anysubdomain.my-domain.com to return 10.7.0.25 when executing the command from within the lan subnet, and return 142.251.33.78 in public and ext-lan networks?

I've attached some screenshots to better show my configs:

my-domain.com:

All zones:

Split Horizon App:

[ShreyasZare]

The problem is that the APP record uses lan as the custom network but it is not defined in the app's main config. So, either you use 10.7.0.0/16 as the key instead or define the custom network in the main config.

So, either you use the APP config shown below:

{
  "10.7.0.0/16": [
    "10.7.0.25"
  ],
  "public": [
     "142.251.33.78"
  ]
}

OR, you define the custom network in the Split Horizon app's main config as below:

{
    "networks": {
        "lan": [
            "10.7.0.0/16"
        ]
    },
    "enableAddressTranslation": false,
    "networkGroupMap": {
        "10.0.0.0/8": "local1",
        "172.16.0.0/12": "local2",
        "192.168.0.0/16": "local3"
    },
    "groups": [
        {
            "name": "local1",
            "enabled": true,
            "translateReverseLookups": true,
            "externalToInternalTranslation": {
               "1.2.3.4": "10.0.0.4",
               "5.6.7.8": "10.0.0.5"
            }
        },
        {
            "name": "local2",
            "enabled": true,
            "translateReverseLookups": true,
            "externalToInternalTranslation": {
               "1.2.3.4": "172.16.0.4",
               "5.6.7.8": "172.16.0.5"
            }
        },
        {
            "name": "local3",
            "enabled": true,
            "translateReverseLookups": true,
            "externalToInternalTranslation": {
               "1.2.3.4": "192.168.0.4",
               "5.6.7.8": "192.168.0.5"
            }
        }
    ]
}

[Slyke]

Thank you very much! You are correct, I didn't realise the difference between networkGroupMap and network.

I ended up testing both methods you mentioned and they both worked; but settled on using the named network instead of listing subnet blocks in Record Data, so that in the future I can add other networks easily:
Split Horizon App:

{
    "enableAddressTranslation": true,
    "networkGroupMap": {},
    "networks": {
        "lan": [
            "10.7.0.0/16"
        ]
    },
    "groups": []
}

I tested with test.google.com and mail.google.com as a Conditional Forwarder Zone and was able to successfully see the subdomains using the public IP and my own IP:

{
  "lan": [
    "10.7.0.25"
  ],
  "public": [
     "142.251.33.78"
  ]
}

$ dig @10.7.7.77 mail.google.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.7.7.77 mail.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.google.com.               IN      A

;; ANSWER SECTION:
mail.google.com.        176     IN      A       142.251.211.229

;; Query time: 20 msec
;; SERVER: 10.7.7.77#53(10.7.7.77)
;; WHEN: Tue Apr 30 01:03:41 PDT 2024
;; MSG SIZE  rcvd: 60



$ dig @10.7.7.77 test.google.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.7.7.77 test.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21273
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.google.com.               IN      A

;; ANSWER SECTION:
test.google.com.        3600    IN      A       10.7.0.25

;; Query time: 0 msec
;; SERVER: 10.7.7.77#53(10.7.7.77)
;; WHEN: Tue Apr 30 01:03:47 PDT 2024
;; MSG SIZE  rcvd: 60

[ShreyasZare]

Good to know that you got it working.