How to do Split DNS with Unbound – sort of


Markster

Senior Member
Split-horizon DNS, split-view DNS, split-brain DNS, or split DNS is the facility of a DNS implementation to provide different sets of DNS information (resolving to different IP addresses), usually selected by the source address of the DNS request.

In my particular scenario I have the following setup:
1. NAS behind the router to host Plex, DS Drive and DS Notes
2. DDNS with duckdns.org configured on Asus Merlin. This public domain is used to access all NAS services remotely.
3. Let's Encrypt cert generated on Synology NAS using acme client providing SSL for my custom domain.

Objective:
1. Have secure access from all my remote devices to Plex, DS Drive and DS Notes applications.
2. Have secure access to the same applications using the same DNS name locally.
3. Have Unbound return DDNS as local IP when I am on my home network and still allow remote public DNS resolution - return public IP.

In order to accomplish point #3 I added the following lines to my unbound.conf.

private-address: 192.168.0.0/16
private-domain: lan


local-zone: "myhost.duckdns.org" redirect
local-data: "myhost.duckdns.org A 192.168.1.44"


This resulted in unbound DNS resolving my myhost.duckdns.org to the local IP when I am on my local LAN and still providing the remote public IP (DDNS) when I am remote. As you see, since I use DDNS to resolve the public domain it is not a true split DNS, but it does work for my needs. The LE cert works in both scenarios, local and remote.
 

tomsk

Very Senior Member
Split-horizon DNS, split-view DNS, split-brain DNS, or split DNS is the facility of a DNS implementation to provide different sets of DNS information (resolving to different IP addresses), usually selected by the source address of the DNS request.

In my particular scenario I have the following setup:
1. NAS behind the router to host Plex, DS Drive and DS Notes
2. DDNS with duckdns.org configured on Asus Merlin. This public domain is used to access all NAS services remotely.
3. Let's Encrypt cert generated on Synology NAS using acme client providing SSL for my custom domain.

Objective:
1. Have secure access from all my remote devices to Plex, DS Drive and DS Notes applications.
2. Have secure access to the same applications using the same DNS name locally.
3. Have Unbound return DDNS as local IP when I am on my home network and still allow remote public DNS resolution - return public IP.

In order to accomplish point #3 I added the following lines to my unbound.conf.

private-address: 192.168.0.0/16
private-domain: lan


local-zone: "myhost.duckdns.org" redirect
local-data: "myhost.duckdns.org A 192.168.1.44"


This resulted in unbound DNS resolving my myhost.duckdns.org to the local IP when I am on my local LAN and still providing the remote public IP (DDNS) when I am remote. As you see, since I use DDNS to resolve the public domain it is not a true split DNS, but it does work for my needs. The LE cert works in both scenarios, local and remote.
You could try it though making a view.... hopefully this would work

Code:
access-control-view: 192.168.0.0/16 "duckdns"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"
 

Markster

Senior Member
You could try it though making a view.... hopefully this would work

Code:
access-control-view: 192.168.0.0/16 "duckdns"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"

Yes. That will work too. Thanks for additional info. I have not tested that but it looks good.
 

Markster

Senior Member
You could try it though making a view.... hopefully this would work

Code:
access-control-view: 192.168.0.0/16 "duckdns"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"

I like the flexibility of creating a view in Unbound but I am getting syntax errors when I try to create this view.
I tried local-data: "myhost.duckdns.org. A [IP]" but this did not work either.
 

tomsk

Very Senior Member
I like the flexibility of creating a view in Unbound but I am getting syntax errors when I try to create this view.
I tried local-data: "myhost.duckdns.org. A [IP]" but this did not work either.
What syntax error are you getting? I tried pasting in the code and restarted unbound without it throwing a syntax error.
I'm using @Martineau's unbound manager script, which puts views in a separate unbound.conf.views file and has an include statement in the unbound.conf
Code:
server:
include: "/opt/share/unbound/configs/unbound.conf.views"

If you are pasting directly into the unbound.conf file, the text placement may be causing your syntax error.

You will also get a syntax error if you are creating multiple views but put the access-control-view statements between them, i.e. the format should be
Code:
access-control-view: 192.168.0.0/16 "duckdns"   
access-control-view: 192.168.0.150/16 "RandomView"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"
view:
    name: "RandomView"
    view-first: yes
    local-zone: "ramdomview.org." refuse
 

Markster

Senior Member
What syntax error are you getting? I tried pasting in the code and restarted unbound without it throwing a syntax error.
I'm using @Martineau's unbound manager script, which puts views in a separate unbound.conf.views file and has an include statement in the unbound.conf
Code:
server:
include: "/opt/share/unbound/configs/unbound.conf.views"

If you are pasting directly into the unbound.conf file, the text placement may be causing your syntax error.

You will also get a syntax error if you are creating multiple views but put the access-control-view statements between them, i.e. the format should be
Code:
access-control-view: 192.168.0.0/16 "duckdns"  
access-control-view: 192.168.0.150/16 "RandomView"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"
view:
    name: "RandomView"
    view-first: yes
    local-zone: "ramdomview.org." refuse

Thanks @tomsk. I am not using the @Martineau menu to create a view. I'd like to keep things in one file if I can.
At the end of the unbound.conf I added a section like below and this did not give me any syntax errors; however, when I validate with the dig command it returns the public IP for the host. BTW, I am still using dnsmasq with unbound. Maybe this is what is causing the view to not work properly. The setup I did in the first post works for me with dnsmasq.

server:
access-control-view: 192.168.0.0/16 "duckdns"
view:
name: "duckdns"
view-first: yes
local-zone: "myhost.duckdns.org" redirect
local-data: "myhost.duckdns.org IN A 192.168.1.44"
 

tomsk

Very Senior Member
Maybe this is what is causing the view to not work properly. The setup I did in the first post works for me with dnsmasq.
Your syntax error was probably because the access-control-view: statement needs to be part of the server: clause. Yes, unbound needs to see your clients' IP directly for redirection with views to work. If your clients are querying dnsmasq first, then unbound will only see requests from 127.0.0.1. The reason it works with your original setup is that you are basically telling unbound to redirect any LAN client request for that domain on any address to 192.168.1.44. You could get the same effect with unbound just listening to dnsmasq on the loopback from your view by changing the access-control-view statement to

server:
access-control-view: 127.0.0.1 "duckdns"
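Added example, not code from the thread or from Unbound itself: a small Python model of the behaviour tomsk describes above. Unbound picks a view by the query's source address and, inside a view, a redirect local-zone answers the zone apex and everything below it from its local-data; when dnsmasq sits in front, the only source address Unbound ever sees is 127.0.0.1. The config fragment, the client IPs and the stand-in public IP are all constructed.

```python
import ipaddress

# Constructed fragment in the shape used in this thread (not the poster's
# file): access-control-view lines sit in the server: clause, views follow.
# The 127.0.0.1 entry is what the dnsmasq-in-front case needs, since unbound
# then only sees queries arriving from the loopback.
UNBOUND_VIEWS = """
server:
    access-control-view: 192.168.0.0/16 "duckdns"
    access-control-view: 127.0.0.1/32 "duckdns"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"
"""
PUBLIC_IP = "203.0.113.7"  # constructed stand-in for the DDNS (public) answer

def parse_views(text):
    """Return ({network: view}, {view: {"zones": [redirect zones], "data": {owner: A}}})."""
    acl, views, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access-control-view:"):
            _, net, name = line.split()
            acl[ipaddress.ip_network(net, strict=False)] = name.strip('"')
        elif line.startswith("name:"):
            cur = line.split()[1].strip('"')
            views[cur] = {"zones": [], "data": {}}
        elif line.startswith("local-zone:") and line.endswith("redirect"):
            views[cur]["zones"].append(line.split('"')[1].rstrip("."))
        elif line.startswith("local-data:"):
            rr = line.split('"')[1].split()  # owner [IN] A address
            views[cur]["data"][rr[0].rstrip(".")] = rr[-1]
    return acl, views

def resolve(source_ip, qname, text=UNBOUND_VIEWS):
    """Pick the view by the query's source address (longest prefix wins); a
    redirect zone answers its apex and everything below it from local-data."""
    acl, views = parse_views(text)
    src = ipaddress.ip_address(source_ip)
    hits = [net for net in acl if src in net]
    if not hits:
        return PUBLIC_IP  # no view matched: normal recursion, DDNS answer
    view = views[acl[max(hits, key=lambda n: n.prefixlen)]]
    name = qname.rstrip(".")
    for zone in view["zones"]:
        if name == zone or name.endswith("." + zone):
            return view["data"].get(zone, PUBLIC_IP)
    return PUBLIC_IP
```

Dropping the 127.0.0.1 line from the fragment reproduces the symptom in the thread: a query forwarded by dnsmasq matches no view and comes back with the public IP.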
 

grid

New Around Here
Hi Guys,

Sorry for the noob question. New to amtm and currently have diversion, skynet and unbound manager installed.
I have the same setup as the original post and trying to get the subdomain resolving to the local IP when I'm home, eventually over VPN.

I've added the config below but I'm getting a syntax error:

server:
access-control-view: 192.168.0.0/24 "mydomain"
view:
name: "mydomain"
view-first: yes
local-zone: "home.mydomain.com" redirect
local-data: "home.mydomain.com IN A 192.168.0.61"

Any suggestions?
Thanks
 

Markster

Senior Member
In my example I have a bridged modem (no double NAT) setup and Plex running on my NAS drive.
I wanted to have remote access to the Plex server, but when at home I wanted the same host name to resolve to the local IP. To accomplish that I had to make the following entry in unbound.conf

private-domain: "home.lan"
local-zone: "hostname.duckdns.org" redirect
local-data: "hostname.duckdns.org A 192.168.50.195"

I also had to configure DDNS service on the router.
 

grid

New Around Here
Thanks.. I was going to try updating my config but it seems I've killed my 32 GB Samsung USB stick.
Started over with a Kingston 16GB; after setting up the 2GB swap, it seems to be dead too. ASUS UI shows no USB :/
Tried formatting it again and got "No compatible plugged in USB storage device(s) found to format"
Should I perhaps be using a USB hard drive? A bit scared of plugging another device in.
 

Markster

Senior Member
How did you format the USB? You should log in to the router, select Administration->System and check
"Format JFFS partition on next boot". Then reboot your router.
 

grid

New Around Here
Formatted initially on a Linux machine to ext4, and the router detected it and I just had to create the swap file.
Second time around I formatted using amtm. Seems I'm not the only one that's experienced this though.

Under Administration -> System
I already had 'Enable JFFS custom scripts and configs' selected, also USB mode 3.0 and USB hibernation off.

I'm also using your suggestion: (right under the server: section?)

private-domain: "home.lan"
local-zone: "hostname.duckdns.org" redirect
local-data: "hostname.duckdns.org A 192.168.50.195"

Not getting any errors but it doesn't seem to be resolving. I have an A record with the subdomain pointing to my public IP (not static but hasn't changed since I moved here).
Outside my network, I can reach my internal website (port forwarding 80/443); inside my network, the subnet doesn't resolve. I'm assuming home.lan is whatever shows up on my Windows "Connection-specific DNS Suffix"?
 

Markster

Senior Member
Formatted initially on a Linux machine to ext4, and the router detected it and I just had to create the swap file.
Second time around I formatted using amtm. Seems I'm not the only one that's experienced this though.

Under Administration -> System
I already had 'Enable JFFS custom scripts and configs' selected, also USB mode 3.0 and USB hibernation off.

I'm also using your suggestion: (right under the server: section?)

private-domain: "home.lan"
local-zone: "hostname.duckdns.org" redirect
local-data: "hostname.duckdns.org A 192.168.50.195"

Not getting any errors but it doesn't seem to be resolving. I have an A record with the subdomain pointing to my public IP (not static but hasn't changed since I moved here).
Outside my network, I can reach my internal website (port forwarding 80/443); inside my network, the subnet doesn't resolve. I'm assuming home.lan is whatever shows up on my Windows "Connection-specific DNS Suffix"?
The entries are just below the private-address declaration. home.lan is my local network domain as configured under the LAN section on the router.

This entry directs Unbound DNS to resolve my [hostname].duckdns.org to a local IP address.
 
