
How to do Split DNS with Unbound – sort of

Discussion in 'Asuswrt-Merlin' started by Markster, May 30, 2020.

  1. Markster (Senior Member)
    Split-horizon DNS, split-view DNS, split-brain DNS, or split DNS is the facility of a DNS implementation to provide different sets of DNS information (resolving to different IP addresses), usually selected by the source address of the DNS request.

    In my particular scenario I have the following set up:
    1. NAS behind the router to host Plex, DS Drive and DS Notes
    2. DDNS with duckdns.org configured on Asus Merlin. This public domain is used to access all NAS services remotely.
    3. Let's Encrypt cert generated on the Synology NAS using the acme client, providing SSL for my custom domain.

    Objective:
    1. Have secure access from all my remote devices to the Plex, DS Drive and DS Notes applications.
    2. Have secure access to the same applications using the same DNS name locally.
    3. Have Unbound return the local IP for the DDNS name when I am on my home network and still allow remote public DNS resolution (return the public IP).

    In order to accomplish point #3 I added the following lines to my unbound.conf.

    Code:
    private-address: 192.168.0.0/16
    private-domain: lan

    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org A 192.168.1.44"

    This resulted in Unbound resolving myhost.duckdns.org to the local IP when I am on my local LAN and still providing the remote public IP (DDNS) when I am remote. As you can see, since I use DDNS to resolve the public domain it is not a true split DNS, but it does work for my needs. The LE cert works in both scenarios, local and remote.
  2. tomsk (Very Senior Member)
    You could try it, though, by making a view... hopefully this would work.

    Code:
    access-control-view: 192.168.0.0/16 "duckdns"
    view:
        name: "duckdns"
        view-first: yes
        local-zone: "myhost.duckdns.org" redirect
        local-data: "myhost.duckdns.org IN A 192.168.1.44"
  3. Markster (Senior Member)
    Yes. That will work too. Thanks for additional info. I have not tested that but it looks good.
  4. Markster (Senior Member)
    I like the flexibility of creating a view in Unbound, but I am getting syntax errors when I try to create this view.
    I tried local-data: "myhost.duckdns.org. A [IP]" but this did not work either.
  5. tomsk (Very Senior Member)
    What syntax error are you getting? I tried pasting in the code and restarted Unbound without it throwing a syntax error.
    I'm using @Martineau's unbound manager script, which puts views in a separate unbound.conf.views file and has an include statement in unbound.conf:
    Code:
    server:
    include: "/opt/share/unbound/configs/unbound.conf.views"
    If you are pasting directly into the unbound.conf file, the text placement may be causing your syntax error.

    You will also get a syntax error if you are creating multiple views but put the access-control-view statements between them, i.e. the format should be:
    Code:
    access-control-view: 192.168.0.0/16 "duckdns"
    access-control-view: 192.168.0.150/16 "RandomView"
    view:
        name: "duckdns"
        view-first: yes
        local-zone: "myhost.duckdns.org" redirect
        local-data: "myhost.duckdns.org IN A 192.168.1.44"
    view:
        name: "RandomView"
        view-first: yes
        local-zone: "ramdomview.org." refuse
    Last edited: May 31, 2020
  6. Markster (Senior Member)
    Thanks @tomsk. I am not using @Martineau's menu to create a view. I'd like to keep things in one file if I can.
    At the end of unbound.conf I added a section like the one below, and this did not give me any syntax errors; however, when I validate with the dig command it returns the public IP for the host. BTW, I am still using dnsmasq with Unbound. Maybe this is what is causing the view to not work properly. The setup I did in the first post works for me with dnsmasq.

    Code:
    server:
    access-control-view: 192.168.0.0/16 "duckdns"
    view:
        name: "duckdns"
        view-first: yes
        local-zone: "myhost.duckdns.org" redirect
        local-data: "myhost.duckdns.org IN A 192.168.1.44"
  7. tomsk (Very Senior Member)
    Your syntax error was probably because the access-control-view: statement needs to be part of the server: clause. Yes, Unbound needs to see your clients' IPs directly for redirection with views to work. If your clients are querying dnsmasq first then Unbound will only see requests from 127.0.0.1. The reason it works with your original setup is that you are basically telling Unbound to redirect any LAN client request for that domain on any address to 192.168.1.44. You could get the same effect, with Unbound just listening to dnsmasq on the loopback, from your view by changing the access-control-view statement to:

    Code:
    server:
    access-control-view: 127.0.0.1 "duckdns"
    Last edited: May 31, 2020
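Added example, not from the thread or from Unbound itself: a small Python model of how Unbound picks a view by query source address. It shows why the view in post 6 falls through to upstream resolution when dnsmasq forwards from 127.0.0.1, and how the extra access-control-view line from post 7 fixes it. The config fragments are constructed from the posts; `parse` and `answer_a` are hypothetical helpers that cover only the options used here.

```python
import ipaddress

# Constructed unbound.conf fragment modelled on posts 5 and 6 (not a poster's actual file).
CONF_LAN = '''
server:
    access-control-view: 192.168.0.0/16 "duckdns"
view:
    name: "duckdns"
    view-first: yes
    local-zone: "myhost.duckdns.org" redirect
    local-data: "myhost.duckdns.org IN A 192.168.1.44"
'''
# Post 7's fix: dnsmasq forwards from loopback, so that source must map to the view too.
CONF_LOOPBACK = CONF_LAN.replace('server:\n', 'server:\n    access-control-view: 127.0.0.1 "duckdns"\n', 1)

def parse(conf):
    """Tiny subset parser: ([(netblock, view_name)], {view_name: {key: [values]}})."""
    acls, views, cur = [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line in ('server:', 'view:'):             # clause headers
            cur = {} if line == 'view:' else None
            continue
        key, _, val = line.partition(':')
        key, val = key.strip(), val.replace('"', '').strip()
        if key == 'access-control-view':              # server: option mapping source -> view
            net, name = val.split()
            acls.append((ipaddress.ip_network(net, strict=False), name))
        elif cur is not None and key == 'name':
            views[val] = cur
        elif cur is not None:
            cur.setdefault(key, []).append(val)
    return acls, views

def answer_a(source_ip, qname, conf):
    """A record the matching view's redirect zone returns, or None if Unbound would go upstream."""
    acls, views = parse(conf)
    ip, qname = ipaddress.ip_address(source_ip), qname.rstrip('.')
    hits = [(net.prefixlen, name) for net, name in acls if ip in net]
    view = views[max(hits)[1]] if hits else {}        # most specific netblock wins; no view -> upstream
    for zone in view.get('local-zone', []):
        zname, ztype = (t.rstrip('.') for t in zone.split())
        if ztype == 'redirect' and (qname == zname or qname.endswith('.' + zname)):
            for rr in view.get('local-data', []):     # redirect answers every name with the apex data
                toks = rr.split()
                if toks[0].rstrip('.') == zname and toks[-2] == 'A':
                    return toks[-1]
    return None
```

A LAN client querying Unbound directly gets 192.168.1.44, the same query arriving via dnsmasq from 127.0.0.1 gets nothing from the view under CONF_LAN (so the public DDNS address comes back), and CONF_LOOPBACK restores the local answer.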