[Dnsmasq-discuss] split DNS, multiple --local entries and secondary DNS

Simon Kelley simon at thekelleys.org.uk
Thu May 24 09:50:58 BST 2007

Martijn Brinkers (List) wrote:
> Hi,
> Background:
> A company has a split DNS ie. they have an internal DNS containing only
> records for private internal domains and an external DNS containing only
> public records. Normally you would have the internal DNS forward unknown
> requests to the external DNS but that's not possible in this situation.
> Problem:
> The problem is that our machine needs to look up internal private domains as
> well as external public domains. It seems this is not possible with the
> default Linux resolvers because when a DNS server reports a negative result
> the secondary DNS is never queried (which is normal). 
> The way we solved it is by using the following DNSMasq option:
> -S, --local,
> --server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source>[#<port>]]]
> We can now specify that lookups for an internal domain should go to the
> internal DNS server and lookups for an external domain will go to the
> default external DNS servers.
> This seems to fix the split DNS problem. We only have one problem left.
> There are two internal DNS servers. The primary and the secondary. When the
> primary internal DNS stops answering queries all internal requests should go
> to the secondary internal DNS server.
> What we have tried is to add multiple 'local' options with the same domain
> but with a different <ipaddr> but this seems not to work. Only the first
> entry is used and if the lookup fails it does not try the secondary internal
> DNS server but falls back on the external DNS.
> Can someone help me to get this working? Or is this an impossible request?

It should work, but it's a rare use case on some old and gnarly code, so
a bug is certainly possible.

Note that the behaviour for servers with a domain is different to
"domainless" servers: servers with a domain will always attempt to use
servers in the same order, so if the first server is down, there might
be a delay before the second server is used. "domainless" servers have a
system to optimise choosing the first server.

This certainly isn't an impossible request: if it turns out to be broken
I'm happy to fix the bug.



> Martijn Brinkers
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
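The configuration the thread discusses, written out as an added example (not from either poster): two internal servers listed for the same domain so dnsmasq tries them in order, with logging enabled to verify which upstream actually answered. The domain, addresses and the reverse zone are placeholders.

```conf
# /etc/dnsmasq.conf fragment for split DNS with internal failover.
# Added example; corp.example, 10.0.0.53, 10.0.0.54 and 192.0.2.x are placeholders.

# Do not read /etc/resolv.conf; every upstream is declared here.
no-resolv

# Internal zone: both internal servers carry the same domain.
# Servers with a domain are tried in the order listed, so the second
# is consulted only once the first fails to answer (expect a timeout delay).
server=/corp.example/10.0.0.53
server=/corp.example/10.0.0.54

# Reverse lookups for the private range go to the same internal servers,
# otherwise PTR queries for internal hosts leak to the external resolvers.
server=/10.in-addr.arpa/10.0.0.53
server=/10.in-addr.arpa/10.0.0.54

# Everything else goes to the external (public) resolvers.
server=192.0.2.1
server=192.0.2.2

# Log each query and the upstream it was forwarded to; with the primary
# internal server stopped, the log should show 10.0.0.54 answering corp.example.
log-queries
```

With `log-queries` on, a lookup such as `dig @127.0.0.1 host.corp.example` shows in the dnsmasq log which of the two internal addresses the query was forwarded to, which is the quickest way to confirm whether the failover in the thread works.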
