[Dnsmasq-discuss] Split DNS guidance needed

Jeff Boyce jboyce at meridianenv.com
Wed Feb 24 17:22:38 GMT 2016


Greetings –

Issue:

I am hosting an instance of OwnCloud on a company server located within 
our local LAN. Internal clients access it by name using 
“cloud.local.lan”. External clients access it by name using 
“cloud.companydomain.com”. One of the features of OwnCloud is being able 
to provide direct links to documents within the OwnCloud server to 
others outside of our company. OwnCloud provides internal clients with a 
link referencing “cloud.local.lan”; however, if this link is provided to 
an external client it will not work because it is referencing our 
internal LAN name. Our internal staff cannot use our external domain 
name (cloud.companydomain.com) to access the OwnCloud 
server. (Specifically, they receive the pfSense 501 page referencing 
“Potential DNS Rebind attack detected”. I initially took this issue to the 
pfSense forum, and have been advised that setting up a Split DNS 
configuration would solve my issue.)

My Objective:

I would like to have our internal clients use the external domain name 
(cloud.companydomain.com) to access our OwnCloud instance. Then the 
document links that OwnCloud generates would work for anyone we provide 
them to outside of our company.

My network configuration:

Internet ---> pfSense ---> Switch
                             |
                             ---> DNSmasq box
                             |
                             ---> OwnCloud box

pfSense box (192.168.112.11)
    External IP xx.yy.zz.18
    Network gateway and firewall
    1:1 NAT providing 4 public IPs to internal servers
    Uses ISP DNS server aa.bb.cc.1
         ISP DNS server aa.bb.cc.2
         Google DNS server 8.8.8.8

DNSmasq box (192.168.112.51)
    DNS and DHCP server for LAN
    Gives LAN clients
         DNS server 192.168.112.51
         Default Gateway 192.168.112.11

OwnCloud box (192.168.112.53)
    External IP xx.yy.zz.21

companydomain.com
    Physical box hosted by outside provider
    Zone file for companydomain.com

If Split DNS is what I need, then I am assuming that I would have to 
implement it on my DNSmasq server. I am logically thinking that when an 
internal client puts cloud.companydomain.com in a browser, there is a 
way that it can be resolved internally from the DNSmasq box to return 
the OwnCloud login page, rather than needing to go out through the 
gateway to be resolved (which results in the pfSense rebinding attack 
detection).

I have searched the mail archives for some guidance and usually end up 
back at this thread 
https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg09705.html. I 
am unable to implement this solution, as some features are not in my 
version of DNSmasq (specifically host-record). So I am still uncertain 
how to implement something that reaches my goal. My DNSmasq box is CentOS 
6.7 running DNSmasq 2.48-14.el6. The host-record feature is only 
available since 2.64.

I am looking for a simple description for implementing something in 
DNSmasq that addresses my objective listed above, so pointers to other 
how-to’s are appreciated.

I am not sure what additional information anyone might need to assist me 
with this issue, but let me know if anything else is needed. Thanks.

Jeff

-- 

Jeff Boyce
Meridian Environmental
www.meridianenv.com
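The split-horizon override the post is asking for, written out as an added example (this is not from the original post, from a list reply, or from the dnsmasq project). It assumes the addresses given in the post, that /etc/dnsmasq.conf is the configuration file on the CentOS 6.7 box, and uses only the address= directive and /etc/hosts handling, both of which exist in dnsmasq 2.48 (host-record, which the linked thread relies on, does not).

```conf
# /etc/dnsmasq.conf on the DNSmasq box (192.168.112.51) -- added example.
#
# Goal: a LAN client that asks this resolver for cloud.companydomain.com
# gets the LAN address of the OwnCloud box (192.168.112.53) instead of the
# public xx.yy.zz.21 that the ISP resolvers return.  External clients are
# unaffected: they never talk to this box and keep using the hosted zone.

# Option 1: address= (available in 2.48).  dnsmasq answers A queries for
# cloud.companydomain.com with 192.168.112.53 and never forwards the name
# upstream.  Caveat: address= also matches every name *under* the given
# domain (e.g. anything.cloud.companydomain.com), so use it only for a
# name that has no public subdomains you still need to resolve.
address=/cloud.companydomain.com/192.168.112.53

# Option 2 (alternative that also works in 2.48): an /etc/hosts entry on
# the dnsmasq box.  dnsmasq reads /etc/hosts by default and answers from
# it before forwarding, and unlike address= it matches the exact name
# only.  This line goes in /etc/hosts, not in dnsmasq.conf:
#
#   192.168.112.53   cloud.companydomain.com
#
# Pick one of the two options; do not combine them for the same name.

# Nothing else changes: every other name under companydomain.com is still
# forwarded to whatever upstream resolvers this box already uses (its
# /etc/resolv.conf, or explicit server= lines), so the public zone stays
# authoritative for www.companydomain.com, mail, and so on.
```

After `service dnsmasq restart`, check from a LAN client with `dig @192.168.112.51 cloud.companydomain.com +short` (expect 192.168.112.53) and with `dig @192.168.112.51 www.companydomain.com +short` (expect the public record, proving only the one name is overridden). The override only helps clients that actually use 192.168.112.51 as their resolver, which the post's DHCP configuration already arranges; a client pointed straight at pfSense or 8.8.8.8 will still get the public address. OwnCloud itself also has to accept the external name (its trusted_domains setting) before the login page will load under cloud.companydomain.com.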



