<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Simple way to set up Split DNS</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>Simple way to set up Split DNS</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2008 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292634"></a><p>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id257928">What is Split DNS</a></span></dt><dt><span class="section"><a href="#id257944">Why would I want to use Split DNS?</a></span></dt><dt><span class="section"><a href="#id257958">Setting up Split DNS</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id257928"></a>What is Split DNS</h2></div></div></div><p><em class="firstterm">Split DNS</em> is simply a configuration in which the IP address to which a DNS name resolves is dependent on the location of the client. It is most often used in a NAT environment to insure that local clients resolve the DNS names of local servers to their RFC 1918 addresses while external clients resolve the same server names to their public counterparts.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id257944"></a>Why would I want to use Split DNS?</h2></div></div></div><p>See <a class="ulink" href="FAQ.htm#faq2" target="_self">Shorewall FAQ 2</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id257958"></a>Setting up Split DNS</h2></div></div></div><p>Setting up Split DNS is extremely simple:</p><div class="orderedlist"><ol type="1"><li><p>Be sure that your firewall/router can resolve external DNS names.</p></li><li><p>Install the <span class="bold"><strong>dnsmasq</strong></span> package (<a class="ulink" href="http://www.thekelleys.org.uk/dnsmasq/doc.html" target="_self">http://www.thekelleys.org.uk/dnsmasq/doc.htm</a>l) and arrange for it to start at boot time. There are many dnsmasq HOWTOs on the Internet.</p></li><li><p>Add your local hosts to <code class="filename">/etc/hosts</code> on the firewall/router using their local RFC 1918 addresses. Here's an example:</p><pre class="programlisting"># # hosts This file describes a number of hostname-to-address # mappings for the TCP/IP subsystem. It is mostly # used at boot time, when no name servers are running. # On small systems, this file can be used instead of a # "named" name server. # Syntax: # # IP-Address Full-Qualified-Hostname Short-Hostname # 127.0.0.1 localhost # special IPv6 addresses ::1 localhost ipv6-localhost ipv6-loopback fe00::0 ipv6-localnet ff00::0 ipv6-mcastprefix ff02::1 ipv6-allnodes ff02::2 ipv6-allrouters ff02::3 ipv6-allhosts 127.0.0.2 ursa.shorewall.net ursa <span class="bold"><strong>172.20.1.1 linksys.shorewall.net linksys 192.168.0.1 opensuse.shorewall.net opensuse 192.168.0.2 debian.shorewall.net debian 192.168.0.3 ubuntu.shorewall.net ubuntu 192.168.0.4 fedora.shoreawll.net fedora 192.168.0.5 opensuse11.shorewall.net opensuse11 192.168.0.6 centos.shorewall.net centos 192.168.0.7 debian32.shorewall.net debian32 192.168.0.8 fedora9.shorewall.net fedora9</strong></span> 206.124.146.254 blarg.shorewall.net blarg </pre></li><li><p>Configure your local network hosts to use the firewall/router as their DNS server. If your local hosts are configured using DHCP, that is a simple one-line change to the DHCP configuration.</p></li></ol></div><p><span class="bold"><strong>And that's it!</strong></span> Your local clients will resolve those names in the firewall/router's <code class="filename">/etc/hosts</code> file as defined in that file. All other names will be resolved using the firewall/router's Name Server as defined in <code class="filename">/etc/resolv.conf</code>.</p><p>Example:</p><p>From an Internet Host:</p><pre class="programlisting">gateway:~ # host linksys.shorewall.net linksys.shorewall.net has address 206.124.146.180 gateway:~ # </pre><p>From ubuntu (192.168.0.3):</p><pre class="programlisting">teastep@ubuntu:~$ host linksys linksys.shorewall.net has address 172.20.1.1 teastep@ubuntu:~$ </pre></div></div></body></html>