How to set up split dns horizon on centos 7 with dnsmasq

Issues related to configuring your network
ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

How to set up split dns horizon on centos 7 with dnsmasq

Post by ray-ven » 2014/08/18 14:12:53

Hello Centos Forum, I'm new to CentOS (a little more experienced with ubuntu-server, clearos and zentyal)

I have an external NIC and 2 internal NICs, and am trying to set up dhcp on both of the internal interfaces. So I created a bridge br0 for the internal LAN interface, and hostapd adds the wifi interface to it as well. I can connect via dhcp but cannot access the internet. I can access internet both over LAN and wifi with static IP though.
Static: IP: 10.20.10.2, Netmask 255.255.255.0 Gateway 10.20.10.1, DNS Servers: 213.73.91.3,85.214.20.141. DHCP with addresses only and added DNS servers doesn't work either.
I have to add that I experimented with setting up an alias for 10.20.10.1 like mycloud to be able to connect via this hostname, which doesn't work either. I'm using webmin.

I'm using network (not networkmanager)

Enabled Masquerading: iptables -t nat -A POSTROUTING -o EXTERNAL-NIC -j MASQUERADE

my dhcp.conf

option subnet-mask 255.255.255.0;
option domain-name-servers 213.73.91.3, 85.214.20.141;
ddns-update-style interim;
# LAN
subnet 10.20.10.0 netmask 255.255.255.0 {
	option time-offset -18000;
	range 10.20.10.100 10.20.10.200;
	}

I have to add, that everything (cloud service, libvirt, mysql, openvpn, hostapd ...) works fine, except the networking.

Thanks for helping!

Ray
Last edited by ray-ven on 2014/08/31 17:50:11, edited 3 times in total.

ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

Re: DHCP/DNS Problems on Centos 7 with internal nic

Post by ray-ven » 2014/08/18 20:27:49

ok, got one thing working... was masquerading 2 interfaces - now only with external interface.

But one problem persists... Still need to set an alias for 10.20.10.1, I want to make internal interfaces use lan connection to 10.20.10.1 when accessing mydomain.com. Should be a little trick only. I know, I can manually add this at the client in /etc/hosts with 10.20.10.1 mydomain.com but can't this be done with dhcp or redirection? In clearos I just had to add alias for 10.20.10.1

Thank you

Ray

ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

Re: DHCP/DNS Problems on Centos 7 with internal nic

Post by ray-ven » 2014/08/20 05:36:20

Maybe I have to ask differently:

Let's say I'm owning xyz.com and it can be accessed from anywhere in the internet perfectly. The thing is, when I'm at the company where xyz.com (accessing the LAN of the company (DHCP)) I want xyz.com to resolve its LAN IP address, not the WAN IP. How can this be done?!

Please help me out

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: DHCP/DNS Problems on Centos 7 with internal nic

Post by TrevorH » 2014/08/20 08:19:36

If I understand you correctly then you'll need to use split DNS and set up different views. Then bind will return different answers to the same question based on the IP address that asks the question.

ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

Re: DHCP/DNS Problems on Centos 7 with internal nic

Post by ray-ven » 2014/08/23 13:54:34

Thanks for your reply TrevorH,

Split-dns seems to be the correct way of doing it. I've read a few things about it but don't really know how to configure it.
I put 10.20.10.1 blabla.com to /etc/hosts, but still the clients get the wan ip of blabla.com. I'm using dhcpd but not bind or dnsmasq at the moment. Isn't there an easy way to set this up?

Thank you

Ray

ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

Re: How to set up split dns on centos 7

Post by ray-ven » 2014/08/24 15:05:51

tried dnsmasq as described below, with no success....
(port 53/udp opened at ipfire)

http://home.swkls.org/dnsmasq-on-centos ... filtering/

resolv.dnsmasq

nameserver 8.8.8.8
nameserver 8.8.4.4

dnsmasq.conf

domain-needed
bogus-priv
resolv-file=/etc/resolv.dnsmasq
strict-order
user=dnsmasq
group=dnsmasq
interface=br0
#no-dhcp-interface=eth0
log-facility=/var/log/dnsmasq.log
log-queries
dns-forward-max=150
cache-size=10000
conf-file=/etc/dnsmasq.d/redirect.conf

my blocklist/redirect.conf (which isn't used as a blocklist actually)

address=/mydomain.com/10.20.10.1

Any suggestions?
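
Added example, not part of the original posts: a shell check that reads the two configs posted in this thread and reports whether DHCP clients are actually sent to the dnsmasq instance that holds the `address=` override. It assumes the dhcp.conf from the first post is still in effect and that dnsmasq answers on 10.20.10.1; the function names and temp files are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread). File contents below are constructed
# from the snippets posted above; 10.20.10.1 as dnsmasq listener is assumed.

# Resolvers that dhcpd hands to clients, one per line.
dhcp_resolvers() {  # $1 = dhcpd config
    sed -n 's/^[[:space:]]*option[[:space:]]\{1,\}domain-name-servers[[:space:]]\{1,\}\(.*\);.*$/\1/p' "$1" |
        tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Address a dnsmasq address=/domain/ip line returns for a name.
# dnsmasq applies the override to the domain itself and to every subdomain.
override_ip() {  # $1 = dnsmasq config, $2 = queried name
    awk -F/ -v name="$2" '/^address=\// {
        for (i = 2; i < NF; i++) {
            d = $i; n = length(name) - length(d)
            if (name == d || (n > 0 && substr(name, n) == "." d)) { print $NF; exit }
        }
    }' "$1"
}

# 0 = every DHCP client resolves $3 through dnsmasq; 1 = some resolver
# bypasses it; 2 = no override or no resolver option found.
check_split_horizon() {  # $1 dhcpd conf  $2 dnsmasq conf  $3 name  $4 listener IP
    ip=$(override_ip "$2" "$3")
    [ -n "$ip" ] || { echo "FAIL: no address= override covers $3"; return 2; }
    res=$(dhcp_resolvers "$1")
    [ -n "$res" ] || { echo "FAIL: dhcpd hands out no resolver"; return 2; }
    bypass=$(printf '%s\n' "$res" | grep -vxF "$4" | tr '\n' ' ')
    if [ -n "$bypass" ]; then
        echo "FAIL: clients query ${bypass}directly and get the public answer"
        return 1
    fi
    echo "OK: $3 -> $ip for all DHCP clients"
}

# Constructed sample files: the posted resolver option, a corrected one, the override.
tmp=$(mktemp -d)
printf '%s\n' 'option domain-name-servers 213.73.91.3, 85.214.20.141;' > "$tmp/dhcpd.posted"
printf '%s\n' 'option domain-name-servers 10.20.10.1;' > "$tmp/dhcpd.fixed"
printf '%s\n' 'address=/mydomain.com/10.20.10.1' > "$tmp/redirect.conf"

check_split_horizon "$tmp/dhcpd.posted" "$tmp/redirect.conf" mydomain.com 10.20.10.1 || true
check_split_horizon "$tmp/dhcpd.fixed" "$tmp/redirect.conf" www.mydomain.com 10.20.10.1 || true
```

On a live system, pass the real dhcpd and dnsmasq config files instead of the temp files; a client with a statically configured public resolver bypasses the override in the same way.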

jensd
Posts: 36
Joined: 2014/07/08 12:23:09

Re: How to set up split dns on centos 7

Post by jensd » 2014/08/26 08:51:48

You need a split horizon DNS for what you want to accomplish.

See this small tutorial which I wrote earlier on how to set up a split horizon DNS with CentOS 7 and Bind.
The tutorial is for a master and a slave but the first part focuses only on the master (what you need): http://jensd.be/?p=160

Just configure only the zones which you want to be resolved differently and enable recursion or forward the request to another DNS (for example 8.8.8.8) for all other zones.

Basic DNS-setup can be found here, but I assume that won't be a problem:
http://jensd.be/?p=197
Last edited by jensd on 2014/09/01 07:28:03, edited 1 time in total.

ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

Re: How to set up split dns horizon on centos 7

Post by ray-ven » 2014/08/31 17:49:29

Thank you for helping!

Well, bind is a huge riddle to me, and I really want to stay with dnsmasq. Afaik dnsmasq supports this. It's just one address! And if I just add one line to the client's /etc/hosts it works - it can't be that difficult to set this up with dnsmasq! Bind is just way too much!

Any Ideas?

Ray

wchao
Posts: 7
Joined: 2014/07/19 20:37:00

Re: How to set up split dns horizon on centos 7 with dnsmasq

Post by wchao » 2014/09/02 00:49:17

Split horizon DNS is the best solution, but if you get stumped on that, another option is iptables, like so:

iptables -t nat -A PREROUTING -d 1.2.3.4 -j DNAT --to-destination 10.20.10.1
iptables -t nat -A POSTROUTING -p tcp -m tcp -s 10.20.10.0/24 -d 10.20.10.0/24 -j SNAT --to-source 10.20.10.1

That assumes 1.2.3.4 is the WAN IP of the server. One side effect is all accesses in the server log will show 10.20.10.1 as the client's IP.

Split horizon DNS is a better solution if you can implement it.

ray-ven
Posts: 7
Joined: 2014/08/18 13:54:53

Re: How to set up split dns horizon on centos 7 with dnsmasq

Post by ray-ven » 2014/09/17 16:20:40

Thanks for the useful iptables tip, still I'd like to do it with dnsmasq - afaik it's capable of doing split horizon. Has nobody made any experiences with it?
