Dnsmasq with public domain, split DNS

Let's just describe what split horizon dns means. It means when internal clients ask for a name they get one response, and when external clients ask they get another.

If you set that up, everything will work. You can do it using the hosts file... For such a small setup.

That is what my setup is trying to accomplish and it works.

It should also work if you just put the names into the host file on the router. I don't understand what the rest of your setup is for.

This also overwrites the "real" hostname of a host.
When doing an nslookup or viewing connections it shows the wrong hostname.

@lleachii
Did you do the nslookup?
Then you will notice that the public ipv6 is not registered in dnsmasq dns.
Only the ULA ipv6 is registered.
To change that, lines 421-422 and 424-425 need to be removed from the dnsmasq init script.

No, it doesn't. It will list all the private ones. If I add my domain suffix it will though.

root@magiatiko:~# nslookup magiatiko
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      magiatiko
Address 1: 172.30.30.1
Address 2: 10.0.2.1
Address 3: 172.17.17.1
Address 4: fd00:bbbb:0:30:15:6dff:fec3:30b9
Address 5: fd00:bbbb::1
root@magiatiko:~# nslookup magiatiko.example.com
Server:         127.0.0.1
Address:        127.0.0.1#53

*** Can't find magiatiko.example.com: No answer  <---- there is no IPv4, not an issue
Name:      magiatiko.example.com
Address 1: 2001:aaaa:bbbb:cccc::1 

No, I went to bed.

  • When I nslookup on the router, I get the private IPv4 address of all interfaces with DHCP running - I have public and private IPv4s on other interfaces too, they do not appear (I note this for a reason).
    • BTW, my IPv6 addresses are stateless and random on these interfaces (I note that for a reason also)
  • When I nslookup the router name on a client in LAN, I again get the private IPv4 address of all interfaces with DHCP running
  • When I lookup a hostname I declared in the OpenWrt, I get what I configured
  • When I look up a client hostname of a client with a DHCP assigned IP, I get the IPv4 issued to it - I do not get IPv6 addresses
    • again my IPv6 clients are stateless and random - no DHCPv6
  • If I lookup a server by its global hostname, I get the IPv4 and IPv6 records derived from its Global Authoritative Nameserver :slightly_smiling_face:
    • the IPv4 is one of the Public IPs assigned; or on an IP for relevant ports NATed to it (the latter, obviously the scenario of a user with a single WAN IP) :wink:
    • the IPv6 is the statically assigned IPv6 address of the same server (this IP changes depending on the hostname, service and the true server in LAN)
  • Also, I should note, I declare no "lookup domain" to the dnsmasq, or I technically declare - ROOT Zone...depending on how you think of it

If I nslookup servers on my VLAN not running DHCP:

  • NXDOMAIN on server hostname, if not identical to its global
    • if global, then (as above) I receive an answer derived from its Authoritative Nameserver
  • if I lookup the config domain in OpenWrt, I get the result I configured (I rarely make such a config)
  • of course, I need no such records on the VLAN of public IPs, their forward and reverse records - and IP are identical; the global record needs no poisoning

Imagine that, I refrain from all such router configs you are making - for the exact same reason.

In a split horizon, the real hostname is the global record; but somehow your local records control that or cross this plane, and you can't clearly explain why this is so...nor the purpose for this configuration - yet desiring a "split".

Your method clearly breaks the "split" in Split Horizon DNS.

  • You see why I noted it now...
  • and why you must "hard assign"/"hard link" a AAAA record to the static Public IP for any desired service? :smiley:

This thread now seems to be more how you misconfigured DDNS to your LAN...and want to make the Local and Global Zone identical (but in names only :confused:)...hence no Split horizon DNS???

And to reiterate...I get whatever I configure, that would include a local IPv4, if needed.

And yes, LuCI shows my local IPv6 addresses (e.g. in Wireless Associations).

It means different sets or sources of information too. For example, things not covered under your definition:

  • different DNS server infrastructure derives the same answer altogether (e.g. enterprise DNS inside an Autonomous System, separate from their global records)
    • hence, could have a different keyset (that part would be a different "response" I suppose)
  • privately replicating to a global zone server - which will give answers to global queriers, I thought this is what the OP was somehow doing, without BIND and over DDNS (could be done inclusive of point a) - the global NSes are just slaves of a real private, unlisted master (this could be inclusive of different sets of information, since I suppose the NS and SOA could differ)
  • a public user who zone transfers to servers with open access - the records of their private resolver for use with all lookups
    • e.g. a university campus transfers the zone in-whole to hardened responders; or
  • vice versa - a private user who transfers to private servers with closed access and usage, from a zone on a public nameserver
  • a zone scenario that has more than 1 horizon (CNAMES are good here too)
  • forcing redirection of lookups to the geographically closest server possessing the record
  • different hosts are assigned different DNS servers (e.g. monitored/logged lookups, unmonitored lookups)

This is invalid BTW, a CNAME cannot sit in the root of a zone, it must be an A record so you must CNAME www.example.com to lookup example.com...and I never understood you doing a CNAME to a wildcard anyway...and at any rate, that's when I thought the Local IP would differ locally and be identical with a single WAN IP globally...so no global CNAMEs needed. (edit, and no local either, if you truly used the real hostnames and setup DDNS properly).

And for entirely separate reasons, the folks at dropwww.com and no-www.org would get you!!! :man_farmer: :smile:

Have a good weekend all...let's help solve this one...

EDIT...

Whoa, I think I understand your problem now...

My log:

074552       : Waiting 600 seconds (Check Interval)
 075552       : Detect registered/public IP
 075552       : #> /usr/bin/nslookup example.com  >/var/run/ddns/xxxxxx.dat 2>/var/run/ddns/xxxxxx.err
 075553       : Registered IP 'xxx.xxx.xxx.xxx' detected
 075553  info : Rerun IP check at 2020-03-06 07:55
 075553       : Detect local IP on 'network'
 075553       : Local IP 'xxx.xxx.xxx.xxx' detected on network 'wan'

Please tell me you're updating a 2nd domain that isn't the zone in question...then I could understand the idea of doing a CNAME to that.

I would assume your OpenWrt would get the IP you assigned...or was received by DHCP to the host...hence no update...or a private IP...?

I would think it would always change to the WAN IP...and this leaves your local lookup unaffected. :man_facepalming:

Please don't say this has been your issue all along...cause I don't see the problem:

or you're using, script or URL???

or giving an [incorrect] DDNS update somewhere else?

OMG...PLEASE DON'T say you're using

  • www.example.com ; or
  • example.com

as the router's (or any device's) local hostname?

I really still don't get how a simple setup, even with a public domain won't produce:

  • local lookup local (your devices receive an IP and announce their hostname, and you statically added the records); and
  • global lookup global (all DDNS names go to the proper IP; cause you set them up that way - you only have 1 WAN IP and if you get another, that config would be pointed to it instead - this cannot be difficult with 1 WAN IP)

...even if DDNS sees a Local IP via nslookup and then checks WAN before updating.

it seems like everything you are doing is to avoid the problem that reverse lookups return a random name from among the names you use?

like if you have shm0.foo.org and www.foo.org both showing the same IP in the hosts file, then reverse lookups say www.foo.org but you want shm0.foo.org

is that right? if that's the issue then you should make www.foo.org a cname for shm0.foo.org. Yes.

but this should be global... not different internally and externally.

I still don't think this precludes you from just doing shm0 as a static hosts file entry with ips using internal IP.

Basically any time you want an A or AAAA record on the public DNS you can have a hosts file entry that dnsmasq will "masquerade" for you to your internal IP... that's literally the reason it was written afaik.

The host file solution is just bad.
Also when using host file for ad blocking, it overwrites 127.0.0.1 or 0.0.0.0.
When you netstat or something else everything is screwed.
Host file is no go for me.

Well, with cname on the internal/local site it is possible to replicate a 1:1 mapping with cnames.

What about ULA? Should they be used or not?

overwrite 127.2.17.37 instead...

To be clear here's what I mean by a hostfile solution... suppose you have 3 servers on your LAN, named box1, box2, box3. Then in your hosts file you have:

192.168.1.11 box1.public.com
fd99:9999::1:1 box1.public.com

192.168.1.12 box2.public.com
fd99:9999::1:2 box2.public.com

192.168.1.13 box3.public.com
fd99:9999::1:3 box3.public.com

Now, on the public DNS of the internet assuming 99.99.11.11 is your public IP, you have:

www.public.com CNAME to box1.public.com
ftp.public.com CNAME to box2.public.com
sip.public.com CNAME to box3.public.com

99.99.11.11 box1.public.com
2001:db8::1:1 box1.public.com

99.99.11.11 box2.public.com
2001:db8::1:2 box2.public.com

99.99.11.11 box3.public.com
2001:db8::1:3 box3.public.com

From outside, everyone CNAMEs to a box, all the boxes appear to have the same IPv4 address, but different public ipv6 addresses, and your router port-redirects appropriately for ipv4...

from inside, everyone still CNAMEs to a box, but the hosts file has the internal IP addresses in it, so that the addresses come back right for the internal address.

This is what is normally done for split horizon as far as I know.

Well, that is a possibility :smile:

But this will expose the internal hostnames to the public.
I have it the other way around.

Public Site:

99.99.11.11 www.public.com
2001:db8::1:1 www.public.com

99.99.11.11 ftp.public.com
2001:db8::1:2 ftp.public.com

99.99.11.11 sip.public.com
2001:db8::1:3 sip.public.com

Internal site:

192.168.1.11 box1.public.com
fd99:9999::1:1 box1.public.com

192.168.1.12 box2.public.com
fd99:9999::1:2 box2.public.com

192.168.1.13 box3.public.com
fd99:9999::1:3 box3.public.com

www.public.com CNAME to box1.public.com
ftp.public.com CNAME to box2.public.com
sip.public.com CNAME to box3.public.com
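The internal view that the two posts above describe (address records only for the box names, the service names as CNAMEs pointing at them) can be given to dnsmasq directly instead of through a hosts file. This is an added example, not configuration from the thread; the addresses are the thread's own made-up ones, and the assumption that OpenWrt's init script also reads /etc/dnsmasq.conf is mine.

```conf
# Internal (LAN-facing) view served by dnsmasq. On OpenWrt this can be appended
# to /etc/dnsmasq.conf, which the UCI-generated config pulls in via conf-file
# (assumption; on a plain dnsmasq install put it in the main dnsmasq.conf).

# One record per box, IPv4 and IPv6 together. Only these names carry A/AAAA
# records, so a reverse (PTR) lookup of 192.168.1.11 answers box1.public.com
# and never www.public.com - the "wrong hostname in netstat" problem from
# the hosts-file approach does not arise.
host-record=box1.public.com,192.168.1.11,fd99:9999::1:1
host-record=box2.public.com,192.168.1.12,fd99:9999::1:2
host-record=box3.public.com,192.168.1.13,fd99:9999::1:3

# Service names are aliases of the boxes, the same aliases as in the public
# zone, so the name set is identical inside and outside; only the addresses
# differ. dnsmasq only accepts cname= targets it knows locally (host-record,
# hosts files, DHCP leases or another cname), which these targets are.
cname=www.public.com,box1.public.com
cname=ftp.public.com,box2.public.com
cname=sip.public.com,box3.public.com

# Nothing else under public.com is defined here, so any other name in that
# domain is forwarded upstream and resolves to its public answer as usual.
```

Check the result from a LAN client with `nslookup www.public.com`: the answer should be the CNAME to box1.public.com followed by 192.168.1.11 and fd99:9999::1:1, while the same query from outside returns the public addresses.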

I just noticed it is possible to enter a DNS server in DDNS script config.
So there is no need to create a separate subdomain (to make the DDNS domain lookup work).

I use DHCPv6 static leases. Makes things easier with dynamic prefix.
I made this simple script to get the public IP of a host:

#!/bin/ash
# Print the IPv6 address a host received from odhcpd (DHCPv6 static lease)
# inside the ISP-delegated prefix, for use as the IP source of ddns-scripts.
# Usage: get_host_ipv6.sh <isp_prefix> <internal_hostname>

# Print the odhcpd lease file path from UCI; fail if none is configured.
get_odhcpd_lease_file() {
  local lease_file

  lease_file="$(uci -q get dhcp.odhcpd.leasefile)" || return 1
  [ -n "${lease_file}" ] || return 1
  echo "${lease_file}"
}

# Print the lease-file address(es) that start with the ISP prefix and belong
# to the given hostname. odhcpd writes the leases in hosts format, one
# "<address><TAB><hostname>" line per address, so the first field is the
# address. Note that the hostname part is a plain substring match.
get_host_ipv6() {
  local isp_prefix="${1}"
  local host_name="${2}"
  local lease_file host_ipv6

  lease_file="$(get_odhcpd_lease_file)" || return 1
  host_ipv6="$(grep -E "^${isp_prefix}.+${host_name}" "${lease_file}" | cut -f1)"
  [ -n "${host_ipv6}" ] || return 1
  echo "${host_ipv6}"
}

if [ "$#" -ne 2 ]; then
  echo "usage: $0 <isp_prefix> <internal_hostname>" >&2
  exit 1
fi

# Propagate the lookup's exit status so a caller can tell "not found" from success.
get_host_ipv6 "${@}"

It gets the GULA IP from the odhcpd lease file. Parameters are: isp_prefix internal_hostname
Works well so far with ddns scripts.

//edit
Maybe I should add this here too.
To maintain a firewall rule that opens a port for a host with a static suffix but dynamic prefix:
For Example:
ISP Prefix: 2001:1234
Host gets static ::1 suffix from DHCP
UCI firewall config:

config rule
  option name 'WAN6-FORWARD-LAN-Accept-HTTPS'
  option family 'ipv6'
  option proto 'tcp'
  option src 'wan'
  option dest 'lan'
  option dest_port '443'
  option extra '-d 2001:1234::1/FFFF:FFFF::FFFF'
  option target 'ACCEPT'