<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <!--$Id$-->

  <articleinfo>
    <title>Simple way to set up Split DNS</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2008</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <section>
    <title>What is Split DNS</title>

    <para><firstterm>Split DNS</firstterm> is simply a configuration in which
    the IP address to which a DNS name resolves is dependent on the location
    of the client. It is most often used in a NAT environment to insure that
    local clients resolve the DNS names of local servers to their RFC 1918
    addresses while external clients resolve the same server names to their
    public counterparts.</para>
  </section>

  <section>
    <title>Why would I want to use Split DNS?</title>

    <para>See <ulink url="FAQ.htm#faq2">Shorewall FAQ 2</ulink>.</para>
  </section>

  <section>
    <title>Setting up Split DNS</title>

    <para>Setting up Split DNS is extremely simple:</para>

    <orderedlist>
      <listitem>
        <para>Be sure that your firewall/router can resolve external DNS
        names.</para>
      </listitem>

      <listitem>
        <para>Install the <emphasis role="bold">dnsmasq</emphasis> package
        (<ulink
        url="http://www.thekelleys.org.uk/dnsmasq/doc.html">http://www.thekelleys.org.uk/dnsmasq/doc.htm</ulink>l)
        and arrange for it to start at boot time. There are many dnsmasq
        HOWTOs on the Internet.</para>
      </listitem>

      <listitem>
        <para>Add your local hosts to <filename>/etc/hosts</filename> on the
        firewall/router using their local RFC 1918 addresses. Here's an
        example:<programlisting>#
# hosts         This file describes a number of hostname-to-address
#               mappings for the TCP/IP subsystem.  It is mostly
#               used at boot time, when no name servers are running.
#               On small systems, this file can be used instead of a
#               "named" name server.
# Syntax:
#    
# IP-Address  Full-Qualified-Hostname  Short-Hostname
#

127.0.0.1       localhost

<emphasis role="bold">172.20.0.1      openvpn.shorewall.net   openvpn
172.20.0.2      vpn02.shorewall.net     vpn02
172.20.0.3      vpn03.shorewall.net     vpn03
172.20.0.4      vpn04.shorewall.net     vpn04
172.20.0.5      vpn05.shorewall.net     vpn05
172.20.0.6      vpn06.shorewall.net     vpn06
172.20.0.7      vpn07.shorewall.net     vpn07
172.20.0.8      vpn08.shorewall.net     vpn08
172.20.0.9      vpn09.shorewall.net     vpn09
172.20.0.10     vpn10.shorewall.net     vpn10
172.20.0.11     vpn11.shorewall.net     vpn11
172.20.0.12     vpn12.shorewall.net     vpn12
172.20.0.13     vpn13.shorewall.net     vpn13
172.20.0.14     vpn14.shorewall.net     vpn14
172.20.0.15     vpn15.shorewall.net     vpn15
172.20.0.16     vpn16.shorewall.net     vpn16

172.20.1.1      linksys.shorewall.net   linksys
172.20.1.100    hp8500.shorewall.net    hp8500
172.20.1.102    ursa.shorewall.net      ursa
172.20.1.105    tarry.shorewall.net     tarry
172.20.1.107    teastep.shorewall.net   teastep
172.20.1.109    hpmini.shorewall.net    hpmini

172.20.1.130    lanursa.shorewall.net   lanursa
172.20.1.131    wookie.shorewall.net    wookie
172.20.1.132    tipper.shorewall.net    tipper
172.20.1.133    nasty.shorewall.net     nasty
172.20.1.134    ursadog.shorewall.net   ursadog
172.20.1.135    opensuse.shorewall.net  opensuse
172.20.1.136    centos.shorewall.net    centos
172.20.1.137    fedora.shorewall.net    fedora
172.20.1.138    debian.shorewall.net    debian
172.20.1.139    archlinux.shorewall.net archlinux
172.20.1.140    foobar.shorewall.net    foobar
172.20.1.141    deblap.shorewall.net    deblap
172.20.1.254    firewall.shorewall.net  firewall

206.124.146.254 blarg.shorewall.net     blarg
</emphasis>
# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet

ff00::0         ipv6-mcastprefix
ff02::1         ipv6-allnodes
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts

<emphasis role="bold">2002:ce7c:92b4::1       gateway6.shorewall.net  gateway6
2002:ce7c:92b4:1::2     mail6.shorewall.net     mail6
2002:ce7c:92b4:1::2     lists6.shorewall.net    lists6
2002:ce7c:92b4:2::2     server6.shorewall.net   server6</emphasis>

</programlisting></para>
      </listitem>

      <listitem>
        <para> If your local hosts are configured using DHCP, that is a simple
        one-line change to the DHCP configuration.</para>
      </listitem>
    </orderedlist>

    <para><emphasis role="bold">And that's it!</emphasis> Your local clients
    will resolve those names in the firewall/router's
    <filename>/etc/hosts</filename> file as defined in that file. All other
    names will be resolved using the firewall/router's Name Server as defined
    in <filename>/etc/resolv.conf</filename>.</para>

    <para>Example:</para>

    <para>From an Internet Host:<programlisting>gateway:~ # host linksys.shorewall.net
linksys.shorewall.net has address 206.124.146.180
gateway:~ # </programlisting></para>

    <para>From Tipper (192.168.1.132):<programlisting>teastep@tipper:~$ host linksys
linksys.shorewall.net has address 172.20.1.1
teastep@tipper:~$ </programlisting></para>

    <para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
    exerpts from the corresponding /etc/dnsmasq.conf:</para>

    <programlisting>interface=eth1

dhcp-range=172.20.1.210,172.20.1.219,24h

dhcp-host=00:11:85:89:da:9b,172.20.1.220

dhcp-host=00:1A:73:DB:8C:35,172.20.1.102
dhcp-host=00:25:B3:9F:5B:FD,172.20.1.100
dhcp-host=00:1F:E1:07:53:CA,172.20.1.105
dhcp-host=00:1F:29:7B:04:04,172.20.1.107
dhcp-host=00:24:2b:59:96:e2,172.20.1.109

dhcp-host=00:1B:24:CB:2B:CC,172.20.1.130
dhcp-host=00:21:5a:22:ac:e0,172.20.1.131
dhcp-host=08:00:27:B1:46:a9,172.20.1.132
dhcp-host=08:00:27:31:45:83,172.20.1.133
dhcp-host=08:00:27:28:64:50,172.20.1.134
dhcp-host=08:00:27:4b:38:88,172.20.1.135
dhcp-host=08:00:27:f6:4d:65,172.20.1.136
dhcp-host=08:00:27:dc:cd:94,172.20.1.137
dhcp-host=08:00:27:0f:d3:8f,172.20.1.138
dhcp-host=08:00:27:42:9c:01,172.20.1.139
dhcp-host=08:00:27:5a:6c:d8,172.20.1.140
dhcp-host=08:00:27:da:96:78,172.20.1.141

dhcp-option=19,0           # option ip-forwarding off
dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
dhcp-option=45,0.0.0.0     # netbios datagram distribution server
dhcp-option=46,8           # netbios node type
dhcp-option=47             # empty netbios scope.

dhcp-option=option:domain-search,shorewall.net
</programlisting>
  </section>
</article>