Proper behavior for a DNS Server when it is queried for a domain it doesn't control in the case of Split-Horizon DNS?

So one of our cloud providers offers a lower-latency, zero-rated "Internal Networking" option between VMs. The interfaces on the internal network are in the 10.x.x.x IP Space. When one of our servers queries the hostname of another server on the internal network, we'd like it to resolve to the address on the internal network rather than the public routable address which incurs transfer accounting.

We've implemented a small server that does exactly this: when the source IP is a 10.x.x.x IP, it returns the internal address.

What we don't want to do is have our internal server be the sole primary DNS server for our VMs. We would have it be the first server on the client list, followed by a public DNS service like 1.1.1.1.

So if the internal DNS is queried for google.com (which we don't own), what is the proper response we should return to the client? Should we simply ignore the request or should we return an NXDOMAIN response?

Thank you for any advice!


If you use the server as a recursive server, it should respond with the correct reply resolved from the authoritative infrastructure. If you return NXDOMAIN, the DNS client trusts the answer and won't continue to the other servers. If you don't reply at all, that would only cause unnecessary timeout delays.

Also, DNS clients don't typically have the functionality to understand such conditional resolution, but DNS servers do. Therefore, one option to consider is to install a local DNS server on every server that will perform the conditional forwarding. In this case, the only DNS server you'd configure in your resolv.conf would be the localhost, i.e., 127.0.0.1.

The examples are in BIND configuration format, as you don't specify your flavor in the question.

options {
    // default forwarder for everything not matched by a forward zone below
    forwarders { 1.1.1.1; };
};

zone "example.com" {
    // queries for the internal zone go only to the internal DNS server
    type forward;
    forward only;
    forwarders { 10.8.8.8; };
};

Or, if the connection to the internal DNS server is unstable, the servers could also host copies of the internal zones via zone transfers:

zone "example.com" {
    type slave;
    file "/etc/bind/db/example.com";
    masters { 10.8.8.8; };
};

Naturally the master server should then allow the transfers, too.
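As an added illustration (not part of the answer above), the following Python model shows the two points the answer makes: a local forwarder picks the upstream by longest-matching zone suffix, the way the BIND `type forward` zone does, and a stub resolver treats NXDOMAIN as a final answer while a timeout falls through to the next server. The hostnames, addresses and forwarder table are constructed sample data, not taken from the question's environment.

```python
import ipaddress

# Constructed sample data: the internal network from the question and one
# host that has both an internal (10.x) and a public address.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
RECORDS = {
    "web1.example.com.": {"internal": "10.8.0.10", "public": "203.0.113.10"},
}
# Forward-zone table mirroring the BIND config: internal zone -> internal
# server, everything else ("." = root) -> the public resolver.
FORWARDERS = {"example.com.": "10.8.8.8", ".": "1.1.1.1"}


def _canon(qname):
    """Normalise a query name to lower case with a trailing dot."""
    return qname.lower().rstrip(".") + "."


def choose_forwarder(qname, forwarders=FORWARDERS):
    """Pick the upstream with the longest zone suffix matching qname."""
    name = _canon(qname)
    best = "."
    for zone in forwarders:
        if zone == ".":
            continue
        if (name == zone or name.endswith("." + zone)) and len(zone) > len(best):
            best = zone
    return forwarders[best]


def split_horizon_answer(qname, source_ip, records=RECORDS):
    """Return the internal address for 10.x clients, the public one otherwise.

    Unknown names yield None: the caller should forward/recurse, not NXDOMAIN.
    """
    view = "internal" if ipaddress.ip_address(source_ip) in INTERNAL_NET else "public"
    rec = records.get(_canon(qname))
    return rec[view] if rec else None


def stub_resolve(servers, reply_for):
    """Model of a stub resolver walking its server list in order.

    reply_for(server) returns (rcode, data). NOERROR and NXDOMAIN are final
    answers; TIMEOUT or SERVFAIL makes the client try the next server.
    """
    for server in servers:
        rcode, data = reply_for(server)
        if rcode in ("NOERROR", "NXDOMAIN"):
            return server, rcode, data
    return None, "TIMEOUT", None
```

The `stub_resolve` model shows why answering NXDOMAIN for google.com from the first-listed internal server breaks resolution: the client never reaches 1.1.1.1.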