
Split DNS (Split Horizon)

Split DNS, also called split horizon, is the capability of a nameserver to manage and present different entries of a zone depending on conditions such as the source IP address of the client.

Generating TSIG Keys

Debian Package required: bind9-utils

Generate separate keys and use them in the BIND master and slave configuration. By default the key is named “tsig-key”, but it can be renamed to anything else. Every time the command is run, a new random key is generated.

# tsig-keygen -a sha512
// The output is a complete named.conf "key" statement. The secret is
// base64; it is a shared secret, so the same statement is copied verbatim
// into both the primary's and the secondary's configuration.
key "tsig-key" {
        algorithm hmac-sha512;
        secret "I9eUeZZb1yzH1KJca8E9EnggzCdzpwdMU/BZEBxeJ2hAaBM0gG89w0Cww1P656C4GOhYg8V8JmxkEmyAwJN0vw==";
};

# tsig-keygen -a sha512
// Second run: same name, different secret — each invocation produces a
// fresh random key, so only one run's output per key name goes into config.
key "tsig-key" {
        algorithm hmac-sha512;
        secret "VySFw2z04Mz9PYPUYsrgk32vI+SJaf/mVhH0dPbSwSrkb4KZtb+B1z9ECgAcQuMAMICFQ3I6WgWEaKB+RUCgbw==";
};

# tsig-keygen -a sha512 external-key
// The trailing argument becomes the key name in the generated statement.
key "external-key" {
        algorithm hmac-sha512;
        secret "RLtM7tIP6rMl6OcSSoeUzKwPpmT61Vkq1OI6YLZN4/eL+VH9cGSg7Q+cQVh9G5WEVBZPTyTpcBTgtDV9q6MX3A==";
};

# tsig-keygen -a sha512 internal-key
key "internal-key" {
        algorithm hmac-sha512;
        secret "qNwjl2d+N5e4JAzPU5bkDQPQyl52jJqOwVMprBCDNspJcFwNJ/4+WI9BK/bj0WJ8+AHVv2SzgRgSgsPvG37cgg==";
};

# tsig-keygen -a sha512 update-key
// Generated here but not referenced in the view configuration further down.
key "update-key" {
        algorithm hmac-sha512;
        secret "4FXOw3Y8s0Vnja/TJ2XN9JyRhDNysIjFOa9IztYUQ8SwD6BBnspxEFLe0FTh3BFVxkwtMvQv9C0yaCEJ2gnjhA==";
};

Main Config: Primary and Slave Nameserver

vi /etc/bind/named.conf

cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
// In named.conf a leading '#' starts a comment, so the include below is
// disabled: the Debian default zones (root hints, localhost zones) are not
// loaded. This matches the commented-out hint zones inside the views in
// named.conf.local.
#include "/etc/bind/named.conf.default-zones";

Master (primary) Nameserver

vi /etc/bind/named.conf.local

// RFC 1918 private address space. Clients from these ranges are steered
// into the INTERNAL view by its match-clients list.
acl INTERNAL {
        10.0.0.0/8;       // 10/8 private block
        172.16.0.0/12;    // 172.16/12 private block
        192.168.0.0/16;   // 192.168/16 private block
};

// TSIG key that marks a client or peer as "external".
// NOTE(review): hmac-md5 is a weak, deprecated TSIG algorithm; the
// "Generating TSIG Keys" section above produces hmac-sha512 keys — prefer
// those here and on the secondary, with the identical secret on both sides.
key "external-key" {
        algorithm hmac-md5;
        secret "DLYrQqPB6ZJMCO/yYQP7/w==";
};

// TSIG key that marks a client or peer as "internal"; the secondary carries
// the same key statement.
// NOTE(review): hmac-md5 is a weak, deprecated TSIG algorithm; use the
// hmac-sha512 keys generated above instead, on both primary and secondary.
key "internal-key" {
        algorithm hmac-md5;
        secret "j10uJPBhPhhmmDhUwZmqQg==";
};

// Internal view. match-clients is evaluated first-match: a request signed
// with internal-key always lands here, a request signed with external-key
// never does (even from an INTERNAL address), and unsigned requests are
// admitted by source address only.
view INTERNAL {
        match-clients { key internal-key; !key external-key; INTERNAL; };
        // Messages this server sends to 192.168.19.17 (the also-notify
        // target below) are signed with internal-key, so the secondary can
        // place the NOTIFY and the following transfer in its own INTERNAL view.
        server 192.168.19.17 { keys internal-key; };
        // Recursion is left to named.conf.options (not shown on this page);
        // NOTE(review): confirm the effective value rather than relying on
        // BIND's default.
        //recursion yes;
        zone "steffenrohr.com" {
                type master;
                // Internal version of the zone data.
                file "/var/cache/bind/steffenrohr.com.inside.zone";
                notify yes;
                notify-source 192.168.19.1;
                also-notify { 192.168.19.17; };
                // NOTE(review): no allow-transfer is set; the default differs
                // between BIND versions — confirm transfers of the inside zone
                // are limited to the secondary and/or internal-key.
        };

        // Root hints disabled here, consistent with the disabled
        // default-zones include in named.conf.
        //zone "." {
        //      type hint;
        //      file "/usr/share/dns/root.hints";
        //};
};

// External view. Requests signed with internal-key are excluded first;
// requests signed with external-key, and then every remaining client
// ("any"), end up here.
view EXTERNAL {
        match-clients { !key internal-key; key external-key; any; };
        // Outgoing messages to the secondary are signed with external-key so
        // the secondary selects its EXTERNAL view for NOTIFY and transfer.
        server 192.168.19.17 { keys external-key; };
        // NOTE(review): this view matches "any"; recursion is inherited from
        // named.conf.options (not shown). Confirm recursion is disabled or
        // restricted for this view so the server is not an open resolver.
        //recursion yes;

        zone "steffenrohr.com" {
                type master;
                // Public version of the zone data.
                file "/var/cache/bind/steffenrohr.com.outside.zone";
                notify yes;
                notify-source 192.168.19.1;
                also-notify { 192.168.19.17; };
                // NOTE(review): no allow-transfer is set for a zone reachable
                // by any client — confirm transfers are restricted.
        };

        //zone "." {
        //      type hint;
        //      file "/usr/share/dns/root.hints";
        //};
};

Slave (secondary) Nameserver(s)

vi /etc/bind/named.conf.local

// Address ranges treated as internal on the secondary. Only the 192.168/16
// block is active; the other RFC 1918 ranges stay commented out.
acl INTERNAL {
        //10.0.0.0/8;
        //172.16.0.0/12;
        192.168.0.0/16;   // 192.168/16 private block
};

// Must be identical to the external-key statement on the primary.
// NOTE(review): hmac-md5 is a weak, deprecated TSIG algorithm; use the
// hmac-sha512 keys generated above, on both primary and secondary.
key "external-key" {
        algorithm hmac-md5;
        secret "DLYrQqPB6ZJMCO/yYQP7/w==";
};

// Must be identical to the internal-key statement on the primary.
// NOTE(review): hmac-md5 is a weak, deprecated TSIG algorithm; use the
// hmac-sha512 keys generated above, on both primary and secondary.
key "internal-key" {
        algorithm hmac-md5;
        secret "j10uJPBhPhhmmDhUwZmqQg==";
};

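// Internal view on the secondary. match-clients is first-match: requests
// signed with internal-key land here, requests signed with external-key are
// excluded, unsigned requests are admitted by source address.
view INTERNAL {
        match-clients { key internal-key; !key external-key; INTERNAL; };
        // Requests this secondary sends to the primary (SOA refresh queries,
        // zone transfers) are signed with internal-key so they are answered
        // from the primary's INTERNAL view. 192.168.19.1 is taken from the
        // primary's notify-source — confirm it is the address the primary
        // serves on.
        server 192.168.19.1 { keys internal-key; };
        // Recursion is left to named.conf.options (not shown on this page).
        //recursion yes;
        zone "steffenrohr.com" {
                // A secondary pulls the zone from the primary; the earlier
                // "type master" copy of the primary's block would never
                // transfer and would try to load a non-existent local file.
                type slave;
                masters { 192.168.19.1; };
                // Transferred zone data is cached here.
                file "/var/cache/bind/steffenrohr.com.inside.zone";
                // NOTE(review): consider allow-transfer { none; } unless this
                // secondary feeds further servers.
        };

        //zone "." {
        //      type hint;
        //      file "/usr/share/dns/root.hints";
        //};
};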

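// External view on the secondary: requests signed with internal-key are
// excluded, everything else (signed with external-key or unsigned) lands here.
view EXTERNAL {
        match-clients { !key internal-key; key external-key; any; };
        // Requests to the primary are signed with external-key so the primary
        // answers from its EXTERNAL view. 192.168.19.1 is taken from the
        // primary's notify-source — confirm it is the primary's address.
        server 192.168.19.1 { keys external-key; };
        // NOTE(review): this view matches "any"; confirm recursion is disabled
        // or restricted in named.conf.options so the server is not an open
        // resolver.
        //recursion yes;

        zone "steffenrohr.com" {
                // A secondary pulls the zone from the primary; the earlier
                // "type master" copy of the primary's block would never
                // transfer.
                type slave;
                masters { 192.168.19.1; };
                // Transferred zone data is cached here.
                file "/var/cache/bind/steffenrohr.com.outside.zone";
                // NOTE(review): consider allow-transfer { none; } for a zone
                // reachable by any client.
        };

        //zone "." {
        //      type hint;
        //      file "/usr/share/dns/root.hints";
        //};
};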

Further information


Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal