Split horizon DNS, please help me understand it or help me make it work

Hello vyos users.

I'm learning VyOS and networking in general by using it for my home lab.

At the moment I'm using this VyOS version:
Version: VyOS 1.3.0-rc5
Release Train: equuleus

In my setup I have:

  • a VPN connection to the remote network xxxxx.xx.
  • the DNS forwarding service.

In my local network, DNS service is provided by:

  • my ISP router
  • maas system

Additionally, one more DNS server I need to use is on the remote network. The connection is configured, and I can use the dig tool to correctly resolve hostnames of the remote network xxxxx.xx.

I can successfully do:

For my local network, all devices use the DNS served by VyOS only.

Now I would like to integrate all three DNS services inside VyOS: ISP DNS, maas DNS, remote network DNS.

I have tried the following two approaches:

1 ==============================================================

 protocols {
 }
     dns {
         forwarding {
             allow-from 192.168.100.0/24
             allow-from 10.8.5.0/24
             domain maas {
                 server 192.168.110.8
             }
             domain xxxxx.xx {
                 server 192.168.200.1
             }
             listen-address 192.168.100.1
             listen-address 10.8.5.1
         }
     }
 }
 system {

     host-name vyos-1
     name-server 192.168.1.1
 }

In this approach, hosts from the maas domain are resolved correctly; however, hosts from the xxxxx.xx domain cannot be resolved:

wiesniak@desk:~$ dig host.xxxxx.xx @192.168.100.1

; <<>> DiG 9.16.1-Ubuntu <<>> host.xxxxx.xx @192.168.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51132
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;host.xxxxx.xx. IN A

;; Query time: 40 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: wto sie 17 23:10:22 CEST 2021
;; MSG SIZE rcvd: 54

But I can still ask the remote DNS directly and get the following answer:

wiesniak@desk:~$ dig host.xxxxx.xx @192.168.200.1

; <<>> DiG 9.16.1-Ubuntu <<>> host.xxxxx.xx @192.168.200.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14898
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 9

;; QUESTION SECTION:
;host.xxxxx.xx. IN A

;; ANSWER SECTION:
host.xxxxx.xx. 2263 IN A 192.168.200.15

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 36 msec
;; SERVER: 192.168.200.1#53(192.168.200.1)
;; WHEN: wto sie 17 23:15:52 CEST 2021
;; MSG SIZE rcvd: 414

2 ==============================================================

 protocols {
 }
     dns {
         forwarding {
             allow-from 192.168.100.0/24
             allow-from 10.8.5.0/24
             domain maas {
                 server 192.168.110.8
             }
             listen-address 192.168.100.1
             listen-address 10.8.5.1
             name-server 192.168.200.1
         }
     }
 }
 system {

     host-name vyos-1
     name-server 192.168.1.1
 }

In this approach, everything works; however, every resolution is made by the remote DNS 192.168.200.1, which I would like to avoid.

Could you please shed some light on this? Especially, I don't understand why it works for the maas domain and doesn't for the xxxxx.xx domain.

Best Regards
Greg.

Looking at the configuration file and at the help (and manual), it is indeed strange that the configuration doesn't work as described.

I would suggest running tcpdump on the VPN interface and comparing the two DNS requests (one in each setup) to see if something is different.


BTW, in your title you mention "split horizon", which is something else. (That is resolving the same domains to different IPs, or through different nameservers, depending on the client's network.)
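To compare the two forwarder setups per domain without reading dig output by hand (the SERVFAIL versus NOERROR difference in the original post, and the tcpdump comparison suggested in the reply), here is an added example that is not part of this thread and not VyOS code: a minimal DNS A-record probe in stdlib-only Python. It builds a query, sends it to a given forwarder, and decodes the rcode and any A answers from the raw response, so the same query can be pointed at the VyOS listen address and at the remote server and the results compared. The two sample responses embedded at the bottom are constructed byte strings that mirror the shape of the two dig replies above (the SERVFAIL sample omits the OPT record for brevity); the addresses and domain are the ones from the post.

```python
"""Minimal DNS A-query probe for comparing forwarders (added example)."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'host.example.' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=None):
    """Standard recursive query (RD=1) for an A record, class IN."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return the rcode name and the A records found in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)), "answers": answers}


def probe(name, server, timeout=2.0):
    """Send one A query to `server` over UDP/53 and decode the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response id does not match query id")
    return resp


# Constructed sample replies shaped like the two dig results in the post.
SAMPLE_NOERROR = (
    struct.pack("!HHHHHH", 14898, 0x8180, 1, 1, 0, 0)
    + encode_name("host.xxxxx.xx") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2263, 4)
    + socket.inet_aton("192.168.200.15")
)
SAMPLE_SERVFAIL = (
    struct.pack("!HHHHHH", 51132, 0x8182, 1, 0, 0, 0)
    + encode_name("host.xxxxx.xx") + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    import sys
    # usage: python dns_probe.py host.xxxxx.xx 192.168.100.1
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once against the VyOS listen address (192.168.100.1) and once against the remote server (192.168.200.1) for the same name; a SERVFAIL from the forwarder alongside a NOERROR from the upstream points at the forwarder's handling of that domain rather than at the VPN path, which narrows what to look for in the tcpdump capture.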