Merging results from different domain name servers

 
 
David Brown

 
      07-23-2009, 11:25 AM
I have a problem with trying to set up some DNS servers (these are for
local DNS serving, and are not publicly accessible). I don't know if it
is possible to do what I want here, and I'd value any advice on how to
do it, or suggestions on what else I could try.


First, here is the "company" network:

router: eth0 connected to internet, with global IP (say, 20.0.0.1)
eth1 connected to internal LAN, IP 10.0.0.1
running dnsmasq for local queries, resolving local names and
caching lookups from ISP's DNS servers.
openvpn server
Incoming port 80 traffic on eth0 forwarded to "http"

http: IP 10.0.0.2
Running apache, with name-based virtual hosting. Everything
addressed to "www.company.com" is forwarded to "www", and
everything addressed to "www2.company.com" forwarded to "www2"

www: IP 10.0.0.3
Web server

www2: IP 10.0.0.4
Another web server

officeclient: IP 10.0.0.5


On a public DNS server, all "*.company.com" addresses resolve to the
global 20.0.0.1


Home network:

homerouter:
global IP 20.0.0.2, lan ip 10.1.0.1
running dnsmasq for local queries, resolving local names and
caching lookups from ISP's DNS servers.
homeserver:
ip 10.1.0.2

homeclient: ip 10.1.0.3
Sometimes running openvpn, connecting to router.company.com


When "officeclient" looks for "www.company.com", the dnsmasq on "router"
resolves it to 10.0.0.3, and "officeclient" gets direct access by web
browser, ssh, nfs, or whatever.

When "homeclient" looks for "www.company.com", the dnsmasq on
"homerouter" passes the query to the ISP's DNS server, which returns
20.0.0.1. Web access will be forwarded by "router" to "http", which
will pass on the request to "www". If "homeclient" tries "ssh
www.company.com", it will actually target "router", which will reject
incoming ssh traffic.

So far, this is exactly what I want, and works fine.


When "homeclient" connects with openvpn to "router", it then has direct
access to the internal servers. "ssh 10.0.0.3" gives "homeclient" ssh
access to "www".

If the openvpn server is configured to push its DNS server to the
client, then "homeclient" will use "router"'s DNS server. Then
"www.company.com" will resolve to 10.0.0.3, and homeclient has direct
access to the "company.com" machines by name. However, attempts to
look up "homeserver" will fail as "router" does not know about "homeserver".

If the openvpn server does not pass on its DNS server, "homeclient"
cannot access the internal company machines by name - "www.company.com"
will still resolve to 20.0.0.1. However, lookups of "homeserver" will
work fine.


What I would really like is for "homeclient" to use /both/ dns servers
when the vpn is connected. I want "company.com" names to be searched on
"router" (over the vpn), and other names looked up locally on "homerouter".


Is there any way I can get this sort of flexibility? I'm beginning to
think the only way to get close is to put "homeserver" in the hosts file
on "homeclient", and let the vpn server push the DNS server to
"homeclient" when it is connected.



Joe Pfeiffer

 
      07-23-2009, 01:21 PM
David Brown <(E-Mail Removed)> writes:
>
> What I would really like is for "homeclient" to use /both/ dns servers
> when the vpn is connected. I want "company.com" names to be searched
> on "router" (over the vpn), and other names looked up locally on
> "homerouter".
>
>
> Is there any way I can get this sort of flexibility? I'm beginning to
> think the only way to get close is to put "homeserver" in the hosts
> file on "homeclient", and let the vpn server push the DNS server to
> "homeclient" when it is connected.


If you're doing what I think you are, dnsmasq can do this. Part of my
home dnsmasq configuration is

server=/vpn/10.8.0.1
server=/0.8.10.in-addr.arpa/10.8.0.1

which says to use nameserver 10.8.0.1 -- which is my openvpn and dnsmasq
server at school -- for lookups in the .vpn domain (that's what I use as
the domain for my VPN -- the fact there is no such TLD works out quite
nicely for me!) and the 0.8.10.in-addr.arpa domain for reverse lookups.

Over at school, I've got similar lines in the configuration sending DNS
searches in the wb.pfeifferfamily.net domain to my home dnsmasq server.
pfeifferfamily.net, meanwhile, is publicly accessible and goes off to
my web hosting company.
David Brown

 
      07-24-2009, 07:29 AM
David Schwartz wrote:
> On Jul 23, 4:25 am, David Brown <da...@westcontrol.removethisbit.com>
> wrote:
>
>> What I would really like is for "homeclient" to use /both/ dns servers
>> when the vpn is connected. I want "company.com" names to be searched on
>> "router" (over the vpn), and other names looked up locally on "homerouter".
>>
>> Is there any way I can get this sort of flexibility? I'm beginning to
>> think the only way to get close is to put "homeserver" in the hosts file
>> on "homeclient", and let the vpn server push the DNS server to
>> "homeclient" when it is connected.

>
> Set up a nameserver that serves exactly the responses you want. Then
> configure the clients to use that nameserver.
>


The trouble is that the nameserver does not know what the client wants,
as it depends on whether the client is connected to the vpn or not.
David Brown

 
      07-24-2009, 07:44 AM
Joe Pfeiffer wrote:
> David Brown <(E-Mail Removed)> writes:
>> What I would really like is for "homeclient" to use /both/ dns servers
>> when the vpn is connected. I want "company.com" names to be searched
>> on "router" (over the vpn), and other names looked up locally on
>> "homerouter".
>>
>>
>> Is there any way I can get this sort of flexibility? I'm beginning to
>> think the only way to get close is to put "homeserver" in the hosts
>> file on "homeclient", and let the vpn server push the DNS server to
>> "homeclient" when it is connected.

>
> If you're doing what I think you are, dnsmasq can do this. Part of my
> home dnsmasq configuration is
>
> server=/vpn/10.8.0.1
> server=/0.8.10.in-addr.arpa/10.8.0.1
>
> which says to use nameserver 10.8.0.1 -- which is my openvpn and dnsmasq
> server at school -- for lookups in the .vpn domain (that's what I use as
> the domain for my VPN -- the fact there is no such TLD works out quite
> nicely for me!) and the 0.8.10.in-addr.arpa domain for reverse lookups.
>
> Over at school, I've got similar lines in the configuration sending DNS
> searches in the wb.pfeifferfamily.net domain to my home dnsmasq server.
> pfeifferfamily.net, meanwhile, is publicly accessible and goes off to
> my web hosting company.


I've certainly thought about something similar. If the home network
were connected (as a network) with the company network by vpn, then
dnsmasq's domain-specific server setting would be the right choice.
However, I want the vpn running only on the client machine (other users
on the home network should not have access to the company network).

I hadn't thought about the need for reverse lookups in the dnsmasq setup
- thanks for including that here.

A possibility would be to run a local dnsmasq server on the client,
triggered to start with the vpn tunnel. The local dnsmasq server would
pass anything to "company.com" through the vpn to the company's dnsmasq
server, and anything else to the upstream dns server (i.e., the home
router). This would also make the solution independent of the home
network, and therefore equally good on a laptop that could be used on
other networks.

Now the question is - does dnsmasq run on Windows? (I guess Google has
some answers, but perhaps people here have tried it.) I run Linux on
several machines, but I'm not the only one working here, and there are
others running Windows on laptops who would be interested in this.
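A client-side resolver of the kind David proposes above, built from the same `server=/domain/address` form Joe uses in his home configuration. This is an added example and not from the thread; the domain `company.com`, the VPN-side dnsmasq at 10.0.0.1 on 10.0.0.0/24 and the upstream home router at 10.1.0.1 are the thread's own values, while the helper names `rev_zone` and `gen_conf` are my own.

```shell
#!/bin/sh
# Generates a dnsmasq config for a VPN client: names under the company
# domain (and the matching reverse zone) are sent to the dnsmasq behind
# the tunnel, everything else to the upstream resolver. Names and
# addresses below are assumptions taken from the thread's setup.

# rev_zone NET/PREFIX -> in-addr.arpa zone, e.g. 10.0.0.0/24 -> 0.0.10.in-addr.arpa
# Only octet-aligned prefixes (/8, /16, /24) map to a single reverse zone.
rev_zone() {
    net=${1%/*}; bits=${1#*/}
    o1=${net%%.*}; rest=${net#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    case $bits in
        8)  echo "$o1.in-addr.arpa" ;;
        16) echo "$o2.$o1.in-addr.arpa" ;;
        24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
        *)  echo "rev_zone: prefix /$bits is not octet-aligned" >&2; return 1 ;;
    esac
}

# gen_conf DOMAIN VPN_DNS VPN_NET/PREFIX UPSTREAM_DNS -> dnsmasq config on stdout
gen_conf() {
    domain=$1; vpn_dns=$2; vpn_net=$3; upstream=$4
    rz=$(rev_zone "$vpn_net") || return 1
    printf '%s\n' \
        "# answer only this machine; other hosts on the home LAN get nothing" \
        "listen-address=127.0.0.1" \
        "# ignore /etc/resolv.conf so the upstream list is exactly what is below" \
        "no-resolv" \
        "# company names and reverse lookups go through the tunnel" \
        "server=/$domain/$vpn_dns" \
        "server=/$rz/$vpn_dns" \
        "# everything else goes to the home router as before" \
        "server=$upstream"
}

# Example run with the thread's addresses (written to stdout here)
gen_conf company.com 10.0.0.1 10.0.0.0/24 10.1.0.1
```

Write the output to a file and start dnsmasq on the client with `--conf-file=` pointing at it when the tunnel comes up, with the client's resolv.conf pointing at 127.0.0.1; while the tunnel is down, queries for the company domain will time out rather than leak to the home resolver, which is the behaviour Joe describes in his next reply.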
Joe Pfeiffer

 
      07-24-2009, 01:03 PM
David Brown <(E-Mail Removed)> writes:
>
> A possibility would be to run a local dnsmasq server on the client,
> triggered to start with the vpn tunnel. The local dnsmasq server
> would pass anything to "company.com" through the vpn to the company's
> dnsmasq server, and anything else to the upstream dns server (i.e.,
> the home router). This would also make the solution independent of
> the home network, and therefore equally good on a laptop that could be
> used on other networks.


This is pretty much what I was doing until very recently -- I only had a
single machine at home on the vpn, and that machine ran dnsmasq. I went
ahead and ran it (with the same config file) whether the vpn was up or
down. The fact that dnsmasq was trying to use the vpn to do some of its
searches when the vpn wasn't up wasn't a problem in practical terms,
since I knew if it was up or down, and I didn't try dns queries on the
vpn when it was down (or I said something impolite and killed the
request when I realized it was taking a long time!).

> Now the question is - does dnsmasq run on Windows? (I guess Google
> has some answers, but perhaps people here have tried it.) I run Linux
> on several machines, but I'm not the only one working here, and there
> are others running Windows on laptops who would be interested in this.


virtualbox?
--
Klingon programs don't have parameters. They have arguments and win
them (Walter Bushell)