"Split horizon" DNS service is where a set of hosts see an "internal" view of the DNS that is different to the "external" view of the DNS as seen by the rest of the Internet.
Split horizon DNS service is easy to set up with the Internet Utilities.
Here is how to set up split horizon DNS service for the domain some.corp.:
1. Set up the General-purpose Content DNS Server to provide the "internal" view of the DNS, listening on a machine-local IP address if possible, such as 127.0.0.1.
2. Add all of the information to be contained in the "internal" view to the General-purpose Content DNS Server's database, using the HOSTS file conversion utility to convert any %ETC%\HOSTS data that you might want to use.
3. Set up an instance of the Resolving Caching Proxy Server on the same machine, listening on a site-local (non-externally-routed) IP address if possible, such as 10.0.0.1.
4. Configure an override that will cause DNSRCPD to consult the internal content DNS server on its own machine (whose machine-local IP address to listen upon you picked above) in preference to the public DNS when looking up some.corp. and its subdomains:
    echo 127.0.0.1 > Content\@some.corp.
5. Configure the DNS clients on all hosts that need to see the "internal" view of the DNS so they are directed to send all of their queries to the resolving caching proxy DNS server.
6. On a separate, public, IP address run a second content server to provide the "external" view of the DNS. One can choose to configure this content server just as if one were hosting one's own domain or one can configure the "external" view of the domain to be anonymous.
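A check one might run once the steps above are complete, added here as an example and not part of the Internet Utilities: it asks the resolving proxy and the public content server the same question and reports whether a name that is meant to be internal-only is also answered in the "external" view. The public address 192.0.2.53 and the name host.some.corp. are placeholders; 10.0.0.1 is the proxy address used on this page.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1, qid=0x1234, rd=True):
    """Encode a one-question DNS query, class IN (qtype 1 = A, 12 = PTR)."""
    header = struct.pack(">HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = [p.encode("ascii") for p in name.rstrip(".").split(".") if p]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_header(response):
    """Return (id, rcode, answer_count) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    return rid, flags & 0x000F, ancount

def ask(server, name, qtype=1, rd=True, timeout=3.0):
    """Send one UDP query to server:53 and return (rcode, answer_count)."""
    qid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, qid, rd), (server, 53))
        response, _addr = sock.recvfrom(4096)
    rid, rcode, ancount = parse_header(response)
    if rid != qid:
        raise ValueError("response ID does not match query")
    return rcode, ancount

def compare_views(internal, external):
    """Classify two (rcode, answer_count) results obtained for one name."""
    has_internal = internal[0] == 0 and internal[1] > 0
    has_external = external[0] == 0 and external[1] > 0
    if not has_internal:
        return "internal view missing"
    return "exposed externally" if has_external else "internal only"

if __name__ == "__main__":
    PROXY = "10.0.0.1"        # resolving caching proxy (address from this page)
    PUBLIC = "192.0.2.53"     # placeholder for the public content server
    NAME = "host.some.corp."  # hypothetical name expected to be internal-only
    print(NAME, compare_views(ask(PROXY, NAME), ask(PUBLIC, NAME, rd=False)))
```

Names that the "external" view publishes on purpose will report "exposed externally"; the result is only a finding for names that were meant to stay internal.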
Sometimes it is necessary to cope with badly written Internet server software that erroneously thinks that reverse lookup is a security measure. How to do this is just a special case of split horizon DNS service, using a fixed-data content DNS server instead of a general-purpose content DNS server:
1. Set up the Fixed-data Content DNS Server to provide the "internal" view of reverse lookups, listening on a machine-local IP address if possible, such as 127.1.0.1. Do not configure it with an explicit domain name. The default domain names are what is required here.
2. Set up an instance of the Resolving Caching Proxy Server, if you haven't already done so, exactly as in step #3 of the general case procedure.
3. Configure overrides that will cause DNSRCPD to consult the internal fixed-data content DNS server on its own machine (whose machine-local IP address to listen upon you picked above) in preference to the public DNS when looking up in-addr.arpa., ip6.arpa., and their subdomains:
    echo 127.1.0.1 > Content\@in-addr.arpa.
    echo 127.1.0.1 > Content\@ip6.arpa.
4. Configure the DNS clients exactly as in step #5 of the general case procedure.