Creating a Split Horizon DNS with Client Differentiation

A split horizon DNS service returns different results to queries based on particular criteria, usually the client's IP address. A typical service allows DNS clients on the internal network to see the full range of internal domain names, while those on external networks see a limited and possibly different set.

Tinydns is an authoritative server which is part of the larger software package called djbdns. Tinydns is capable of serving a split horizon service in one of two ways. The first method is running two separate instances of tinydns listening on two separate interfaces, each instance serving a different set of DNS data. The second is client differentiation.


Configuring Client Differentiation

Client differentiation allows you to specify which address is returned based on the client's location group. A location group is an IP address or a range of IP addresses, identified in the data file by one or two ASCII letters. This method is preferred over the first one since it reduces the number of services running and the number of CDB files to manage.

The following example demonstrates a tinydns data file using client differentiation.

%in:192.168.1
%ex
+internal.domain.xyz:192.168.1.2:::in
+external.domain.xyz:1.2.3.4:::ex
+www.domain.xyz:1.2.3.5

The first line declares the location group "in" for the subnet 192.168.1.0/24. The second line declares the location group "ex". Since no IP address range is specified, "ex" covers all other IP address ranges not specified, in this case everything but 192.168.1.0/24. The third line specifies the record "internal.domain.xyz", which tinydns will only return to clients in the 192.168.1.0/24 subnet. The fourth line specifies the record "external.domain.xyz", which tinydns will return to every address which is not in the 192.168.1.0/24 subnet. The last line specifies the record "www.domain.xyz", which tinydns will return to all addresses.

Location groups are declared with the percent (%) symbol, followed by the one or two ASCII letters which identify the location group, followed by a colon (:) and an optional IP address or range of IP addresses (an address prefix). If no range is specified on the "%" line, the location group covers all IP addresses not covered by another location group. If any other line does not have a location group at the end of it, that record will be visible to clients from ALL location groups.
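As an added example (not from the original article or from djbdns itself), here is a small Python model of how tinydns applies these rules: it parses the "%" and "+" lines from the data file above and answers "which address does this client get for this name?". It assumes tinydns's octet-by-octet prefix matching, with the longest matching prefix winning and a prefix-less "%" line matching every client; the embedded data file is the one shown above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed input: the five-line data file from the article above.
DATA = """%in:192.168.1
%ex
+internal.domain.xyz:192.168.1.2:::in
+external.domain.xyz:1.2.3.4:::ex
+www.domain.xyz:1.2.3.5
"""

Zone = Tuple[Dict[str, List[str]], List[Tuple[str, str, Optional[str]]]]

def parse_data(text: str) -> Zone:
    """Parse the "%lo:ipprefix" and "+fqdn:ip:ttl:timestamp:lo" lines used here."""
    locations: Dict[str, List[str]] = {}                # group -> octet prefixes
    records: List[Tuple[str, str, Optional[str]]] = []  # (name, ip, group or None)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line[1:].split(":")
        if line[0] == "%":
            prefix = fields[1] if len(fields) > 1 else ""   # "" = matches everyone
            locations.setdefault(fields[0], []).append(prefix)
        elif line[0] == "+":
            group = fields[4] if len(fields) > 4 and fields[4] else None
            records.append((fields[0], fields[1], group))
    return locations, records

def _prefix_octets(prefix: str) -> List[str]:
    # tinydns compares whole octets, so "192.168.1" covers 192.168.1.0/24 but
    # not 192.168.10.0/24 (a plain string-prefix test would get that wrong).
    return prefix.split(".") if prefix else []

def client_location(zone: Zone, client_ip: str) -> Optional[str]:
    """Pick the group whose prefix matches the most octets of client_ip."""
    octets = client_ip.split(".")
    best: Optional[Tuple[str, int]] = None
    for group, prefixes in zone[0].items():
        for prefix in prefixes:
            want = _prefix_octets(prefix)
            if octets[:len(want)] == want and (best is None or len(want) > best[1]):
                best = (group, len(want))
    return best[0] if best else None

def answer(zone: Zone, client_ip: str, name: str) -> List[str]:
    """Addresses tinydns would return to client_ip for name (A records only)."""
    loc = client_location(zone, client_ip)
    return [ip for n, ip, grp in zone[1] if n == name and (grp is None or grp == loc)]
```

Running it over a real data file with a few addresses from each network is a quick check that internal-only records are not visible to the external group before the CDB is built.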


2007-03-12 Updated the example and description section to include a record seen by all groups. Thanks to John Simpson for the suggestion.