Split DNS

  • Updated 4 years ago
Hi, hope someone can help out with this problem.

BR200 + AP330 on the network.
BR200 provides addresses and serves as the PPPoE connection over ADSL.

Before it was a Draytek modem that performed this task with an Apple AirPort Extreme.
When we had this configuration we were able to access internal hosts (NAS) by the FQDN https://mynas.mydomain.com and the certificate validated.

Now with the Aerohive connecting, we supply the same DNS server (BR200) but the internal hostnames are not accessible by the FQDN.

The ports are open for the NAS; it works perfectly outside the network.

Is this what I would need split DNS for? Or DNAT?

George Oosthuizen

Posted 4 years ago

Brian Ambler
Hi George,

I think I can help you out here; by your description I assume that mynas.mydomain.com is not a publicly resolvable name? By default, a DNS object is created with two public DNS servers (168.143.87.77 and 209.128.124.9), so you would be seeing internal DNS resolution fail if mynas.mydomain.com is not publicly resolvable. However, you can easily set your Aerohive branch router to use a split DNS policy to push traffic for your domain back to your internal DNS server(s) and any other traffic out to internet nameservers to take load off your network infrastructure.

1) Log into your HiveManager, navigate to your Network Policy and click on the network to which your clients will be connecting.

2) This will pop up the "Choose Network" box, where you will want to click the gear next to the network selected above (which is automatically highlighted), then click "Edit".

3) This will open up the "Edit Network" page. Here you have the choice to either edit an existing DNS Service or create a new one; in this example I am creating a new service, but the steps are mostly similar if editing a service. To create a new service, click the plus ("+") sign.

4) In order to set up a Split DNS service, select "Set the router as the DNS server in DHCP offers" and "Set the router to use separate DNS servers for internal and external domain name lookups". This will let you fill out both your internal domain name(s) with associated DNS servers and optionally either use the DNS server(s) set in your Network Policy under "Additional Settings > Management Server Settings > DNS Server" or servers you specify per DNS service. I have used Google DNS below, but you could use any public DNS servers you choose. When you're done, click "Save".

5) Make sure your new split DNS policy is selected for DNS Service, then click Save.

6) At this point you can click OK to select the Network you just got done editing, save your Network Policy and push the changes out to the Branch Router. Once these changes are pushed out you should be able to resolve your internal DNS names.

There is an alternate configuration you can use; a split DNS service is usually used not only to send name resolution back to your internal DNS servers, but also to send traffic bound for internal resources back over the VPN tunnel (if configured) while non-internal traffic is sent straight out to the internet. If you want to configure your branch router to resolve all hostnames, at step four configure your DNS service as follows:

This configuration will set your branch router to hand out your internal DNS servers to your clients directly so that all DNS traffic is sent to your internal servers for resolution. You can choose to use Dnsmasq to hand out the branch router's IP address instead of your internal DNS server IP addresses directly, but that is a personal decision. Push either change out to your branch router and you should be up and running.

Hope this helps
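For readers without HiveManager, the following is an added example (not from this thread and not Aerohive configuration) showing the same split-DNS policy expressed as a Dnsmasq configuration, since Dnsmasq is mentioned above. The NAS address 192.168.0.200 and domain mydomain.com come from the thread; the router LAN address 192.168.0.1, the internal DNS server 192.168.0.10 and the DHCP range are assumed values.

```conf
# Added example: split DNS on a Dnsmasq-based gateway.
# Assumed addresses: router 192.168.0.1, internal DNS 192.168.0.10,
# NAS 192.168.0.200 (from the thread).

# Ignore /etc/resolv.conf; only the upstreams listed below are used,
# so a client query can never leak to an unintended resolver.
no-resolv
listen-address=127.0.0.1,192.168.0.1

# Internal domain: every *.mydomain.com query is forwarded ONLY to the
# internal DNS server, so private hosts resolve to private addresses.
# Remove this line if, as in George's case, no internal DNS server exists.
server=/mydomain.com/192.168.0.10

# Host override for a network with no internal DNS server: the router
# answers mynas.mydomain.com itself with the private address. Dnsmasq
# uses the longest matching domain, so this wins over the server= line
# above for this one name. The browser still connects by name, so the
# certificate for mynas.mydomain.com validates inside the LAN.
address=/mynas.mydomain.com/192.168.0.200

# Everything else goes out to public resolvers (Google DNS, as used in
# the answer above); internal names are never sent here.
server=8.8.8.8
server=8.8.4.4

# Serve DHCP and hand the router out as the DNS server in DHCP offers
# ("Set the router as the DNS server in DHCP offers" in HiveManager).
dhcp-range=192.168.0.100,192.168.0.199,12h
dhcp-option=option:dns-server,192.168.0.1
```

Without the `server=/mydomain.com/` or `address=` entries, a LAN client receives the public A record for the NAS and must reach it through the router's WAN address, which only works if the router supports hairpin NAT; the split-DNS answer avoids that dependency entirely.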
George Oosthuizen

Thanks Brian,

The internal host is accessible from outside on https://mynas.mydomain.com:8443, and internally it can only be accessed on https://192.168.0.200:8443, which breaks the certificate validation.
This network is only basic with no internal DNS server, and relies on the BR200.
Thank you for the explanation you sent, as it's something I need to do for another client!

Brian Ambler

Hi George,

Unfortunately I'm not sure what can be done if there is no internal DNS server on which to add an A record for the "mynas" hostname. The BR200 cannot function as a DNS server itself, but I am a bit confused by your previous setup, as generally neither modems (even a modem or residential gateway) nor an AirPort Extreme (to the best of my knowledge) support acting as a DNS server. Could you provide a bit more detail with a network diagram that might explain anything I'm missing?

Thanks in advance

George Oosthuizen

Hey Brian, it was a long day! But I've done some further research and I have been looking in the wrong place. It is not DNS related. Doing a very quick ping from the internet network to mynas.mydomain.com, it resolves the external IP without any problems.

This means that the DNS side works but I do not have access to the internal device through the external IP? 
DNAT?

Brian Ambler

Hi George,

My apologies, I thought from your earlier description that you had an issue accessing this resource from your internal network while access from the outside was successful; can you confirm? Pinging from the internet and resolving your hostname means that (in this example anyway) there is an A record for mynas in the DNS zone file for mydomain.com. This makes your server accessible from the internet by name, but is completely separate from internal DNS resolution.

If there is no internal DNS server to tell your clients how to resolve mynas.mydomain.com to 192.168.1.200, then you will see what you are seeing. So if I understand your problem correctly (please let me know if I do not) then the issue here is that you still require a DNS server inside your network to resolve hostnames to private IP addresses. This is a very standard requirement, and I am not sure how it was not needed in your previous setup; while I will admit that I am not intimately familiar with the ADSL modem you mentioned and Apple's AirPort line, I would be surprised if either one had the ability to act as a DNS server. 

Let me know if I'm still missing something in your description of the issue.