Split DNS setup possible?

[adyanth]

I have a domain, where some services are hosted internally, and some on the cloud.

My current setup looks like this for my public domain resolution from inside:
Pi-Hole -> conditional forward public.site to bind9 -> RPZ zone for internal entry mapping to internal domain private.lan (handled by another authoritative server for private.lan) -> Any unresolved domain -> external lookup through cloudflared.

I would like to simplify this with blocky. Right now, I have it as follows, where 10.10.10.4 is the internal authoritative resolver for private.lan.

    conditional:
      rewrite:
        public.site: private.lan
      mapping:
        private.lan: 10.10.10.4

This works perfectly well for any domains that are hosted internally. But for any services hosted on the cloud, it is not accessible since it does not have a private.lan address. How can I achieve this flow through blocky?

Or will I be able to do this once the #355 or #476 is solved, by setting the first resolver to the internal one and the next to the public one? How can I undo the rewrite before querying the public resolver? Can we have a fallback for the rewrite if it receives an NXDOMAIN?

[0xERR0R]

Do "any services hosted on the cloud" have the same domain name?

[adyanth]

No. By domain, I mean subdomains here. For example, hosted.public.site should change to hosted.private.lan and be resolved by 10.10.10.4. But uptime.public.site is in the cloud and there is no entry for uptime.private.lan in 10.10.10.4, so should be resolved by the default upstream to it's real public address.

[adyanth]

The main reason for this is that, if I do not rewrite the domain for locally hosted services, it will go to the internet and come back to my home, which is wasteful when trying to stream/upload/download files etc.

[adyanth]

If I am reading this correctly:

blocky/resolver/rewriter_resolver.go

Lines 59 to 85 in 01b7947

	// Resolve uses the inner resolver to resolve the rewritten query
	func (r *RewriterResolver) Resolve(request *model.Request) (*model.Response, error) {
	logger := withPrefix(request.Log, "rewriter_resolver")
	original := request.Req
	rewritten, originalNames := r.rewriteRequest(logger, original)
	if rewritten != nil {
	request.Req = rewritten
	}
	logger.WithField("resolver", Name(r.inner)).Trace("go to inner resolver")
	response, err := r.inner.Resolve(request)
	if err != nil {
	return response, err
	}
	// Revert the request: must be done before calling r.next
	request.Req = original
	if response == NoResponse {
	// Inner resolver had no response, continue with the normal chain
	logger.WithField("next_resolver", Name(r.next)).Trace("go to next resolver")
	return r.next.Resolve(request)
	}

Here in line 78, we revert the request back to the original, line 80 will be true since my DNS server indeed returned No Answer, shouldn't line 84 fallback to the parallelresolver and resolve with my default resolver?

blocky/server/server.go

Lines 408 to 409 in 01b7947

	resolver.NewRewriterResolver(cfg.Conditional.RewriteConfig, conditionalUpstreamResolver),
	parallelResolver,

Which means, should this not work already and send the original request to uptime.public.site to the default resolver?

[adyanth]

@0xERR0R do you think what I am reading above is correct? If so, any idea why it does not fall back once the resolution fails under conditional?

[0xERR0R]

In line 80: NoResponse means the "inner" resolver returns nothing/empty struct. In your case you get a valid answer with NXDOMAIN.

I think, this behavior is correct. You have a definition of conditional mapping for "private.lan". All querires for "public.lan" will be rewritten zu "private.lan". If you query for "*.public.lan" the resolver must NOT ask the default upstream, otherwise you will expose DNS names of your private network to (maybe untrusted) public DNS.

I think we need another configuration to solve this problem/challenge.

[adyanth]

I do not get an NXDOMAIN, I get a No Answer:

adyanth@ubuntu-nuc:~$ nslookup uptime.private.lan 10.10.10.4
Server:		10.10.10.4
Address:	10.10.10.4#53

*** Can't find uptime.private.lan: No answer

adyanth@ubuntu-nuc:~$ dig @10.10.10.4 uptime.private.lan

; <<>> DiG 9.16.1-Ubuntu <<>> @10.10.10.4 uptime.private.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58857
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;uptime.private.lan.		IN	A

;; AUTHORITY SECTION:
private.lan.		3600	IN	SOA	windows-server-nuc.private.lan. hostmaster.private.lan. 984 900 600 86400 3600

;; Query time: 3059 msec
;; SERVER: 10.10.10.4#53(10.10.10.4)
;; WHEN: Wed Jul 06 12:49:27 IST 2022
;; MSG SIZE  rcvd: 124

Either way, a new config option I can think of is a fallback: true under the conditional block that will send any queries that failed to the parent/default resolver, explicitly asking to ignore the risk of exposing the original DNS request to the public.

[0xERR0R]

We have something similar for custom mapping (https://0xerr0r.github.io/blocky/configuration/#custom-dns): configuration parameter "filterUnmappedTypes"

[adyanth]

I have submitted PR #593 which solves my issue. Can you please verify if it works as blocky should according to you?

[0xERR0R]

Just for my understanding:
hosted.public.site -> should be resolved by your internal private resolver 10.10.10.4. Site is hosted internally
uptime.public.site (or everything *.public.site)-> should be resolved by external (public) resolver. Site is hosted in the public cloud

If you have a limited number of sites, you can specify a mapping for each site -> but this must be maintained ;(

[adyanth]

Yes, that is correct. But it is not just one or two. There are 20+ subdomains now, and enternal-dns adds new entries to the local DNS server when new services are hosted. Maintaining that manually is not an option which is why currently I have another bind9 running to maintain the RPZ zone and another complex external DNS setup to update it as well.