Need help to configure internal access

Split-horizon DNS is a feature, not a separate server. It is a DNS configuration technique used to provide different DNS query results to different sets of clients based on their network location or source IP address. Dnsmasq does support split-horizon DNS configuration.

That's what dnsmasq is for, so that the 'hosts' file is configured only for the queries from inside of the network.

Sure:

In my case I have two servers running on Ubuntu in a network behind a Fritzbox router.

The Local Network is

192.168.188.0/23

That represents a subnet with an IP address range of 192.168.188.0 to 192.168.189.255

The servers (with or without internet access, DMZ) are located in the range 192.168.189.0/24.
My private network uses the 192.168.188.0/24 IP range.

192.168.189.1 - nextcloud, mysql, redis-server, dnsmasq
192.168.189.101 - clamd, dnsmasq, unison replica of the nextcloud on 192.168.189.1 to create consistent backups

As you see, I use two dnsmasq instances to be more redundant, but it works with one as well.

Since Ubuntu uses systemd-resolved, I use the following configuration, which is almost the same on both servers. Here is the config on 192.168.189.101:

systemd-resolved

man systemd-resolved.service

We have to change the behaviour of systemd-resolved.

Edit /etc/systemd/resolved.conf to make it look somehow like this:

# My favorite DNS servers:
DNS=80.80.80.80 9.9.9.9
DNSStubListener=no

Now remove /etc/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf, and create a static /etc/resolv.conf:

echo "nameserver 127.0.0.1" > /etc/resolv.conf

This tells the host system to send its DNS queries to localhost, which will now be served by dnsmasq.

dnsmasq

man dnsmasq

config files:

/etc/default/dnsmasq:

ENABLED=1
DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.conf.mine"
CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
IGNORE_RESOLVCONF=yes

/etc/dnsmasq.conf.mine:

domain-needed
bogus-priv
resolv-file = /run/systemd/resolve/resolv.conf
server = /188.168.192.in-addr.arpa/192.168.188.1
listen-address = 127.0.0.1
listen-address = 192.168.189.101
addn-hosts = /etc/dnsmasq.addn-hosts.local

/etc/dnsmasq.addn-hosts.local

192.168.188.1    fritzbox-7580.fritz.box fritzbox.fritz.box fritzbox fritz.box fritzbox-7580 home.box heimat.box
192.168.189.1    alias1 alias2 %MYNEXTCLOUDDOMAIN.TLD%
192.168.189.101  optiplex-380-0.fritz.box optiplex-380-0.fritzbox optiplex-380-0
255.255.255.255  broadcast

As you can see, the file /etc/dnsmasq.addn-hosts.local is now the "hosts" file for all queries coming from within the local network. All other queries will be served with the results from the DNS servers configured in /etc/systemd/resolved.conf.

Now you can do much more with dnsmasq. To forward all queries for Google websites to Google DNS, which is a bit faster since it is their realm, add these lines to /etc/dnsmasq.conf.mine:

server = /ytimg.com/8.8.8.8
server = /ytimg.com/8.8.4.4
server = /youtube.com/8.8.8.8
server = /youtube.com/8.8.4.4
server = /googlevideo.com/8.8.8.8
server = /googlevideo.com/8.8.4.4
server = /ggpht.com/8.8.8.8
server = /ggpht.com/8.8.4.4
server = /gvt3.com/8.8.8.8
server = /gvt3.com/8.8.4.4
server = /gvt2.com/8.8.8.8
server = /gvt2.com/8.8.4.4
server = /gvt1.com/8.8.8.8
server = /gvt1.com/8.8.4.4
server = /doubleclick.net/8.8.8.8
server = /doubleclick.net/8.8.4.4
server = /googlesyndication.com/8.8.8.8
server = /googlesyndication.com/8.8.4.4
server = /googleapis.com/8.8.8.8
server = /googleapis.com/8.8.4.4
server = /google.com/8.8.8.8
server = /google.com/8.8.4.4
server = /google.de/8.8.8.8
server = /google.de/8.8.4.4
server = /google.nl/8.8.8.8
server = /google.nl/8.8.4.4
server = /google.ch/8.8.8.8
server = /google.ch/8.8.4.4

You can log all DNS queries dnsmasq makes and tail -f them live. For that, create a log directory:

mkdir /var/log/dnsmasq
chown dnsmasq:adm /var/log/dnsmasq

Append these lines to /etc/dnsmasq.conf.mine:

log-queries
log-facility = /var/log/dnsmasq/dnsmasq.log

In this case, you will have to set up a logrotate rule for that log file:

/etc/logrotate.d/dnsmasq.log

/var/log/dnsmasq/dnsmasq.log {
size 100M
daily
rotate 2
compress
missingok
notifempty

postrotate
# force-reload restarts dnsmasq so it opens the new log file
# (sending dnsmasq SIGUSR2 would reopen the log without a restart)
service dnsmasq force-reload
endscript
}

Now you can watch dnsmasq live while it does its work:

tail -F /var/log/dnsmasq/dnsmasq.log

I have the same configuration on the server 192.168.189.1, the only difference being in

/etc/dnsmasq.conf.mine

listen-address = 192.168.189.1

Finally, you have to configure your router not to use the DNS server of the provider automatically, but instead to use the DNS server(s) that you have set up (192.168.189.1 and 192.168.189.101 in my case) as the primary (and eventually secondary) name servers.

I hope I could help

Even though I have created this post with the greatest possible care, I know with certainty that I (as usual) made at least small mistakes. If you find any inaccuracies please point them out to me, I will correct them immediately if possible or your comment will be the correction.

Happy hacking

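As an added worked example (not code from the post above, and not dnsmasq's own code): a small Python model of the order in which dnsmasq applies the directives that configuration uses, so you can see which path a given query takes before you point a whole network at the resolver. The hosts file, the server= lines and the upstream list below are constructed to mirror the post, with cloud.example.net standing in for the real Nextcloud name. It shows that hosts-file entries win for both A and PTR lookups, that server=/domain/ matching is label-aligned (so notgoogle.com is not caught by the google.com rule), how the in-addr.arpa zone name for a /24 is derived, and what domain-needed and bogus-priv do to the queries nothing else matched. The model is an approximation of dnsmasq's behaviour, not a reimplementation.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for /etc/dnsmasq.addn-hosts.local (mirrors the post)
ADDN_HOSTS = """\
192.168.188.1    fritzbox-7580.fritz.box fritzbox.fritz.box fritzbox fritz.box
192.168.189.1    alias1 alias2 cloud.example.net
192.168.189.101  optiplex-380-0.fritz.box optiplex-380-0
"""

# Constructed stand-in for the server= lines of /etc/dnsmasq.conf.mine
SERVER_LINES = """\
server = /188.168.192.in-addr.arpa/192.168.188.1
server = /google.com/8.8.8.8
server = /google.com/8.8.4.4
"""

# What resolv-file=/run/systemd/resolve/resolv.conf would hand to dnsmasq
UPSTREAM = ["80.80.80.80", "9.9.9.9"]


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for a /8, /16 or /24, i.e. the ZONE in server=/ZONE/ip."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("a single in-addr.arpa zone only covers a /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(ip: str) -> str:
    """Query name of a PTR lookup, e.g. 1.188.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_hosts(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """name -> ip for forward lookups, ptr-name -> canonical name for PTR lookups."""
    fwd: Dict[str, str] = {}
    rev: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        for n in names:
            fwd.setdefault(n, ip)            # first entry wins, as in /etc/hosts
        rev.setdefault(ptr_name(ip), names[0])
    return fwd, rev


def parse_servers(text: str) -> Dict[str, List[str]]:
    """domain -> servers from server=/domain/ip lines (spaces around = allowed)."""
    servers: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace(" ", "").replace("\t", "")
        if not line.startswith("server=/"):
            continue                         # plain server=ip lines are upstreams
        _, domain, ip = line.split("/", 2)
        servers.setdefault(domain.lower().rstrip("."), []).append(ip)
    return servers


HOSTS_FWD, HOSTS_REV = parse_hosts(ADDN_HOSTS)
SERVERS = parse_servers(SERVER_LINES)


def _is_private_ptr(name: str) -> bool:
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return False
    try:
        return ipaddress.ip_address(".".join(reversed(octets))).is_private
    except ValueError:
        return False


def lookup(qname: str, domain_needed: bool = True, bogus_priv: bool = True):
    """Return (action, detail) following the order dnsmasq applies its rules."""
    name = qname.lower().rstrip(".")
    is_ptr = name.endswith(".in-addr.arpa")
    # 1. hosts / addn-hosts answers first, for A and PTR alike
    table = HOSTS_REV if is_ptr else HOSTS_FWD
    if name in table:
        return ("local", table[name])
    # 2. server=/domain/ lines: longest label-aligned suffix match wins
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SERVERS:
            return ("forward", SERVERS[suffix])
    # 3. domain-needed: a plain name is never sent upstream
    if domain_needed and "." not in name:
        return ("nxdomain", "domain-needed")
    # 4. bogus-priv: unmatched private reverse lookups are answered locally
    if bogus_priv and is_ptr and _is_private_ptr(name):
        return ("nxdomain", "bogus-priv")
    # 5. everything else goes to the resolv-file upstreams
    return ("forward", UPSTREAM)


if __name__ == "__main__":
    for q in ("cloud.example.net", "www.google.com", "notgoogle.com", "printer",
              ptr_name("192.168.188.50"), ptr_name("172.16.0.5"), "example.org"):
        print(f"{q:32} -> {lookup(q)}")
```

Two things the model makes visible that are easy to get wrong on a real box: the reverse zone for 192.168.188.0/24 is 188.168.192.in-addr.arpa (octets reversed, network octets only), and a server= line for a domain also covers every name below it, so a single google.com rule is enough. On the real server, dnsmasq --test --conf-file=/etc/dnsmasq.conf.mine syntax-checks the file, and dig @192.168.189.101 for a name from the addn-hosts file, once from inside and once from outside the LAN, confirms the horizon actually splits. With only listen-address lines dnsmasq binds the wildcard socket and discards packets for other addresses; bind-interfaces makes it bind just those addresses, and stop-dns-rebind makes it drop upstream answers that carry private addresses, so a public name cannot be used to point LAN clients at 192.168.189.x.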