Linux - Configure Cascading DNS

Hello there,

TL;DR

Does anyone know of an easy-to-deploy “DNS solution” that will allow me to deploy a rudimentary DNS solution similar to my /etc/hosts file, that simply responds to DNS queries that it can answer from a local file (preferably similar to my /etc/hosts file, or an /etc/resolv.conf file in dnsmasq world). Crucially, if it does not have an IP address for a record, it should just respond as such, rather than trying to get an answer from an upstream DNS server, or saying that there is no record. This should hopefully allow my computer to then try and get the answer from the secondary or tertiary DNS servers I have configured. Perhaps one can do this by just deploying a Debian/Ubuntu server, editing its /etc/hosts file, and configuring it to answer incoming DNS queries with it?

Important Caveat

In case it matters, it is important to note that none of the DNS servers are an authority on a domain. E.g. I may have server1.programster.org configured in one of the DNS servers, and a record for server2.programster.org in the other.

Long Version

I have a bit of a complicated setup to do with the fact that I quite often use a VPN to connect to servers across two different networks, each of which has its own DNS server that knows of its local services behind a NAT. Each of these DNS servers forwards requests that it doesn’t know about to another like Google.

I know that I can configure my Linux computer to specify multiple DNS servers, and it appears to always use the first one on the list, unless it is offline, in which case it will use the second one. This will mean that whilst the first one is online, if the record I’m looking for is only in the second one, I won’t retrieve it. I’ve seen that one can configure DNS servers (I’ve only ever configured a dnsmasq server) to forward their requests to each other, but neither of these servers currently has direct access to the other, as the networks are not joined in any way and are not publicly accessible. I only have access to both because my computer is inside one, and has VPN’d into the secondary network.

Is it possible to deploy a DNS server (if so, please advise how), in order to have it simply look at its local cache (like a resolv.conf file), and if it is not in there, simply answer “I don’t know”, so that my computer can then proceed to the next DNS server in its list, e.g. cascading DNS, as my computer tries the first, then the second, then the third until it gets an answer?

You should look into dnsmasq’s strict order, this may be exactly what you’re looking for: https://linux.die.net/man/8/dnsmasq

For example, I have my router querying my AD for DNS records first (which in turn goes to pihole), and then moving to Quad9 in case the server is offline.

If you’re with OPNsense you can use this guide to enforce it: Help with DNS Settings

There are so many edges to these assumptions that I might die from papercuts, but snark aside, dnsmasq, unbound, bind, etc. can all do this pretty easily. Just be aware that it’s assured that you will leak DNS queries between alpha and beta from the client at some point.

It’s a bit more complicated, but what I suspect you are looking for is a split-view setup with your usage of VPNs. It’s a bit involved, but the TL;DR is it returns or doesn’t return answers based on the src of the requester.

Correct me if I’m mistaken, but a split-view setup appears to revolve around the DNS server giving different responses based on where the request is coming from. I don’t need to do that, as each network’s private DNS server is only accessible from inside that network, and thus only needs to give one response, which is for requests that come from inside that network. It never gives out responses to the outside world.

As I’ve dug deeper, I believe what I need to do is make use of a subdomain in each network. E.g. the home network can use “server1.home.mydomain.com” whereas servers in the office can use “server2.office.mydomain.com”, and then I can just configure each of the DNS servers to be an “authoritative-only” DNS server that just responds to requests for that subdomain (e.g. office.mydomain.com and home.mydomain.com), which it should have full knowledge of. I don’t think I can have “cascading DNS” like I was hoping, whereby I could mix records at the same domain level across two different DNS servers.

I’m currently trying my theory with setting up a bind9 server and this tutorial: How To Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04 | DigitalOcean
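Putting the per-subdomain approach above into practice on the VPN client side, as an added example that is not from this thread: a dnsmasq configuration that forwards each private subdomain only to the server that is authoritative for it, and everything else to a public resolver. The two server addresses and the file path are placeholders.

```conf
# /etc/dnsmasq.d/split-forward.conf on the client (added example; addresses are placeholders)

# Use only the upstream servers listed in this file, not those in /etc/resolv.conf
no-resolv

# Each private subdomain is sent only to the DNS server that is authoritative
# for it (one reachable on the local LAN, the other only over the VPN), so a
# query for a home name is never seen by the office network and vice versa
server=/home.mydomain.com/192.0.2.53
server=/office.mydomain.com/198.51.100.53

# Every other name goes to a public resolver (Quad9, as mentioned in the thread)
server=9.9.9.9

# Try upstream servers in the listed order rather than whichever answered fastest
strict-order

# Never send bare hostnames (no dots) or reverse lookups for private address
# ranges to the public resolver
domain-needed
bogus-priv
```

To confirm the split is working, query the local dnsmasq directly with `dig @127.0.0.1 server1.home.mydomain.com` and `dig @127.0.0.1 server2.office.mydomain.com`; each should be answered from its own network's server, and a name in one subdomain should never show up in the other network's DNS query logs.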
