opennetadmin / ona

OpenNetAdmin IP Address Management (IPAM) system
opennetadmin.com
GNU General Public License v2.0

Split dns; internal A local record with rest of the domain resolved via global forward? #163

Closed dmgeurts closed 2 years ago

dmgeurts commented 3 years ago

Is there a way to add a simple split dns record? I need to spoof a public DNS record to a local IP address.

I'm hoping I've missed something glaringly obvious.

mattpascoe commented 3 years ago

If I'm understanding your request correctly I would have to say that, no, it is not possible. More so from a DNS perspective than anything else. Short of adding an /etc/hosts entry, I am unaware of a way to make an internal DNS server handle one IP address within a domain but have the rest of the entries resolve on another DNS server.

DNS resolvers typically function such that each domain is handled as a whole. So if example.com is hosted elsewhere and you wanted to have something.example.com resolve on your own server, then your dns resolver layer would need to know how to delegate the request to the proper name server.

It may be possible to set up an actual subdomain as this single local record.. then the subdomain itself becomes your A record in the form of subdomain.example.com having an entry like '@ IN A 1.1.1.1'... then your dns would have to delegate that subdomain to your master. This could get complicated.

I believe this article relates? https://serverfault.com/questions/65465/can-i-create-dns-records-for-some-hosts-delegate-other-queries-in-the-same-doma

I've personally not tried this with ONA.. in theory it might work.. Guess it's worth a try!

dmgeurts commented 3 years ago

Yes, your understanding is correct. For example, the Palo Alto firewall I use allows this in the DNS config, but I'm trying to not use the DNS function there as a primary source in order to avoid fragmentation of DNS records/rules across too many devices.

The FQDN zone is a decent alternative for what I need, thank you for the suggestion. If one needs more than the odd record then, yes, this could get cumbersome, but possibly the only correct way if it's a 3rd party domain.

Thinking about it, where one owns the domain, depending on people's needs one could introduce a sub-domain just for domains that need a split domain. This requires careful planning before taking an FQDN into production use. Getting users and apps to change domain names can be a real pain:

  - Master DNS zone `example.com`: `server.a` A/AAAA
  - Private DNS zone `a.example.com`: `server` A/AAAA

To be able to use this one would need to have control over the Master DNS server. Which in my case I do have, but for a fair few valid purposes, many people won't.

Worth adding split DNS as an ONA feature? Some motivation:

  1. DNS Blackhole: The Pihole project and Palo Alto's Firewall DNS Blackhole.
  2. DNS split horizon: Reach a 3rd party domain or FQDN via VPN rather than publicly, and connect to an internal mirror instead of a public server, to avoid going out and back through a firewall.

Using /etc/hosts is easy for Linux and Mac users (if they have sudo privileges for doing so), but isn't user friendly and causes issues when people are mobile, meaning they need to manually comment out the local entry when not in the office.

dmgeurts commented 2 years ago

This is the solution I was looking for, just posting here in case anyone else comes looking for the same feature. https://serverfault.com/questions/18748/overriding-some-dns-entries-in-bind-for-internal-networks
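The "FQDN zone" approach discussed above (the internal resolver is authoritative for the single name only, while everything else under the parent domain still forwards), written out as an added BIND example; this is not code from the ONA project or from the thread, and the hostnames, addresses and file paths are assumptions.

```conf
// --- named.conf fragment on the internal resolver (path is an assumption) ---
// The resolver forwards everything it is not authoritative for, so all other
// names under example.com keep resolving via the public/global servers.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // internal clients only
    forwarders { 192.0.2.53; };                    // assumed upstream resolver
};

// Authoritative for exactly one name: server.example.com (constructed example).
// Queries for www.example.com, mail.example.com etc. are unaffected.
zone "server.example.com" {
    type master;
    file "/etc/bind/db.server.example.com";
};

; --- /etc/bind/db.server.example.com (zone file, path is an assumption) ---
$TTL 300
@   IN SOA  ns1.internal.example. hostmaster.internal.example. (
            2024010101 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            300 )      ; negative-cache TTL
    IN NS   ns1.internal.example.
    IN A    10.0.0.5      ; the local address the FQDN should resolve to
    IN AAAA fd00::5       ; optional local IPv6 address

; Check from an internal client, after `named-checkzone server.example.com
; /etc/bind/db.server.example.com` and a reload:
;   dig @10.0.0.53 server.example.com A     -> 10.0.0.5 (answered locally)
;   dig @10.0.0.53 www.example.com A        -> still the public answer
```

Because the resolver now owns the whole `server.example.com` node, any other record type for that exact name (MX, TXT, CNAME) and any name beneath it are answered from this zone, not the public one. The override only reaches clients that actually use this resolver, so devices with a hard-coded or DoH/DoT resolver will still get the public answer.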