
Let's say that I have several machines (or VMs) on an internal (10.0 or 192.168 class) LAN, that need to communicate with each other, but instead of configuring a somewhat dynamic, tedious to keep updated /etc/hosts file (as new VMs get added every now and then), I'd like to set up an internal DNS server. All of my test machines and VMs are running Linux. I have some questions in this regard:

  1. Can I set up the DNS server s.t. I can use a fake domain (say "example.com", since it is reserved) as my domain as known internally in the private network?
  2. Can I set up the DNS server s.t. the /etc/resolv.conf points to this server to resolve all the machine IP addresses for hosts in this private / fake domain? However, for a real / actually existing domain, the DNS server should point to or fetch the resolved IP address from a cascaded actual DNS server (such as a public DNS server)? The latter is for access to the general public internet from the test machines, through a NAT proxy.
  3. Could I do something of this nature with, say, TinyDNS? I find BIND a bit too intimidating, and perhaps overkill for my needs.
bdutta74
  • Why bother with a fake domain when you can just get a real one? – Michael Hampton Aug 23 '20 at 18:33
  • @MichaelHampton well, I certainly could, but not sure why I should get one. These machines (in the domain) don't need to be reachable from the public internet, so I do not see the need for an actual domain. – bdutta74 Aug 23 '20 at 18:41
  • "why I should get one." Because then you are guaranteed to never run into collisions. And you immediately solve point 2, as there is no specific configuration involved. Otherwise, look at https://tools.ietf.org/html/draft-arends-private-use-tld-02 and use any "user-reserved" two-letter codes in the ISO list of countries. – Patrick Mevzek Aug 23 '20 at 19:26
  • A fake domain will work all right, until someone else registers it, and then it will be a real domain that belongs to someone else. You can use the `test` TLD (see RFC 6761) without worries, as it is reserved for this purpose. – Michael Hampton Aug 23 '20 at 22:22
  • Okay, thanks, point noted Patrick and Michael. – bdutta74 Aug 24 '20 at 11:24

3 Answers


The short answer is yes and it doesn't matter whether your domain is real or fake. It's just generally a better idea to use something you own (or a sub-domain of something you own) to avoid potential problems in the future. Using a real domain you own also makes it possible to get real (publicly trusted) certificates for names in that domain without needing to stand up an internal PKI.

Just about any DNS software can support what you're trying to do. It will be acting as both an "authoritative" and "recursive" DNS server. It will be authoritative for the example.com (or whatever) zone and recursion is the piece that allows queries it is not authoritative for to get resolved from the internet.

So your clients point to only your DNS server in their resolv.conf. Queries for anything in example.com get resolved using its records. Queries for anything else will have the DNS server reach out to the internet for the answers, (likely) cache them, and return them as "non-authoritative" responses to the client.

Ryan Bolger
  • Thanks, that explanation was very helpful in reading up about authoritative and recursive DNS servers. – bdutta74 Aug 24 '20 at 13:18

I use dnsmasq for similar purposes. I have it running on a Raspberry Pi. It serves as the local DNS server for my network, so all clients query it. If the domain is not in its local database or cache, it does a query to an Internet DNS server (I ran some tests to see which had the fastest response time and selected those).

With this setup, you can have both real and "fake" domains. For example, when working on a website, I might change the IP address of the real domain to a local work-in-progress address on the dnsmasq server. When I'm done and I want it to access the real website on the Internet, I just remove the setting. (Keep in mind this is a small network that I have complete control over. In a more complicated scenario, you wouldn't want to be changing things back and forth like that).

In dnsmasq, you can do:

address=/myfakedomain.com/10.16.1.20

to redirect queries for myfakedomain.com to the IP address specified. You can even do things like:

address=/plex/10.16.1.55

to enable users to type keywords and access services on the network.

I also use it as my DHCP server, and that's one way I ensure that it is given out as the primary DNS server for the network.

swmcdonnell
  • This is perhaps just what I needed. Thanks for sharing it. This youtube video dumbed it down further for me: https://www.youtube.com/watch?v=P2kiinwg00c – bdutta74 Aug 24 '20 at 11:43
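A complete dnsmasq configuration that puts together what the two answers above describe: the server answers for the internal zone itself, forwards everything else to public resolvers, and hands itself out as the DNS server over DHCP. This is an added example, not configuration from either answerer; it assumes the LAN is 10.0.0.0/24, dnsmasq runs on 10.0.0.2 on interface eth0, the internal zone is `example.test` (reserved by RFC 6761, as suggested in the comments, so it can never be registered by someone else), and the upstream resolvers, hostnames and addresses are constructed placeholders.

```conf
# Added example dnsmasq.conf (not from the original answers). Assumed values:
# LAN 10.0.0.0/24, this host 10.0.0.2 on eth0, internal zone example.test,
# upstream resolvers reachable through the NAT gateway. Hostnames/IPs constructed.

# Only answer on the LAN side; do not expose the resolver on other interfaces.
interface=eth0
bind-interfaces
listen-address=10.0.0.2

# Ignore this host's own /etc/resolv.conf and use only the upstreams listed here.
no-resolv
server=9.9.9.9
server=149.112.112.112

# Never forward dotless names or reverse lookups for RFC 1918 space upstream;
# they are answered locally (or with NXDOMAIN) instead of leaking to the internet.
domain-needed
bogus-priv

# The internal zone is answered only from this configuration and never sent
# upstream, so internal hostnames do not leak to public resolvers and a name
# with no local record gets NXDOMAIN rather than a public lookup.
local=/example.test/
domain=example.test
# Short names in this host's /etc/hosts get example.test appended automatically.
expand-hosts

# Static records for the internal hosts (the answer's address= form).
address=/build01.example.test/10.0.0.11
address=/db01.example.test/10.0.0.12
address=/git.example.test/10.0.0.20

# Everything else (real domains) is forwarded to the upstreams and cached.
cache-size=1000

# DHCP: lease addresses and advertise this host as the only DNS server and
# example.test as the search domain, so clients need no resolv.conf edits.
dhcp-range=10.0.0.100,10.0.0.200,12h
dhcp-option=option:dns-server,10.0.0.2
dhcp-option=option:domain-search,example.test
```

Validate the file with `dnsmasq --test -C /etc/dnsmasq.conf`, then confirm the split from a client with `dig @10.0.0.2 build01.example.test` (answered locally) and `dig @10.0.0.2 nosuchhost.example.test` (NXDOMAIN, nothing sent upstream).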

Try to use this solution: https://github.com/mocktools/ruby-dns-mock. It's easy to mimic any type of DNS record!