
Our office subnet is 10.1.10.0/24.

I have a gateway (10.1.10.1) that is forwarding DNS requests to a server running DNSmasq (10.1.10.2). I have an IPsec tunnel to our Parent Company's network (10.2.2.0/24).

In the resolv.conf on 10.1.10.2, I've specified two (2) nameservers, 8.8.8.8 (Google DNS) and 10.2.2.2 (Parent Company DNS).

My issue is that 10.2.2.2 also services another 10.1.10.0/24.
This means that sometimes reverse DNS lookups return hostnames on the foreign 10.1.10.0/24 instead of our internal network. We can see this by using tools like dig or IP scanners. Also, sometimes our OS X bash prompts show the wrong hostname.

So my proposed solution would be to direct all reverse DNS lookups for addresses within 10.1.10.0/24 to 10.1.10.2's internal lookup table, but I don't know how to go about this, or if this is the right solution.

I should note that I have no control over 10.2.2.2.

EDIT: I have found another possible solution. I'll test it out before adding it as an answer. Assuming 10.1.10.1 uses DNSmasq, I can specify the --bogus-priv option. Since 10.1.10.1 is also our DHCP server, it should return "no such domain" for any reverse DNS queries of hosts within 10.1.10.0/24 that are not within the DHCP leases file.

Josh Cooley

2 Answers


Try this: set up a DNS server that will serve revs properly (and anything else you want), but will forward the rest to 10.2.2.2. I assume you can change the DNS from 10.2.2.2 to 10.1.10.2 on client machines. If you can't do that, grab the network traffic to 10.2.2.2 on a router and redirect it (except 10.1.10.2 of course). This should work transparently.

Konrad Gajewski
  • > that will serve revs properly – Josh Cooley May 06 '15 at 20:31
  • "that will serve revs properly" Revs? The clients are sending all DNS traffic to 10.1.10.1 which then forwards to 10.1.10.2. DNS lookups should not be going directly to 10.2.2.2 from the client machines (unless someone has specified it on their machine). I'm not sure I understand what you're suggesting. If I were to redirect DNS traffic destined to 10.2.2.2, to instead go to 10.1.10.2, it might still send it back to 10.2.2.2 since it is a specified resolver. – Josh Cooley May 06 '15 at 20:38
  • Revs - reverse DNS queries. Ok, so now you are forwarding the traffic on the level of IP redirect, is that correct? – Konrad Gajewski May 06 '15 at 21:14

Using the dnsmasq --bogus-priv option worked for me. Since 10.1.10.1 is also our DHCP server, it returns "no such domain" for any reverse DNS queries of hosts within 10.1.10.0/24 that are not within the DHCP leases file.

From dnsmasq(8):

-b, --bogus-priv Bogus private reverse lookups. All reverse lookups for private IP ranges (ie 192.168.x.x, etc) which are not found in /etc/hosts or the DHCP leases file are answered with "no such domain" rather than being forwarded upstream.

Josh Cooley
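As an added example (not code from either answer), a POSIX shell script that derives the in-addr.arpa zone for the office /24 and emits the dnsmasq lines for both approaches discussed above: the accepted answer's bogus-priv, which keeps every RFC 1918 reverse lookup local, and a narrower local=/10.1.10.in-addr.arpa/ line that keeps only the office subnet local, which is one way to build the "serve reverse lookups locally, forward the rest to 10.2.2.2" resolver the first answer describes. The addresses follow the question (dnsmasq on 10.1.10.2, upstreams 8.8.8.8 and 10.2.2.2); the function names and the all-private/office-only mode names are this example's own.

```shell
#!/bin/sh
# Added example, not part of either answer. Emits dnsmasq configuration that
# answers reverse lookups for the office subnet from /etc/hosts and the DHCP
# leases file and never forwards them upstream. Addresses are the question's;
# the mode names (all-private, office-only) are this example's own.

# rev_zone CIDR: print the in-addr.arpa zone for a /8, /16 or /24 network,
# e.g. 10.1.10.0/24 -> 10.1.10.in-addr.arpa
rev_zone() {
    bits=${1#*/}
    oldifs=$IFS
    IFS=.
    set -- ${1%/*}          # split the network address into octets $1..$4
    IFS=$oldifs
    case $bits in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "rev_zone: only /8, /16 and /24 networks are supported" >&2; return 1 ;;
    esac
}

# dnsmasq_conf CIDR MODE: print the resolver configuration for the dnsmasq host.
#   all-private  - the accepted answer: bogus-priv covers every RFC 1918 range
#   office-only  - local=/<zone>/ keeps only the office /24 from being forwarded
dnsmasq_conf() {
    zone=$(rev_zone "$1") || return 1
    mode=${2:-office-only}
    echo "# Upstream resolvers, equivalent to the two nameserver lines in /etc/resolv.conf"
    echo "no-resolv"
    echo "server=8.8.8.8"
    echo "server=10.2.2.2"
    case $mode in
        all-private)
            echo "# PTR queries for any private range not found in /etc/hosts or the DHCP"
            echo "# leases file are answered NXDOMAIN and never leave this host."
            echo "# Note: this also covers the parent company's 10.2.2.0/24."
            echo "bogus-priv" ;;
        office-only)
            echo "# Only $1 is answered from local data; PTR queries for other private"
            echo "# ranges (such as 10.2.2.0/24) are still forwarded upstream."
            echo "local=/$zone/" ;;
        *)
            echo "dnsmasq_conf: mode must be all-private or office-only" >&2; return 1 ;;
    esac
}

# Usage: sh this-script.sh [CIDR] [all-private|office-only]
dnsmasq_conf "${1:-10.1.10.0/24}" "${2:-office-only}"
```

Either mode fixes the leak the question describes: a reverse lookup for an office address is answered from the DHCP leases file or with "no such domain", so neither Google DNS nor the parent company's resolver ever sees the office's PTR queries or gets to answer them with a name from the foreign 10.1.10.0/24. The difference is scope: bogus-priv treats the whole of 10.0.0.0/8 as local, so hostnames of parent-company hosts in 10.2.2.0/24 also stop resolving; the local=/10.1.10.in-addr.arpa/ form keeps those working. To check the result after restarting dnsmasq, `dig -x 10.1.10.50 @10.1.10.2` should return the DHCP-assigned hostname or `status: NXDOMAIN`, and `tcpdump -ni eth0 udp port 53 and host 8.8.8.8` run at the same time should show no in-addr.arpa query leaving the resolver.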