Split-Horizon DNS Done Right

About

I've been using split-horizon DNS for years…and I've hated every minute of it. I hate having to maintain 2 sets of DNS records that refer to the same damn resource. It is my personal definition of “pain in the ass”. Recently, I started working with the Unbound resolver, and more specifically, the Python scripting module implementation it has. I was playing around with this for a project at work and it occurred to me while I was doing that, here is my answer to the plague that is split-horizon DNS.

I took it upon myself to write a nice little module that allows you to map external A records to internal IPs. This lets you keep a single external DNS record, such as “www.example.com” pointing to 1.2.3.4, while clients on your internal network are sent to the web server's actual internal address, 192.168.1.100.

The goal here is to walk you through setting up ub-split-map with a basic Unbound configuration to let you have a modern, fast internal resolver that transparently maps your external to internal addresses.

I'm not going to go into a lot of detail here; I assume anyone who has made it this far has some basic *nix technical knowhow and can do things like install necessary packages, etc.

Install Unbound

I'm not going to say a lot here, but make sure you have Unbound installed with the Python module. You'll want to do one of the following:

# Debian/Ubuntu
sudo apt-get install unbound python-unbound
# RHEL/CentOS/Fedora
sudo yum install unbound unbound-python
# Gentoo
USE=python emerge unbound
# Building Unbound from source
./configure --with-pythonmodule

That's it for now, we'll come back to configuration of unbound in a bit.

Install ub-split-map

There are several ways to do this as well. You can download the source from GitHub, clone the git repository from GitHub, or use easy_install or pip to install it.

Installing From Source

I'm going to assume you know how to download and unzip a file. Once you have the ub-split-map-x.x.x dir, do the standard Python install routine:

cd ub-split-map-x.x.x
sudo python setup.py install

Installing From PyPI

This is pretty simple if you have either easy_install or pip installed.

sudo pip install ub-split-map
# OR
sudo easy_install ub-split-map

Configuring ub-split-map

This is going to take a little bit of “file finding” in order to get set up depending on how you installed ub-split-map and how your system is configured, etc., but it's not too difficult. You should find ub-split-map.ini.default in an etc dir. This might be /etc, /usr/etc or /usr/local/etc, but it's there. Once you find that, move it to your /path/to/etc/unbound and rename it to ub-split-map.ini. For the purposes of this document, I'll assume your unbound config dir is /etc/unbound.

Opening up the file, you'll see a few sections. There is more info in the default ini file, but I'm going to go over the simplest, default config here.

You should see a [maps] section in the file. All you have to do is add your IP address maps here. For this example, we'll say you have some static IPs and that 2 of them are 55.55.55.54 and 55.55.55.55 and these map to 2 different servers on your internal network at 192.168.0.54 and 192.168.0.55 respectively. All you have to add to your config file under [maps] is the following:

55.55.55.54 = 192.168.0.54
55.55.55.55 = 192.168.0.55

That's it, you're done configuring your ub-split-map.
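
A pre-flight check for the [maps] entries above, as an added example that is not part of ub-split-map or the original page: it parses the section, rejects entries whose key is not an external address or whose target is not an internal one, and shows the rewrite such a map implies for A-record answers. The function names and the two bad sample lines are assumptions made for illustration.

```python
import configparser
import ipaddress

# Constructed sample: the two [maps] entries from the text plus two bad lines.
SAMPLE_INI = """
[maps]
55.55.55.54 = 192.168.0.54
55.55.55.55 = 192.168.0.55
55.55.55.56 = 8.8.8.8
not-an-ip = 192.168.0.57
"""

def load_maps(ini_text):
    """Return (maps, problems) for the [maps] section of ini_text."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    # Strict parsing: a repeated external IP raises DuplicateOptionError
    # instead of silently keeping only the last mapping.
    parser.read_string(ini_text)
    maps, problems = {}, []
    if not parser.has_section("maps"):
        return maps, ["no [maps] section"]
    for ext, internal in parser.items("maps"):
        try:
            ext_ip = ipaddress.IPv4Address(ext.strip())
            int_ip = ipaddress.IPv4Address(internal.strip())
        except ipaddress.AddressValueError as exc:
            problems.append(f"{ext} = {internal}: {exc}")
            continue
        if ext_ip.is_private:
            problems.append(f"{ext}: key is not an external address")
        elif not int_ip.is_private:
            problems.append(f"{ext}: target {internal} is not an internal address")
        else:
            maps[str(ext_ip)] = str(int_ip)
    return maps, problems

def rewrite_answers(addresses, maps):
    """Swap mapped external A-record addresses; pass everything else through."""
    return [maps.get(addr, addr) for addr in addresses]

if __name__ == "__main__":
    maps, problems = load_maps(SAMPLE_INI)
    print(maps)
    for problem in problems:
        print("rejected:", problem)
    # 93.184.216.34 is a constructed unmapped address and stays unchanged.
    print(rewrite_answers(["55.55.55.54", "93.184.216.34"], maps))
```

Running a check like this before restarting the resolver catches a typo that would otherwise send internal clients to an unintended host.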

Configuring Unbound

I'm not going to go into a full unbound configuration here, but instead I'll give you something very basic to get you up and running. There are a plethora of options for Unbound and I'd suggest reading through its docs for the full lowdown.

What I'm going to cover is, obviously, wiring up ub-split-map and configuring an internal for any additional internal devices that don't map to the outside world.

IMPORTANT: Many installs of Unbound will set up a chroot environment by default. This is by no means a bad idea, but I'm going to have you turn this off below, as running anything in a chroot brings different challenges that are beyond the scope of this document.

Wiring Up ub-split-map

First, we'll add the couple of lines needed to get ub-split-map working.

os/linux/general/splitdns.1361853392.txt.gz · Last modified: 2013/02/26 04:36 by jay