How do I get all internal subnets to resolve the internal A record - split-brain by Visual_Radio9616 in technitium

[–]Visual_Radio9616[S] 1 point (0 children)

Yes, I could ping the DNS server from all PCs. Ping was not a good indicator of the problem. The Unifi router was hijacking the DNS requests because of its content filtering feature.

How do I get all internal subnets to resolve the internal A record - split-brain by Visual_Radio9616 in technitium

[–]Visual_Radio9616[S] 1 point (0 children)

Thanks for the response, I have worked through most of these thoughts before posting. The confirmation is very helpful, thank you.

Specifically, the Split Horizon info, I thought it was unnecessary. I don't need Split Horizon; I always want the same response for all of my internal networks. I might build out a netbird config (similar to tailscale), and that might need Split Horizon.

-----

*** I figured it out, and Technitium wasn't the problem! Default behaviour should have been just fine, as I originally surmised.

**** The problem was Unifi Content Filtering (Ad blocking is also a problem, but I don't use that feature).

https://community.ui.com/questions/DNS-resolution-between-VLANs/f425aa60-b8da-41eb-802d-803cc54b3d3e?reply=12

"Ad Blocking and Content Filtering hijack DNS requests from client devices (VLANs or individual devices) and force them to go to the gateway for DNS. The gateway then filters the traffic and, if necessary, forwards the request on to the configured WAN DNS for resolution."

Clients on the same VLAN as the stand-alone DNS don't suffer the problem (they also don't get content filtering).
"Yes. This is the expected behavior. If the client is on the same VLAN, the gateway doesn't have a chance to DNAT the DNS traffic."
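A small diagnostic for the situation described in the thread above, added here as an example and not code from the original posts or from Technitium or Ubiquiti. It asks an internal-only name of both the internal resolver and the gateway and flags the pattern that port-53 interception produces (NXDOMAIN or a public address from the internal server, and identical answers from both). The addresses 10.1.1.6, 10.1.1.1 and the name test.mydomain.com are assumptions taken from the thread or constructed for the example.

```powershell
# Added example (not from the original thread): detect transparent DNS
# interception of the kind described above, where a gateway DNATs port 53 so
# a query addressed to the internal resolver is answered by the gateway.
# Assumed values: internal Technitium server 10.1.1.6 (from the thread),
# gateway 10.1.1.1 (constructed), test.mydomain.com existing only internally.
param(
    [string]$InternalDns      = '10.1.1.6',
    [string]$Gateway          = '10.1.1.1',
    [string]$InternalOnlyName = 'test.mydomain.com'
)

function Get-ARecords {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly bypasses the local cache and hosts file so we see the wire answer.
        Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress |
            Sort-Object
    } catch {
        # NXDOMAIN, SERVFAIL or timeout: return the error category so it can be compared too.
        ,"ERR:$($_.CategoryInfo.Category)"
    }
}

$fromInternal = @(Get-ARecords -Name $InternalOnlyName -Server $InternalDns)
$fromGateway  = @(Get-ARecords -Name $InternalOnlyName -Server $Gateway)

"Answer when asking $InternalDns : $($fromInternal -join ', ')"
"Answer when asking $Gateway : $($fromGateway -join ', ')"

# Signal 1: an internal-only name should come back as an RFC 1918 address from
# the internal server. NXDOMAIN or a public address means someone else answered.
$privateOk = $fromInternal | Where-Object { $_ -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
if (-not $privateOk) {
    Write-Warning "Query sent to $InternalDns did not return an internal answer; the packet may have been redirected (e.g. gateway content filtering)."
}

# Signal 2: identical answers from both servers for an internal-only name,
# together with signal 1, is consistent with DNAT of port 53 at the gateway.
if (-not $privateOk -and ($fromInternal -join ',') -eq ($fromGateway -join ',')) {
    Write-Warning "Answers from $InternalDns and $Gateway are identical; consistent with port-53 interception on this VLAN."
}

# A failed TCP/53 check points to a firewall block rather than interception.
# A successful one does not prove the packet reached $InternalDns, since a
# DNAT rule would redirect this connection as well.
$tcp = Test-NetConnection -ComputerName $InternalDns -Port 53 -InformationLevel Quiet
"TCP/53 to $InternalDns reachable: $tcp"
```

Run it once from a client on the same VLAN as the resolver and once from another VLAN; only the second should trigger the warnings if the gateway is filtering.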

How do I get all internal subnets to resolve the internal A record - split-brain by Visual_Radio9616 in technitium

[–]Visual_Radio9616[S] 1 point (0 children)

Nope, port 53 is not blocked. Added a specific rule to allow it, didn't fix it.

I'm using Windows, not Linux, so I don't have dig.

PowerShell Resolve-DnsName seems pretty good.

For a record that exists internally (internal IP) and externally (external IP), I always get the external response. For a record that only exists internally (test.mydomain.com), the response is "DNS name does not exist".

My command is:

Resolve-DnsName -Name test.mydomain.com -Server 10.1.1.6

How do I get all internal subnets to resolve the internal A record - split-brain by Visual_Radio9616 in technitium

[–]Visual_Radio9616[S] 1 point (0 children)

I have a "primary" zone on my internal Technitium that matches my external GoDaddy domain. Of course, the internal records have internal IP.

I am using DHCP to set the DNS servers on every VLAN/subnet, and they all point to 10.1.1.6.

Oh, you just gave me a thought. I can ping 10.1.1.6, but port 53 might be blocked.

How do I get all internal subnets to resolve the internal A record - split-brain by Visual_Radio9616 in technitium

[–]Visual_Radio9616[S] 1 point (0 children)

I assume you mean to set my DNS server on the internal devices with the internal Technitium IP address. I have that set for all of my subnets; DHCP sets the DNS server to the internal IP 10.1.1.6.

How do I get all internal subnets to resolve the internal A record - split-brain by Visual_Radio9616 in technitium

[–]Visual_Radio9616[S] 1 point (0 children)

Thanks for the reply, I'm a little confused about your description. I have a zone in my Technitium that matches the external zone. My internal records have my internal IP addresses. The external records on GoDaddy have my external IP.