Hey everyone, I've been struggling with a tricky DNS setup for an IT school's internal sandbox for students. They own the domain "schoolname-lab.fr" and need to access various tools both from the public IP and internally. For example, git.schoolname-lab.fr should point to 100.100.100.100 from outside and 172.16.1.1 when connected to the internal network or VPN. While my configuration works when I modify the /etc/hosts file, the internal DNS server (Bind running on 172.31.30.254) fails to return the internal IP when queried. The setup includes:
- Bought domain from OVH with external DNS.
- Internal DNS set as primary for WiFi/LAN.
- Success when querying directly on the Bind server using dig, but incorrect responses when querying from other machines in the network.
- Wireshark confirms that queries are sent to the internal DNS, but the responses are wrong and not logged.
I also found some configuration snippets in my named.conf.local and named.conf.options files. I'm considering alternatives to Bind if needed. Can anyone point me in the right direction? Thanks!
3 Answers
It could be that your school's network is using some transparent DNS filtering or proxying. Check if there are any filtering rules or a middle-man DNS running that is affecting your queries. The fact that you're not seeing your expected queries logged is a strong hint.
Sounds like you might have another DNS service running on the internal server that could be interfering. You can check by running `ss -lunp | grep 53`. If it's showing multiple processes, that could explain the unexpected behavior. Make sure that Bind is the only service handling DNS queries on 172.31.30.254 and not restricted to just 127.0.0.1.
I ran your config through an AI tool, and it suggested removing or commenting out the line `response-policy { zone "schoolname-lab.fr"; };`. You might want to try that and see if it resolves your issue!
I tried removing it, but unfortunately, the problem persists.
I did check, and it looks like Bind is indeed listening on 172.31.30.254:53. However, I can still get the correct response from the server itself, just not from other machines.