
Server-side split-horizon DNS?

I have a small set of requirements which I'm having trouble figuring out how to implement, or if it is even possible.

The requirements are:

  1. Mobile clients (phones, laptops & tablets) always use NextDNS, even when connected to a network I don't control like 4G or some external wifi.
  2. When clients are connected to a network I control, they should resolve some internal hosts (e.g. someservice.mycompany.com) to their direct internal IP rather than the public IP that allows access over the internet.

Individually, each requirement is easy to satisfy, but I can't figure out how to solve them together.

To solve the first requirement, I simply configure the device to directly use my NextDNS profile as its resolver, but this then means any DNS config I make for my own network, such as Split Horizon or Conditional Profiles, doesn't work because the device is not using the local resolvers.

The only ways I can think of to make this work would be:

  1. If NextDNS supports some sort of source IP-based selection of which profile to use, so I can set some custom Rewrites in my LAN profile or use the public IPs in the WAN profile.
  2. If NextDNS supports some sort of source IP-based conditions for applying Rewrites, so that the rewrite overriding my internal sites to internal IPs only applies if the source IP is one of my networks.
  3. If I can get some sort of script to run on each device that manually switches profiles when they join one of my LAN networks. Given some devices are Android & iOS, I don't think that will be possible though.
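The second requirement, as an added example that is not from the original post or from NextDNS: a small split-horizon forwarder in Python that applies a rewrite only when the query's source address is inside one of the LAN prefixes (the behaviour option 2 above asks for), and relays every other query unchanged to an upstream resolver, which in a real deployment would be something that already talks to NextDNS, such as a local nextdns CLI instance. The hostnames, addresses, prefixes and upstream port are assumptions; it handles A queries over UDP only, and it covers the LAN side of the problem, not how a device pinned to DoH is made to use it.

```python
"""Minimal split-horizon DNS forwarder (added example, not NextDNS code).

Queries from LAN_PREFIXES for names in REWRITES are answered with the internal
address; every other query is forwarded untouched to UPSTREAM. All addresses
and names below are hypothetical.
"""
import ipaddress
import socket
import struct

LAN_PREFIXES = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]          # assumed LANs
REWRITES = {"someservice.mycompany.com": "10.0.5.20"}           # assumed mapping
UPSTREAM = ("127.0.0.1", 5353)                                   # assumed resolver
QTYPE_A = 1


def parse_question(msg):
    """Return (qname, qtype, end_offset) of the first question in a DNS message.

    Label compression is not expected in a question section, so it is not handled.
    """
    labels, pos = [], 12                                          # 12-byte header
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels).lower(), qtype, pos + 5


def build_query(qname, txid=0x1234):
    """Build a standard recursive A query (used for the stand-alone demo)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, 1 question
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", QTYPE_A, 1)


def build_a_response(query, qend, ip, ttl=60):
    """Answer `query` with a single A record pointing at `ip`."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # Name as a compression pointer to offset 12, type A, class IN, TTL, rdlength 4
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return header + query[12:qend] + answer


def answer_ip(response):
    """Extract the address from a response produced by build_a_response."""
    _name, _qtype, qend = parse_question(response)
    rdlen = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return str(ipaddress.IPv4Address(response[qend + 12:qend + 12 + rdlen]))


def resolve_locally(query, client_ip):
    """Return a split-horizon answer, or None if the query must go upstream."""
    qname, qtype, qend = parse_question(query)
    if qtype != QTYPE_A or qname not in REWRITES:
        return None
    if not any(ipaddress.ip_address(client_ip) in net for net in LAN_PREFIXES):
        return None            # off-LAN client: upstream hands out the public IP
    return build_a_response(query, qend, REWRITES[qname])


def serve(bind=("0.0.0.0", 53)):
    """UDP loop: answer locally when resolve_locally says so, else relay upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        query, client = sock.recvfrom(512)
        try:
            answer = resolve_locally(query, client[0])
            if answer is None:
                with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                    up.settimeout(2)
                    up.sendto(query, UPSTREAM)
                    answer, _ = up.recvfrom(4096)
            sock.sendto(answer, client)
        except (socket.timeout, IndexError, struct.error, UnicodeDecodeError):
            continue           # drop malformed queries and upstream timeouts


if __name__ == "__main__":
    demo = build_query("someservice.mycompany.com")
    print(answer_ip(resolve_locally(demo, "10.0.1.7")))    # 10.0.5.20 (LAN client)
    print(resolve_locally(demo, "203.0.113.9"))             # None (goes upstream)
    serve()                                                 # binding :53 needs root
```

The forwarder itself speaks plain UDP to its upstream, so the encrypted leg to NextDNS has to be provided by whatever UPSTREAM points at; the check worth running after deploying something like this is the same query from a LAN address and from an outside address, confirming the first returns the internal IP and the second the public one.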

6 replies

    • NextDNs
    • 3 wk ago
    • bky
    • 3 wk ago

      Thanks, I've already had a look at that and reference it in my question. The problem I'm having with it is that I can't figure out how to get it to work alongside having my mobile devices always use NextDNS even when not on my LAN. If I configure my devices to directly use DoH/DoT in their OS/browser config, then they don't seem to use the local NextDNS CLI resolver on my LAN.

      • NextDNs
      • 3 wk ago

      Exclude the SSID of your WiFi network on your mobile devices.

      • bky
      • 3 wk ago

      I don't think this is an option on Android, Windows, Chrome, etc. I just did a bit of looking around and it seems doing this requires quite a lot of custom and advanced work, such as for Android, installing a 3rd party app, putting the device into Developer mode and running some debug commands on it (see https://florianjensen.com/2024/06/24/disabling-android-private-dns-on-specific-wifi-network/).

      I happened to stumble upon https://help.nextdns.io/t/y4h4rrx/use-router-dns-when-at-home-nextdns-otherwise (which I didn't find during my initial research) while looking into this and that is the same requirement I have and also has no solution provided.

      • NextDNs
      • 3 wk ago

      Our app on Windows supports SSID exclusion through its MSI installation (YogaDNS supports this as well, if I recall correctly). iOS and macOS provide native support for this feature. Unfortunately, Android remains the only platform with quite limited support for encrypted DNS.

      • bky
      • 3 wk ago

      Thanks. I didn't realise there was a Windows app so I'll give that a try, but unfortunately, most of the mobile devices I'm interested in are Android.

      I've thought up another way that I might be able to get this to work, by running a transparent proxy on my gateway and then rerouting traffic to my internal sites based on SNI to their internal destinations. It seems like a lot of overhead to proxy all traffic for fixing the routing of a tiny fraction of it, but should work in theory.
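The routing step of the transparent-proxy idea above, as an added example that is not part of the original thread: the gateway peeks at the first TLS record of each connection, reads the server_name extension from the ClientHello, and splices the client to an internal backend when the name is one of ours, otherwise to a default destination. The hostnames, addresses and ports are assumptions, and DEFAULT_BACKEND stands in for the original destination that a real transparent setup would recover from the redirect (for example SO_ORIGINAL_DST with an iptables REDIRECT rule).

```python
"""SNI-based TLS splicing proxy (added example, not from the thread).

Peeks at the ClientHello without consuming it, picks a backend by server_name,
then relays bytes in both directions. Names and addresses are hypothetical.
"""
import socket
import struct
import threading

INTERNAL_BACKENDS = {"someservice.mycompany.com": ("10.0.5.20", 443)}  # assumed
DEFAULT_BACKEND = ("203.0.113.10", 443)   # assumed stand-in for the original dest


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                 # headers, client_version, random
        pos += 1 + record[pos]                           # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                           # compression_methods
        if pos + 2 > len(record):
            return None                                  # no extensions block at all
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:                            # server_name extension
                p = pos + 2                              # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = record[p]
                    name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                    if name_type == 0:                   # host_name entry
                        return record[p + 3:p + 3 + name_len].decode("ascii").lower()
                    p += 3 + name_len
                return None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def pick_backend(record):
    """Choose the destination for a connection from its first TLS record."""
    return INTERNAL_BACKENDS.get(extract_sni(record), DEFAULT_BACKEND)


def build_client_hello(server_name):
    """Constructed TLS 1.2-style ClientHello carrying only an SNI extension (demo input)."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode("ascii")
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"           # one cipher suite
            + b"\x01\x00"                                  # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _pipe(src, dst):
    """Copy bytes one way until EOF or error, then tear both sockets down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client):
    """Peek at the ClientHello (left in the buffer), connect, then splice."""
    first = client.recv(4096, socket.MSG_PEEK)
    backend = socket.create_connection(pick_backend(first), timeout=5)
    backend.settimeout(None)
    threading.Thread(target=_pipe, args=(client, backend), daemon=True).start()
    _pipe(backend, client)


def serve(bind=("0.0.0.0", 443)):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    print(pick_backend(build_client_hello("someservice.mycompany.com")))  # internal
    serve()                                                 # binding :443 needs root
```

Two caveats a practitioner would check before relying on this: a single MSG_PEEK may return only the start of a large ClientHello on a slow link, so production code should wait until the full record length from the 5-byte header has arrived, and any client using Encrypted Client Hello will present no readable server_name, so such connections fall through to the default destination.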
