BUG: V4.28.0 Breaks Split Horizon DNS Configuration
This article discusses a bug encountered in the v4.28.0 pre-release of dnscontrol that affects the Split Horizon DNS feature. The issue results in a "duplicate domain name" error, preventing the successful configuration of split horizon DNS setups.
Understanding Split Horizon DNS and the Bug
Split Horizon DNS, a powerful technique for providing different DNS records to internal and external networks, is a key feature for many organizations. With split horizon DNS, you can direct internal users to internal resources while external users are directed to public-facing services. This approach enhances security and optimizes network performance. However, the v4.28.0 pre-release of dnscontrol introduces a bug that disrupts this functionality, causing a "duplicate domain name" error when attempting to configure split horizon DNS. This error effectively blocks the creation of distinct DNS zones for internal and external use, hindering the implementation of split horizon setups.
With dnscontrol v4.28.0 and a Split Horizon DNS configuration, dnscontrol preview fails with a "duplicate domain name" error, so the two views of the zone (one answering internal clients, one answering external clients) can no longer be built. The error prevents users from using the feature at all. Until a fix is released, the options are to report the bug, downgrade to a stable version, or apply a workaround.
Steps to Reproduce the Behavior
To reproduce this issue, follow these steps:
- Set up your dnsconfig.js file: Start by creating a dnsconfig.js file based on the Split Horizon DNS example code. For easier replication, configure both providers to bind, although the issue seems to impact all providers tested.

  var REG_NONE = NewRegistrar("none");
  var DNS_INSIDE = NewDnsProvider("bind");
  var DNS_OUTSIDE = NewDnsProvider("bind");

  D("example.com!inside", REG_NONE,
      DnsProvider(DNS_INSIDE),
      NAMESERVER("ns1.example.com."),
      A("www", "10.10.10.10"),
  );

  D("example.com!outside", REG_NONE,
      DnsProvider(DNS_OUTSIDE),
      NAMESERVER("ns2.example.com."),
      A("www", "20.20.20.20"),
  );

- Run dnscontrol preview: Execute the command dnscontrol preview in your terminal.
Expected Behavior
Ideally, the dnscontrol preview command should generate two distinct zones without errors. Here's what the expected output should look like:
******************** Domain: example.com
3 corrections (bind)
#1: + CREATE example.com SOA DEFAULT_NOT_SET. DEFAULT_NOT_SET. 3600 600 604800 1440 ttl=300
+ CREATE example.com NS ns1.example.com. ttl=300
+ CREATE www.example.com A 10.10.10.10 ttl=300
******************** Domain: example.com
3 corrections (bind)
#1: + CREATE example.com SOA DEFAULT_NOT_SET. DEFAULT_NOT_SET. 3600 600 604800 1440 ttl=300
+ CREATE example.com NS ns2.example.com. ttl=300
+ CREATE www.example.com A 20.20.20.20 ttl=300
Done. 6 corrections.
This output indicates that dnscontrol correctly identifies and prepares to create two separate zones for example.com, one for the internal network and one for the external network. Each zone has its own nameserver and A record, ensuring that internal and external users receive the appropriate DNS responses.
Actual Behavior
Instead of the expected behavior, the dnscontrol preview command produces the following error:
2025/12/04 23:58:08 1 Validation errors:
2025/12/04 23:58:08 ERROR: duplicate domain name: "example.com"
exiting due to validation errors
This error message shows that dnscontrol treats the two zones as duplicates and refuses to proceed: the validation step keys on the bare domain name and does not take the "!inside" and "!outside" split-horizon tags into account.
Because the check does not differentiate between the internal and external views, validation fails and the Split Horizon DNS configuration cannot be applied. Users must revert to a previous version or apply a workaround until the bug is fixed in a future release.
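To make the failure mode concrete, here is a small model of the validation check, written for this article and not taken from dnscontrol's source. It assumes only what the page shows: zone names of the form "name!tag", and a uniqueness check that either ignores the tag (the behaviour observed in v4.28.0) or includes it (the expected split-horizon behaviour).

```go
package main

import (
	"fmt"
	"strings"
)

// Zone is a minimal stand-in for a dnscontrol D() declaration (constructed
// model for this example, not dnscontrol's own types).
type Zone struct {
	Name string // bare domain, e.g. "example.com"
	Tag  string // split-horizon tag after "!", "" when absent
}

// splitHorizon separates "example.com!inside" into ("example.com", "inside").
func splitHorizon(spec string) Zone {
	name, tag, _ := strings.Cut(spec, "!")
	return Zone{Name: name, Tag: tag}
}

// validate returns "duplicate domain name" errors for the given D() specs.
// With byTag=false uniqueness is keyed on the bare name only, reproducing
// the v4.28.0 failure; with byTag=true it is keyed on name+tag, so two
// views of the same domain are accepted while a real duplicate still fails.
func validate(specs []string, byTag bool) []string {
	seen := map[string]bool{}
	var errs []string
	for _, s := range specs {
		z := splitHorizon(s)
		key := z.Name
		if byTag && z.Tag != "" {
			key = z.Name + "!" + z.Tag
		}
		if seen[key] {
			errs = append(errs, fmt.Sprintf("duplicate domain name: %q", z.Name))
			continue
		}
		seen[key] = true
	}
	return errs
}

func main() {
	// Constructed input mirroring the dnsconfig.js from the reproduction steps.
	specs := []string{"example.com!inside", "example.com!outside"}
	fmt.Println("name-only key:", validate(specs, false)) // one error, as in v4.28.0
	fmt.Println("name+tag key: ", validate(specs, true))  // no errors, as expected
}
```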
Additional Details
Bisecting the git history shows that the bug was introduced with commit 703084160fc722ebff56572fa11edd05788df592 by @tlimoncelli. Further isolation of the issue can be performed if needed.
Users who rely on Split Horizon DNS to manage their internal and external DNS configurations are directly affected: they can no longer create the separate zones that send internal traffic to internal resources and external traffic to public-facing services. A DNS setup left in this state is easy to misconfigure, which can cause access problems or expose records that were meant to stay internal.
Identifying the Root Cause: Pinning down the cause requires examining the changes made in commit 703084160fc722ebff56572fa11edd05788df592 and identifying how they interfere with the logic that distinguishes between internal and external zones in a Split Horizon DNS configuration. Knowing exactly which change triggered the bug makes a targeted fix possible.
Impact on Users: Split Horizon DNS is what lets an organization serve different DNS views to internal and external networks. Because the "duplicate domain name" error blocks configuration of those separate views, affected users risk internal resources being resolvable externally or external resources being unreachable from inside. Resolving the bug matters for both the correctness and the security posture of the affected networks.
Possible Workarounds and Solutions
While waiting for an official fix, consider these workarounds:
- Downgrade dnscontrol: Revert to a previous version of dnscontrol (e.g., v4.27.0) in which Split Horizon DNS works correctly. This resolves the issue until a fixed release is available.
- Implement Conditional DNS Forwarding: Configure your internal DNS server to forward queries for the affected domain to a different DNS server, selected by the source IP address of the client.
Exploring Alternative DNS Configurations: Beyond the workarounds above, consider alternative configurations that reduce reliance on dnscontrol's Split Horizon DNS feature, at least temporarily. Views in BIND, or comparable features in other DNS servers, offer another way to manage internal and external zones. These alternatives may require significant changes to your existing DNS infrastructure, so evaluate them carefully before implementation.
Staying Informed on Bug Fixes: Subscribe to the dnscontrol release announcements and watch the project's issue tracker so you are notified when a fix ships and can track any recommended patches in the meantime.
Conclusion
The bug in dnscontrol v4.28.0 that breaks Split Horizon DNS is a significant issue for users who rely on the feature. With the reproduction steps, the expected and actual behavior, and the workarounds above, users can limit its impact while awaiting an official fix.
For more information about DNS, visit ICANN.