How to get Split Horizon App to work

[mytlogos]

I wanted to use technitium for giving different responses depending on where the client is.
More concrete:
I currently have a local dns server in my network (192.168.1.0/24) and am using tailscale for accessing my local service when outside of my home.
The dns server is also serving on tailscale.

My problem now is that tailscale clients outside my local network get dns records for my local network instead for tailscale (i COULD use multiple dns server, but it does seem a bit of a waste).

I thought technitium could solve this problem with the split horizon app, but the documentation seems to be "missing", though there is some description in the web ui.

But i just dont understand how i can get this to work, how the config works, what some properties represent and problems /scenarios can the corresponding apps/part of the apps solve.

I did search for the github issues, google, duckduckgo, reddit and whatsoever but still cant get it to work.

Currently the Split Horizon App consists of three classes which all use the same config (in different ways?):

• AddressTranslation
• SimpleAddress
• SimpleCName

AddressTranslation should to be active as soon as the app is installed, as the web ui does not indicate that it requires an app record, contrary to the other two.

The description of AddressTranslation says

Translates IP addresses in DNS response for A & AAAA type request based on the client's network address and the configured 1:1 translation. Also supports reverse (PTR) queries for translated addresses.

So according to the description, the AddressTranslation could be used to translate my local dns entries to tailscale ip addresses.

Thus i fired up the docker compose file from the github repo and then:

1. created a zone "lan"
2. create a "A" dns entry example.lan in said zone with ip 192.168.1.100
3. Installed Split Horizon app from the builtin app store (Version 6.0.4) and created the following json config:

The docker network of the current container is 172.18.0.0/16 with the gateway being 172.18.0.1

{
  "enableAddressTranslation": false,
  "networkGroupMap": {
      "192.168.1.0/24": "local",
      "172.18.0.0/16": "docker"
  },
  "groups": [
    {
        "name": "docker",
        "enabled": true,
        "translateReverseLookups": true,
        "externalToInternalTranslation": {
           "192.168.1.100": "172.18.0.5"
        }
     },
  ]
}

Now i would expect a query from the docker host (nslookup -port=53 example.lan localhost to return 172.18.0.5, but it returns 192.168.1.100 instead.

The logs contain:
[2023-09-03 13:57:39 UTC] [172.18.0.1:32862] [UDP] QNAME: example.lan; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [192.168.1.100]

Seeing that the client ip (the docker gateway) falls in the docker group network, it should translate the requested ip.

The logs do not contain any info for debugging the apps itself, so i do not know if the config is wrong or the app has a bug or what else.

Any help?

[ShreyasZare]

Thanks for asking. Yes, there is lack of documentation for many features including Split Horizon. There is a blog post planned for it which will explain the various ways Split Horizon can be configured.

In your case, since you have a local primary zone which you need to implement Split Horizon, the DNS app you installed will be needed. The app provides Address Translation feature and you can configure a list of addresses to be automatically translated when serving the query response. In your config, the enableAddressTranslation seems to be set to false which is why the translation is not working. Just enable it and it should work.

You can also use an APP record in your zone instead of address translation. The APP record with class set to SimpleAddress will allow you to configure the network address and its corresponding IP address to respond. The APP record approach provides granular control.

Let me know if you were able to get it to work.

[mytlogos]

Arggh, yes that was it...

Thanks for your help

[mytlogos]

I dont understand what exactly the SimpleAddress and SimpleCNAME is doing (and how the APP records do their things there), i would need an example

[ShreyasZare]

Address Translation feature does bulk IP translation automatically which is useful for some scenarios. Whereas, the APP record approach allows you to have a record in your primary zone and will work with a secondary zone too unlike address translation where you would need to copy the config to the secondary server.

The SimpleAddress class will respond with an A record when queried while the SimpleCNAME will respond with a CNAME, so you got to use it as per the requirement for A/CNAME response. Both the APP record classes support public and private keywords to identify networks. You can also define a custom network and use it by name or directly use the network address. For SimpleAddress you can add one or more IP addresses in the array as the response.

When the APP record received a query, it will respond to it based on the client's IP address based on the JSON config you have for that APP record. See this example of APP record that I am using for my zone:

When you query for pi1.home.zare.im from the Internet, you will get a CNAME for public.home.zare.im which resolves to the public IP address. Whereas when I try to resolve it from my local network, I get CNAME for pi1.home which resolves to local IP address.

Try adding a test APP record and you will see a JSON template for it which you can edit as per your needs. Then query for the record from the network you have configured to confirm the response.