Overriding single host in master zone with BIND

So I maintain a (small) network with two physical sites, both of which have dynamic IPs on their outside (internet facing) interfaces. Both sites have their own DNS server running on the system that connects them to the internet which is configured to only allow queries from inside that site’s LAN. Those sites are configured as slaves to each other, and are connected to each other via a site-to-site VPN. Zone transfers are only allowed over the VPN; if the VPN goes down, the sites cannot transfer and nameservice stops working for the remote site (which is fine, as none of those addresses are reachable without the VPN anyway).

The following information isn’t using the actual names from my network but the hierarchical information is the same. I don’t really want to put my actual hostnames and domain all over reddit.

For the longest time I used Dyn for dynamic DNS. Each site was configured with an external name (“gatewaya.dnsalias.com” and “gatewayb.dnsalias.com”) and the zones for each side were configured as “a.site” and “b.site” (so the internal name for “gatewaya.dnsalias.com” was “gatewaya.a.site” and likewise with “gatewayb.dnsalias.com” being “gatewayb.b.site” internally).

This meant that from either side “gatewaya.dnsalias.com” always pointed at the external address and “gatewaya.a.site” always pointed at the internal address.

Because of Dyn’s pricing changes (and the otherwise unsuitability of every other dynamic DNS provider I looked into), I ended up getting my own domain instead through Google Domains, that provides dynamic DNS for that domain. So far so good, I configured the dynamic DNS so that the external names are now “gatewaya.mydomain.net” and “gatewayb.mydomain.net”, and that all worked fine.

The problem arose when I wanted to use split DNS to use my new domain internally. I changed all of site A’s machines to now be named “machine.mydomain.net” and changed my BIND server to be the master for the “mydomain.net” zone. This works fine for site A; all of the local machines resolve fine and “gatewaya.mydomain.net” now resolves to the internal address.

The problem is that machines on site A can no longer resolve “gatewayb.mydomain.net”; because the local DNS server is the master for that zone, and it doesn’t know what the address is, it just returns SERVFAIL. And because “gatewayb.mydomain.net” is actually a dynamic address, I can’t just put an entry in the master zone file.

Is there any way to configure BIND so that it is authoritative for every host in “mydomain.net” except for “gatewayb”? I see a lot of help on the internet for overriding a single hostname locally, but no help for what I’m trying to do. Setting up a zone for each hostname isn’t feasible, I have about 50 hosts at one site and about 20 at the other.

Is there any other way to do this other than splitting the two sites into subdomains (such as “machine.sitea.mydomain.net” and “machine.siteb.mydomain.net”)?

I am no DNS expert at all. But have you tried setting the gatewayb domain manually to have an NS record to the gatewayb authoritative? Don’t know if that works but it’s the first thing that came to my head.
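The delegation suggested in that reply, written out as an added configuration example (not from the original thread): the internal master zone for mydomain.net stays authoritative for every host, but delegates the single name gatewayb.mydomain.net to the public nameservers the registrar uses for the domain, so the local BIND chases that delegation for recursive LAN clients instead of answering SERVFAIL. The ns1/ns2.public-dns.invalid names and the 10.0.1.x addresses are placeholders assumed for this example; the real public NS names and internal addresses are not in the thread.

```zone
; db.mydomain.net  (internal master zone, site A)
; Assumed layout for this example; the real serial, addresses and NS names
; come from your own setup. Bump the serial after editing so the site-B
; slave picks up the change on its next transfer.
$ORIGIN mydomain.net.
$TTL 3600
@           IN  SOA   gatewaya.mydomain.net. hostmaster.mydomain.net. (
                      2024010101  ; serial (placeholder)
                      3600        ; refresh
                      900         ; retry
                      1209600     ; expire
                      300 )       ; negative-cache TTL
@           IN  NS    gatewaya.mydomain.net.

; Internal addresses, as the post describes for site A.
gatewaya    IN  A     10.0.1.1
machine     IN  A     10.0.1.20

; Delegate ONLY gatewayb to the public nameservers for mydomain.net.
; They are authoritative for the whole public zone, so they answer this
; name with the dynamic-DNS address. Placeholders: replace with the
; registrar's real NS hostnames. No glue is needed because the NS names
; are outside this zone.
gatewayb    IN  NS    ns1.public-dns.invalid.
gatewayb    IN  NS    ns2.public-dns.invalid.
```

Check it from a LAN host with `dig @<site-A server> gatewayb.mydomain.net A`: a NOERROR answer carrying the public address means the delegation is being followed, while a continued SERVFAIL means the local server cannot reach the delegated nameservers. Note that the site-B slave receives the same delegation, so its clients will also get the public address for gatewayb rather than an internal one.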