In computer networking, split-horizon DNS (also known as split-view DNS, split-brain DNS, or split DNS) is the facility of a Domain Name System (DNS) implementation to provide different sets of DNS information, usually selected by the source address of the DNS request.

This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain, e.g., company) and access from an unsecure, public network (e.g. the Internet).

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software) and is sometimes the implied meaning of the term split-horizon DNS, since all other forms of implementation can be achieved with any DNS server software.

Split-horizon DNS can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain, e.g., company) and access from an unsecure, public network (e.g. the Internet).

One common use case for split-horizon DNS is when a server has both a private IP address on a local area network (not reachable from most of the Internet) and a public address, i.e. an address reachable across the Internet in general. By using split-horizon DNS the same name can lead to either the private IP address or the public one, depending on which client sends the query. This allows for critical local client machines to access a server directly through the local network, without the need to pass through a router. Passing through fewer network devices improves the network latency.

As an example, the DNS server could be configured to return two different sets of records for the host host1.example.net for requestees internal and external to a corporate network. The internal response could look like:

@       IN SOA  ns.example.net admin.example.net. (
                                2010010101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN      NS              ns
ns      IN      A               203.0.113.2
host1   IN      A               10.0.0.10

While the external response would be:

@       IN SOA  ns.example.net admin.example.net. (
                                2010010101      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN      NS              ns
ns      IN      A               203.0.113.2
host1   IN      A               203.0.113.10

Split-horizon DNS is designed to provide different authoritative answers to an identical query and DNSSEC is used to ensure veracity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations to properly combine these two DNS features. [1]

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software) and is sometimes the implied meaning of the term split-horizon DNS, since all other forms of implementation can be achieved with any DNS server software.

• Comparison of DNS server software
• Split horizon route advertisement

[1] Split-View DNSSEC Operational Practices

• Providing "split horizon" DNS service
• BIND 9 Configure Views To Partition External and Internal DNS Information
• Providing "split horizon" DNS service on OS X Server systems (as of OS X Server version 10.6.2)
• Detailed How-to on DNS Views on Bind 9

Category:Domain Name System

[1] Split-View DNSSEC Operational Practices

This page uses material from the Wikipedia article "Split-horizon DNS", which is released under the Creative Commons Attribution-Share-Alike License 3.0.

Last updated: 2022-12-02. View the most recent edits on Wikipedia.