Split-horizon DNS

In computer networking, split-horizon DNS (djbdns terminology), split-view DNS (BIND terminology), or split-brain DNS (Microsoft terminology) is the facility in domain name service servers that provide access to different sets of DNS information to network clients, selected by, usually, the source address of the DNS request.

This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain, e.g., company) and access from an insecure, public network (e.g. the Internet).

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software) and is sometimes the implied meaning of the term "split-horizon DNS", since all other forms of implementation can be achieved with any DNS server software.

plit-Horizon and DNSSEC

Split-horizon DNS can give different authoritative answers to the same query, but DNSSEC allows DNS clients to safely accept answers from any source. This gives the potential for conflicting answers to cause confusion or security problems. The [http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view draft-krishnaswamy-dnsop-dnssec-split-view] internet draft gives an explanation of how to deal with combining these two DNS features.

ee also

* Comparison of DNS server software
* Split horizon networking - a similar concept for network routing