Split-horizon DNS
Encyclopedia
In computer networking, split-horizon DNS, split-view DNS, or split-brain DNS is the facility of a Domain Name System
(DNS) implementation to provide different sets of DNS information, selected by, usually, the source address of the DNS request.
This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain
, e.g., company) and access from an insecure, public network (e.g. the Internet
).
Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone
records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software
) and is sometimes the implied meaning of the term split-horizon DNS, since all other forms of implementation can be achieved with any DNS server software.
is used to ensure verity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations to properly combine these two DNS features.
Domain name system
The Domain Name System is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities...
(DNS) implementation to provide different sets of DNS information, selected by, usually, the source address of the DNS request.
This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an administrative domain
Administrative domain
-Definition:An administrative domain is a service provider holding a security repository permitting to easily authenticate and authorize clients with credentials.This particularly applies to computer network security....
, e.g., company) and access from an insecure, public network (e.g. the Internet
Internet
The Internet is a global system of interconnected computer networks that use the standard Internet protocol suite to serve billions of users worldwide...
).
Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to DNS zone
DNS zone
A DNS zone is a portion of the global Domain Name System namespace for which administrative responsibility has been delegated.-Definition:...
records. The latter is a common feature of many server software implementations of the DNS protocol (cf. Comparison of DNS server software
Comparison of DNS server software
This article presents a comparison of the features, platform support, and packaging of independent implementations of Domain Name System name server software.- Servers compared :...
) and is sometimes the implied meaning of the term split-horizon DNS, since all other forms of implementation can be achieved with any DNS server software.
Split-Horizon DNS and DNSSEC
Split-horizon DNS is designed to provide different authoritative answers to an identical query and DNSSECDNSSEC
The Domain Name System Security Extensions is a suite of Internet Engineering Task Force specifications for securing certain kinds of information provided by the Domain Name System as used on Internet Protocol networks...
is used to ensure verity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations to properly combine these two DNS features.
See also
- Comparison of DNS server softwareComparison of DNS server softwareThis article presents a comparison of the features, platform support, and packaging of independent implementations of Domain Name System name server software.- Servers compared :...
- Split horizon route advertisement
- GeoIP