Split-horizon DNS
   HOME

TheInfoList



Click Here for Items Related To - Split-horizon DNS
OR:
Split-horizon DNS on:   [Wikipedia]   [Google]   [Amazon]

In
computer networking A computer network is a set of computers sharing resources located on or provided by network nodes. The computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are ma ...
, split-horizon DNS (also known as split-view DNS, split-brain DNS, or split DNS) is the facility of a
Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to ...
(DNS) implementation to provide different sets of DNS information, usually selected by the source address of the DNS request. This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an
administrative domain An administrative domain is a service provider holding a security repository permitting to easily authenticate and authorize clients with credentials. This particularly applies to computer network security. This concept is captured by the 'AdminD ...
, e.g., company) and access from an unsecure, public network (e.g. the
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
). Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to
DNS zone A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which is managed by a specific organization or administrator. A DNS zone is an administrative space that allows for more granular control of the DNS componen ...
records. The latter is a common feature of many server software implementations of the DNS protocol (cf.
Comparison of DNS server software This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software. Servers compared Each of these DNS servers is an independent implementat ...
) and is sometimes the implied meaning of the term ''split-horizon DNS'', since all other forms of implementation can be achieved with any DNS server software.


Rationale

Split-horizon DNS can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within an
administrative domain An administrative domain is a service provider holding a security repository permitting to easily authenticate and authorize clients with credentials. This particularly applies to computer network security. This concept is captured by the 'AdminD ...
, e.g., company) and access from an unsecure, public network (e.g. the
Internet The Internet (or internet) is the global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to communicate between networks and devices. It is a '' network of networks'' that consists of private, pub ...
). One common use case for split-horizon DNS is when a server has both a private IP address on a local area network (not reachable from most of the Internet) and a public address, i.e. an address reachable across the Internet in general. By using split-horizon DNS the same name can lead to either the private IP address or the public one, depending on which client sends the query. This allows for critical local client machines to access a server directly through the local network, without the need to pass through a router. Passing through fewer network devices improves the network latency. As an example, the DNS server could be configured to return two different sets of records for the host ''host1.example.net'' for requestees internal and external to a corporate network. The internal response could look like: @ IN SOA ns.example.net admin.example.net. ( 2010010101 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS ns ns IN A 203.0.113.2 host1 IN A 10.0.0.10 While the external response would be: @ IN SOA ns.example.net admin.example.net. ( 2010010101 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS ns ns IN A 203.0.113.2 host1 IN A 203.0.113.10


Interaction with DNSSEC

Split-horizon DNS is designed to provide different authoritative answers to an identical query and
DNSSEC The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol ...
is used to ensure veracity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations to properly combine these two DNS features.Split-View DNSSEC Operational Practices
/ref>


Implementations

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access to
DNS zone A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which is managed by a specific organization or administrator. A DNS zone is an administrative space that allows for more granular control of the DNS componen ...
records. The latter is a common feature of many server software implementations of the DNS protocol (cf.
Comparison of DNS server software This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software. Servers compared Each of these DNS servers is an independent implementat ...
) and is sometimes the implied meaning of the term ''split-horizon DNS'', since all other forms of implementation can be achieved with any DNS server software.


See also

*
Comparison of DNS server software This article presents a comparison of the features, platform support, and packaging of many independent implementations of Domain Name System (DNS) name server software. Servers compared Each of these DNS servers is an independent implementat ...
*
Split horizon route advertisement In computer networking, split-horizon route advertisement is a method of preventing routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned. The concep ...


References

{{reflist


External links


Providing "split horizon" DNS service

BIND 9 Configure Views To Partition External and Internal DNS Information

Providing "split horizon" DNS service on OS X Server systems
(as of OS X Server version 10.6.2)
Detailed How-to on DNS Views on Bind 9
Domain Name System