Jump to content

Split-horizon DNS

From Wikipedia, the free encyclopedia

Incomputer networking,split-horizon DNS(also known assplit-view DNS,split-brain DNS,orsplit DNS) is the facility of aDomain Name System(DNS) implementation to provide different sets of DNS information, usually selected by the source address of the DNS request.

This facility can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within anadministrative domain,e.g., company) and access from an unsecure, public network (e.g. theInternet).

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access toDNS zonerecords. The latter is a common feature of many server software implementations of the DNS protocol (cf.Comparison of DNS server software) and is sometimes the implied meaning of the termsplit-horizon DNS,since all other forms of implementation can be achieved with any DNS server software.

Rationale

[edit]

Split-horizon DNS can provide a mechanism for security and privacy management by logical or physical separation of DNS information for network-internal access (within anadministrative domain,e.g., company) and access from an unsecure, public network (e.g. theInternet).

One common use case for split-horizon DNS is when a server has both a private IP address on a local area network (not reachable from most of the Internet) and a public address, i.e. an address reachable across the Internet in general. By using split-horizon DNS the same name can lead to either the private IP address or the public one, depending on which client sends the query. This allows for critical local client machines to access a server directly through the local network, without the need to pass through a router. Passing through fewer network devices improves the network latency.

As an example, the DNS server could be configured to return two different sets of records for the hosthost1.example.netfor requestees internal and external to a corporate network. The internal response could look like: 

@ IN SOA ns.example.net admin.example.net. (
2010010101;serial
1D;refresh
1H;retry
1W;expire
3H );minimum
@ IN NS ns
ns IN A 203.0.113.2
host1 IN A 10.0.0.10

While the external response would be: 

@ IN SOA ns.example.net admin.example.net. (
2010010101;serial
1D;refresh
1H;retry
1W;expire
3H );minimum
@ IN NS ns
ns IN A 203.0.113.2
host1 IN A 203.0.113.10

Interaction with DNSSEC

[edit]

Split-horizon DNS is designed to provide different authoritative answers to an identical query andDNSSECis used to ensure veracity of data returned by the Domain Name System. These apparently conflicting goals create the potential for confusion or false security alerts in poorly constructed networks. Research has produced recommendations to properly combine these two DNS features.[1]

Implementations

[edit]

Implementation of split-horizon DNS can be accomplished with hardware-based separation or by software solutions. Hardware-based implementations run distinct DNS server devices for the desired access granularity within the networks involved. Software solutions use either multiple DNS server processes on the same hardware or special server software with the built-in capability of discriminating access toDNS zonerecords. The latter is a common feature of many server software implementations of the DNS protocol (cf.Comparison of DNS server software) and is sometimes the implied meaning of the termsplit-horizon DNS,since all other forms of implementation can be achieved with any DNS server software.

See also

[edit]

References

[edit]
  1. ^Split-View DNSSEC Operational Practices
[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=Split-horizon_DNS&oldid=1225522643"