Give us a call: (800) 252-6164

Split-Horizon DNS In 2024 – When Should You Use It?

March 29, 2023 | By David Selden-Treiman | Filed in: DNS.

The TL-DR

Split Horizon DNS is very useful for many situations where you need to separate visitors based on location. It’s usually used for internal vs external networks, but can also be used to separate using geographic location.

Introduction to Split-Horizon DNS

As a DNS administrator, you may have encountered situations where you needed to provide different DNS information to internal and external clients. Split-Horizon DNS is a technique designed to address this need.

In a Split-Horizon DNS setup, you maintain separate DNS servers or views for your internal and external clients. This allows you to present different DNS information to clients based on their location or network access, enhancing security and network performance.

Split-Horizon DNS is an alternative to more simple DNS configurations. In traditional setups, a single DNS server or zone is used to serve both internal and external clients. By implementing a Split-Horizon DNS setup, you can separate your internal and external DNS records, limiting exposure of sensitive information and providing additional security for your organization’s network.

In this article, we will explore whether or not Split-Horizon DNS is right for you by examining the components, advantages, use cases, and best practices for implementing Split-Horizon DNS.

Components of Split-Horizon DNS

To implement a Split-Horizon DNS setup, you’ll need to understand the two main components involved: internal DNS servers and external DNS servers.

Internal DNS Server

The internal DNS server serves clients within your organization’s network. Its primary purpose is to provide DNS records for internal resources, such as intranet websites, internal mail servers, or other private services.

These records should only be accessible to your internal clients, as exposing them to the outside world may pose a security risk. In most cases, the internal DNS server will store records like A, AAAA, CNAME, MX, and SRV records, but only for internal resources.

External DNS Server

The external DNS server, on the other hand, serves clients outside your organization’s network. It provides DNS records for publicly accessible resources, like your company’s website or public-facing email servers.

The external DNS server should not store or provide any information about your internal resources, ensuring that sensitive data remains secure. Similarly to the internal DNS server, the external DNS server will store records like A, AAAA, CNAME, MX, and SRV records, but only for externally accessible resources.

DNS Views

In some cases, you may prefer to use a single DNS server with DNS views to achieve a Split-Horizon DNS setup. DNS views allow you to create separate configurations within a single DNS server. This will present different information to clients based on criteria like their IP address or network access.

BIND, a widely-used DNS server software (that we use here at Potent Pages), supports the use of views, making it a popular choice for implementing Split-Horizon DNS. With DNS views, you can manage your internal and external DNS records within a single DNS server, streamlining the management process while still maintaining the benefits of a Split-Horizon DNS configuration.

To implement DNS views in BIND, you’ll need to define the “match-clients” and “match-destinations” options within your named.conf file. These options allow you to specify which clients or destination IP addresses should receive which view. Typically, you’ll create an “internal” view for your internal clients and an “external” view for your external clients, each containing the appropriate zone files and DNS records.

Setting Up Split-Horizon DNS

Implementing a Split-Horizon DNS configuration requires a solid understanding of DNS fundamentals and some specific configuration steps. We will assume you already have BIND installed on your server. If not,

sudo apt install bind

will get you started if you’re using an Ubuntu server.

Configuration Steps

To set up Split-Horizon DNS, follow these essential configuration steps:

Defining internal and external zones

Create separate zone files for your internal and external DNS records. For example, you might have a zone file for your internal domain (e.g., “internal.example.com”) and another for your external domain (e.g., “example.com”). This separation ensures that only the appropriate records are accessible to internal and external clients.

Configuring DNS views

f you’re using a single DNS server with DNS views, such as BIND, configure your views to serve the correct zone files to the appropriate clients. You’ll need to define “match-clients” and “match-destinations” options in your server’s configuration file, specifying which clients or destination IP addresses should receive which view. This configuration will typically involve creating an “internal” view for your internal clients and an “external” view for your external clients.

Sample Match-Clients Configuration

Here’s an example BIND named.conf file configuration for an external and internal network based on an match-clients setup:

acl internal-networks {
    192.168.1.0/24;
    10.0.0.0/8;
};

acl external-networks {
    !192.168.1.0/24;
    !10.0.0.0/8;
    any;
};

view "internal" {
    match-clients { internal-networks; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };

    // Include other internal zones
};

view "external" {
    match-clients { external-networks; };
    recursion no;

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };

    // Include other external zones
};

In this example, we define two ACLs (internal-networks and external-networks) to specify the IP address ranges for internal and external clients. We then create two views, “internal” and “external”, and use the match-clients directive to associate each view with the appropriate ACL. The “internal” view serves the “db.example.com.internal” zone file, while the “external” view serves the “db.example.com.external” zone file.

Sample Match-Destinations Configuration

In a BIND configuration, the match-destinations option is not commonly used for implementing Split-Horizon DNS. Instead, the match-clients option is typically used to match source IP addresses of the clients, as shown in the previous example.

However, if you want to use match-destinations to configure Split-Horizon DNS based on the destination IP address of the queries, you can follow the example below. In this example, we assume that your DNS server has two IP addresses: one for internal clients and one for external clients.

acl internal-networks {
    192.168.1.0/24;
    10.0.0.0/8;
};

acl external-networks {
    any;
};

view "internal" {
    match-destinations { 192.168.1.2; }; // DNS server's internal IP address
    match-clients { internal-networks; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.internal";
    };

    // Include other internal zones
};

view "external" {
    match-destinations { 203.0.113.2; }; // DNS server's external IP address
    match-clients { external-networks; };
    recursion no;
    
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com.external";
    };
};

In this example, we define two ACLs (`internal-networks` and `external-networks`) to specify the IP address ranges for internal and external clients. We then create two views, “internal” and “external”, and use the `match-destinations` directive to associate each view with the appropriate destination IP address of the queries.

The “internal” view serves the “db.example.com.internal” zone file, while the “external” view serves the “db.example.com.external” zone file.

Please note that using `match-destinations` in this manner can lead to potential issues if your DNS server has multiple IP addresses or if the IP addresses change. It is generally recommended to use `match-clients` for implementing Split-Horizon DNS configurations.

Testing and Validating the Configuration

Once you have completed the configuration, it’s essential to test and validate the setup:

Verifying Zone Files

Check your zone files for any syntax errors or incorrect records. Tools like named-checkzone can help you with this task. The command

named-checkconf /etc/named.conf

should return nothing (e.g. no errors).

Using Tools Like dig and nslookup

Perform DNS queries using command-line tools such as dig and nslookup to ensure that your internal and external clients receive the correct DNS records. Test from both your internal and external networks to confirm that the Split-Horizon DNS configuration is working as expected. Running a command like

dig -t A example.com

from your internal zone should give your your internal IP address for your domain, and running this command from an external IP address should give the public IP address.

Troubleshooting Common Issues

If you encounter any issues during the setup or testing process, consider these common problem areas:

DNS Propagation Delays

Keep in mind that DNS record changes can take time to propagate. Allow sufficient time for changes to take effect before testing or troubleshooting.

Incorrectly Configured DNS Views

Double-check your view configurations, ensuring that the “match-clients” and “match-destinations” options are correctly defined. Misconfigurations can lead to clients receiving the wrong DNS records or experiencing issues resolving domain names.

Split-Horizon DNS Best Practices

To get the most out of your Split-Horizon DNS configuration and ensure it remains secure and efficient, follow these best practices:

Security Considerations

Implementing DNSSEC

Enhance your DNS security by implementing Domain Name System Security Extensions (DNSSEC). This adds an extra layer of security by cryptographically signing your DNS records, helping to protect against spoofing and cache poisoning attacks.

Regularly Updating Server Software

Keep your DNS server software up-to-date to ensure you’re protected against any newly discovered security vulnerabilities.

Monitoring for Suspicious Activity

Regularly monitor your DNS server logs for any unusual activity or signs of an attack. Prompt detection and response can help mitigate the potential impact of security breaches.

Performance Optimizations

Utilizing Caching Mechanisms

Implement caching on your DNS servers to improve response times and reduce the load on your servers. Caching stores frequently-requested records locally, reducing the need for recursive queries and speeding up the resolution process.

Balancing Load Between DNS Servers

Distribute DNS query loads evenly between your internal and external servers to prevent overloading and maintain optimal performance. Consider implementing load-balancing solutions or Anycast DNS to achieve this.

Maintainability and Scalability

Utilizing Automation Tools

Employ automation tools to manage and update your DNS records more efficiently. This can help reduce human error and save time on routine tasks.

Implementing Version Control for Zone Files

Use version control systems like Git to track changes to your zone files, allowing you to roll back to previous versions if needed. This can help ensure consistency and prevent issues caused by accidental misconfigurations.

By following these best practices, you can ensure that your Split-Horizon DNS configuration remains secure, efficient, and easy to manage, providing a reliable and high-performing solution for your organization.

Limitations and Alternatives to Split-Horizon DNS

While Split-Horizon DNS offers many benefits, it’s essential to be aware of its limitations and potential alternatives.

Potential Drawbacks

Increased Complexity and Maintenance

Split-Horizon DNS can add complexity to your DNS setup, potentially requiring additional maintenance and management. This can be particularly challenging for smaller organizations with limited IT resources.

Possible Single Point of Failure

If you’re using a single DNS server with views, it can become a single point of failure. To mitigate this risk, consider implementing redundant DNS servers or using Anycast DNS.

Alternative Solutions

GeoDNS

GeoDNS is a DNS-based load balancing solution that directs clients to the nearest server based on their geographic location. This can help improve network performance and response times, without the complexity of a Split-Horizon DNS configuration.

Anycast DNS

Anycast DNS distributes DNS queries to multiple servers based on network proximity, helping to balance load and improve performance. This solution can also provide additional redundancy and fault tolerance.

Conclusion

Split-Horizon DNS can be a valuable tool for enhancing security and optimizing network performance for organizations with specific needs. By understanding the components, advantages, and use cases, as well as following best practices, you can determine if Split-Horizon DNS is the right solution for your organization.

Keep in mind the potential limitations and explore alternative solutions if necessary. Remember, continuing to learn and expand your knowledge of DNS and network management will help you make the best decisions for your organization’s unique requirements.

By staying informed and proactive, you can ensure a secure, efficient, and reliable network for both your internal and external clients.

David Selden-Treiman, Director of Operations at Potent Pages.

David Selden-Treiman is Director of Operations and a project manager at Potent Pages. He specializes in custom web crawler development, website optimization, server management, web application development, and custom programming. Working at Potent Pages since 2012 and programming since 2003, David has extensive expertise solving problems using programming for dozens of clients. He also has extensive experience managing and optimizing servers, managing dozens of servers for both Potent Pages and other clients.


Tags:

Comments are closed here.

What Is The Best Web Hosting Provider?

Finding the best web hosting provider for your needs is an important step in optimizing your website. There's a lot to consider. Here are our basic recommendations:

Simple Websites

For simple websites, you have a lot of options. Most web hosts will do acceptably for a simple small-business website or blog.

That said, we recommend avoiding website builders so that you maintain control of your website.

VPS Hosting

If you just need a simple VPS, most providers will work well. Different providers have different downtimes, but the big differentiators are cost.

Providers like AWS and Google Cloud tend to be much more expensive than more specialized providers.

We recommend Digital Ocean and Hetzner if you're looking for a good VPS provider at a good price (it's what we use.)

High Performance Hosting

If you're looking for high performance web hosting, you're going to need something more specialized.

You can't just expect a simple cPanel host to give you what you'll need. You need a custom configuration.

Generally, you'll need either a managed host, or you'll need to get your servers configured with custom configurations.

If you're looking for a high performance hosting provider, we offer hosting designed for high-availability and high-traffic.

WordPress Hosting

What WordPress Hosting Should You Get?

There are many considerations when getting a WordPress hosting provider. Focus on the performance needs of your website.

WordPress Hosting Setup

When setting up your WordPress hosting, or switching hosts, there are a number of steps to complete. These include:

WordPress & Security

There are a number of WordPress security threats to contend with. We recommend using a plugin like WordFence to help secure your site.

WordPress Backups

Make sure to also back-up your site. It's absolutely essential, and ideally use an off-site backup provider that's different from your hosting provider.

WordPress Speed Improvements

There are a number of ways to improve the speed of your WordPress site on its hosting.

There are a number of plugins that can help improve your site's speed.

DNS

DNS Records

There are many different types of records, each with their own purpose. These include: SOA, A, TXT, CNAME, PTR (reverse DNS), and more. On some servers, you can also set up wildcard records.

The records you need will depend on what you're doing; WordPress sites require different records than mail servers, for example.

Propagation

The process of your records transmitting to DNS servers around the world is called propagation. It normally takes 48 hours, but you can speed it up a bit with some planning.

Testing

To test your DNS records, there are 2 main tools: dig and nslookup. Each is very helpful in its own specialty.

Reliability & Security

There are a number of ways to improve your DNS reliability and security.

  • Split Horizon allows you to separate networks, either for intranets or for separating by geographic region.
  • GeoDNS allows you to give different records to different locations based on the requesting IP address. This allows you to create your own CDN, speeding up your site.
  • DNS over QUIC speeds up your DNS requests and gives you better DNS security by encrypting your DNS connection.
  • DNSSEC allows you to sign and encrypt your DNS connection, ensuring that nobody is changing your records.
  • DNS over HTTPS allows your visitors to request your DNS records over an encrypted connection.

Internationalized Domains

Internationalized domain names allow character encodings other than Latin characters. They have their own methods for backward compatibility.

Scroll To Top