Split Horizon DNS: Internal and External Views

Return different IP addresses based on the origin of the DNS query.

Split horizon DNS (or split-brain DNS) is a technique where the DNS server returns different responses depending on where the query comes from. Typically, internal queries (from the LAN) receive private IP addresses while external queries receive public IP addresses. This optimizes routing, avoids NAT hairpinning, and can help protect access to internal resources. It is a common configuration, but it complicates monitoring and troubleshooting.

Symptoms of Split Horizon Problems

  • A service works internally but not externally (or vice versa)
  • The IP returned by dig varies based on the network you test from
  • External monitoring tests don't match internal experience
  • SSL/TLS certificates report a hostname mismatch

Split Horizon Use Cases

  • Intranet access: intranet.company.com returns 10.0.1.50 internally and doesn't exist (or redirects) externally.
  • NAT optimization: Avoids NAT hairpinning, where internal traffic would leave through the Internet only to come back in.
  • Security: Hides internal topology from external queries while allowing named access internally.

Split Horizon Diagnosis

  1. Test from the internal network: dig @internal-dns-server example.com to see the internal response.
  2. Test from the outside: dig @8.8.8.8 example.com to see the public response.
  3. Compare both results and verify they match expected configuration.
  4. Document which domains use split horizon and what responses are expected.

Multi-View Monitoring

MoniTao can monitor both sides of your split horizon:

  • Monitoring from Internet to validate external view
  • Configuration of internal monitors for private view
  • Alert if a view returns an unexpected response

Split Horizon Best Practices

  • Clearly document what response is expected for each view
  • Use explicit subdomains when possible (internal.example.com)
  • Ensure SSL certificates cover both access cases
  • Regularly test both views to detect configuration drifts
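The diagnosis steps (compare the internal and external answers against the expected configuration) and the best practices above (document the expected response per view, make sure the certificate covers both access cases) can be turned into a repeatable check. The script below is an added example, not MoniTao's code: the hostnames, the expectation table and the observed answers are constructed, standing in for what the two dig steps would return, and the certificate SAN list is likewise a constructed sample.

```python
"""Compare split-horizon DNS answers with the documented expectation per view.

Added example for this page; not MoniTao's code. The hostnames, the expected
table and the observed answers are constructed, standing in for what the
`dig @internal-dns-server NAME` and `dig @8.8.8.8 NAME` steps would return.
"""
import ipaddress
from typing import Dict, List

# Address ranges a split-horizon internal view is expected to hand out:
# RFC 1918 (IPv4) and RFC 4193 unique local addresses (IPv6).
PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed inventory: for each name, what kind of answer each view must give.
# "private" = RFC 1918/ULA, "public" = anything else, "nxdomain" = must not resolve.
EXPECTED: Dict[str, Dict[str, str]] = {
    "www.example.com": {"internal": "private", "external": "public"},
    "intranet.example.com": {"internal": "private", "external": "nxdomain"},
}

# Constructed measurements as the two dig steps would collect them.
# intranet.example.com resolving externally is the configuration drift to catch.
OBSERVED: Dict[str, Dict[str, List[str]]] = {
    "www.example.com": {"internal": ["10.0.1.50"], "external": ["203.0.113.10"]},
    "intranet.example.com": {"internal": ["10.0.1.51"], "external": ["203.0.113.11"]},
}


def classify(answers: List[str]) -> str:
    """Classify a set of A/AAAA answers: nxdomain, private, public or mixed."""
    if not answers:
        return "nxdomain"
    kinds = set()
    for text in answers:
        ip = ipaddress.ip_address(text)
        kinds.add("private" if any(ip in net for net in PRIVATE_NETS) else "public")
    return kinds.pop() if len(kinds) == 1 else "mixed"


def check_views(hostname: str, observed: Dict[str, List[str]],
                expected: Dict[str, Dict[str, str]] = EXPECTED) -> List[str]:
    """Return one finding per view whose answer kind differs from the inventory."""
    want = expected.get(hostname)
    if want is None:
        return [f"{hostname}: not in the split-horizon inventory; document it"]
    findings = []
    for view, kind in want.items():
        answers = observed.get(view)
        if answers is None:
            findings.append(f"{hostname}/{view}: no measurement collected")
            continue
        got = classify(answers)
        if got != kind:
            shown = ", ".join(answers) or "no answer"
            findings.append(f"{hostname}/{view}: expected {kind}, got {got} ({shown})")
    return findings


def _san_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate SAN entry; a wildcard covers exactly one left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        if not hostname.endswith(suffix):
            return False
        head = hostname[: -len(suffix)]
        return bool(head) and "." not in head
    return pattern == hostname


def uncovered_names(san_names: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames reached in any view that the certificate's SAN list does not cover."""
    return [h for h in hostnames if not any(_san_matches(p, h) for p in san_names)]


def run_report(expected=EXPECTED, observed=OBSERVED, san_names=None) -> List[str]:
    """Run both checks over the whole inventory and return all findings."""
    findings: List[str] = []
    for hostname in expected:
        findings.extend(check_views(hostname, observed.get(hostname, {}), expected))
    if san_names is not None:
        for name in uncovered_names(san_names, list(expected)):
            findings.append(f"{name}: not covered by certificate SANs {san_names}")
    return findings


if __name__ == "__main__":
    # Constructed certificate that only names the public hostname.
    for line in run_report(san_names=["www.example.com"]):
        print("ALERT", line)
```

Run as-is, it reports two drifts from the constructed data: intranet.example.com resolves to a public address in the external view although the inventory says it must not resolve there, and the same name is missing from the certificate. Feeding it the real answers collected by each monitor turns the "alert if a view returns an unexpected response" item into something that runs on a schedule; the private/public split is deliberately defined by RFC 1918 and ULA ranges rather than a library's broader notion of "private", because that is what an internal view is expected to hand out.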

FAQ - Split Horizon DNS

Is split horizon a security flaw?

No, it is a legitimate segmentation technique, but a misconfiguration can expose internal information.

How to configure split horizon?

With BIND, use "views". With cloud DNS, create private zones. Details depend on your stack.

Does CDN work with split horizon?

Yes, but configure the CDN to use the public IP. Internal queries can bypass the CDN if desired.

How to monitor both views?

Configure MoniTao monitors from IPs in each network, or use an internal agent for the private view.