Desculpe, o conteúdo desta página não está disponível no idioma escolhido.
Início Split DNS

Split DNS

(also split domain name system, split-horizon DNS, split-view DNS)

What is split DNS?

Split DNS is a network configuration that gives internal and external users different DNS answers for the same domain. Inside a private network, users receive DNS records that point to internal systems and services. Outside the network, public users only see the DNS information meant to be accessible on the internet. This setup — also known as split-view DNS, split-brain DNS, or Mirage — helps keep internal IP addresses private while allowing organizations to manage both internal and external services under the same domain.

See also: DNS query, DNS filtering, DNS cache, DNS resolution, DNS sinkhole, DNS

How does split DNS work?

Split DNS operates by assigning different DNS servers — or different DNS zone files — to separate parts of a network:

  • Internal users (for example, employees) receive DNS records pointing to private servers, internal applications, or intranet pages.
  • External users (anyone connected through the public internet) receive DNS records meant for public websites or services.

Split DNS is often used with a VPN, where remote employees connect to internal DNS servers through a secure tunnel. This allows them to access internal resources the same way they would inside the office

Benefits of split DNS

  • Remote access to internal resources. Hides your network by preventing external users from accessing internal services. In a network with distant and local users, you can configure internal-only DNS domains for servers, resources, and apps. This enables you to control your own DNS records, so internal-facing apps are only accessible from your company network.
  • Improved network latency. Directs queries to the appropriate server. Your employees' requests for YouTube, Facebook, or GitHub won't burden your internal DNS server with a split DNS arrangement. Your internal DNS server can go down without affecting anything.
  • Improved obscurity. By setting up a split DNS configuration, you can hide DNS answers for the domains you choose. This helps with splitting internal and external queries by assigning internal IP addresses to internal-facing services.
  • Enhanced security. Internal IP addresses and sensitive infrastructure details are hidden from the public internet, reducing the risk of reconnaissance and targeted attacks.

Are there any limitations of split DNS?

  • Manually keeping both DNS servers up to date with publicly available resources. While dynamic DNS would be convenient for a public DNS server, the security risks aren't worth it.
  • Zone transfers are not possible because both servers host the principal zone for “yourcompany.com.” A transfer is only made possible to another secondary zone of the same domain name.

Example of split DNS

A university manages the domain campusportal.edu for both public services and internal academic systems.

  • External users
    When visitors look up campusportal.edu, public DNS records direct them to the university’s main website hosted on a public server.
  • On-campus users
    Students and staff connected to the campus network receive different DNS records for certain hostnames. For example, research.campusportal.edu may resolve to a private IP like 172.22.14.9, which hosts internal research tools not available to the public.
  • Remote access
    Faculty members working from home connect through the university’s VPN, which routes their DNS queries to the internal DNS resolver. This lets them reach research.campusportal.edu or other internal resources just as they would inside campus buildings.