Support Library
Split-Brain DNS / Split Horizon
Short Description
Split-horizon DNS serves different answers internally and externally for the same name.
Why This Matters
Configuration drift can leak internal records or misroute users across trust boundaries.
How It Happens
Separate DNS views are applied by client source, forwarding policy, or enterprise conditional resolvers.
How to Detect It
Query from internal and public resolvers and compare answer sets for the same hostname.
How to Fix It
Document intended views, audit ACL/policy rules, and monitor both internal and external resolution paths.
Real-World Example
A forwarding misconfiguration exposed internal hostnames to public clients during a network change.
Related Checks in DNS Panopticon
Resolver-path comparison and private-address exposure findings.
How DNS Panopticon Detects This
- Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
- Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
- Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
- Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.
Operator Checklist
- Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
- Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
- Document the root cause and the final fix in your runbook to shorten future incidents.
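The comparison described under "How to Detect It" and the multi-resolver verification in the Operator Checklist can be automated. The script below is an added example, not DNS Panopticon's own code: it takes the answer set each resolver returned for one hostname, reports public resolvers that disagree with each other, flags internal address space (RFC 1918, loopback, link-local, RFC 6598 and their IPv6 counterparts) appearing in a public answer, and records the internal-versus-public difference that a split view is supposed to produce so later drift is visible. The resolver labels, the hostname and the answers are constructed sample data; `query_with_dig()` is the live path and assumes `dig` is installed.

```python
"""Compare DNS answer sets for one hostname across internal and public resolvers.

Added example for the split-horizon page (not DNS Panopticon code). The check
logic works on answer sets already in hand, so it runs offline on the
constructed sample at the bottom; query_with_dig() assumes `dig` is installed.
"""
import ipaddress
import subprocess
from typing import Dict, Iterable, List, Set, Tuple

# Address space that should never appear in an answer served to the public view:
# RFC 1918, loopback, link-local, shared address space (RFC 6598), IPv6 equivalents.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "fc00::/7", "fe80::/10", "::1/128",
)]

Finding = Tuple[str, str]  # (severity, message)


def parse_dig_short(output: str) -> Set[str]:
    """Turn `dig +short` output into a set of answers (trailing dots stripped)."""
    return {line.strip().rstrip(".") for line in output.splitlines() if line.strip()}


def query_with_dig(resolver: str, name: str, rrtype: str = "A") -> Set[str]:
    """Live path: ask one resolver directly. Assumes `dig` is on PATH."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", name, rrtype],
                         capture_output=True, text=True, timeout=10, check=True).stdout
    return parse_dig_short(out)


def internal_addresses(answers: Iterable[str]) -> Set[str]:
    """Return the answers that fall inside INTERNAL_RANGES; non-address answers are ignored."""
    hits: Set[str] = set()
    for answer in answers:
        try:
            ip = ipaddress.ip_address(answer)
        except ValueError:
            continue  # CNAME target or other non-address answer
        if any(ip in net for net in INTERNAL_RANGES):  # version mismatch yields False
            hits.add(answer)
    return hits


def compare_views(name: str, views: Dict[str, Set[str]], internal: Set[str]) -> List[Finding]:
    """views maps a resolver label to its answer set; internal holds the labels of
    resolvers inside your own network. An empty result means the public resolvers
    agree, no internal address leaks, and the internal view matches the public one."""
    findings: List[Finding] = []
    public = sorted(label for label in views if label not in internal)
    inside = sorted(label for label in views if label in internal)

    # 1. Public resolvers should agree with each other; disagreement points to a
    #    stale cache, a broken delegation or a view applied to the wrong clients.
    for label in public[1:]:
        if views[label] != views[public[0]]:
            findings.append(("medium", f"{name}: public resolvers {public[0]} and {label} disagree: "
                                       f"{sorted(views[public[0]])} vs {sorted(views[label])}"))

    # 2. Internal address space in a public answer is a leaked internal record.
    for label in public:
        leaked = internal_addresses(views[label])
        if leaked:
            findings.append(("high", f"{name}: public resolver {label} returns internal "
                                     f"address(es) {sorted(leaked)}"))

    # 3. Internal and public views differing is the intended split; record it so
    #    the before/after comparison in the checklist has a baseline.
    if public:
        for label in inside:
            if views[label] != views[public[0]]:
                findings.append(("info", f"{name}: split view: {label} -> {sorted(views[label])}, "
                                         f"{public[0]} -> {sorted(views[public[0]])}"))
    return findings


# Constructed sample: what `dig +short` might print from three resolvers during the
# kind of forwarding mistake the page describes (one public resolver was forwarded
# to the internal view). 198.51.100.0/24 is documentation space standing in for a
# public address.
SAMPLE_NAME = "intranet.example.com"
SAMPLE_VIEWS = {
    "internal-resolver": parse_dig_short("10.20.30.40\n"),
    "public-resolver-a": parse_dig_short("198.51.100.20\n"),
    "public-resolver-b": parse_dig_short("198.51.100.20\n10.20.30.40\n"),
}
SAMPLE_INTERNAL = {"internal-resolver"}

if __name__ == "__main__":
    for severity, message in compare_views(SAMPLE_NAME, SAMPLE_VIEWS, SAMPLE_INTERNAL):
        print(f"[{severity}] {message}")
```

Run it once before a change and once after TTLs have expired, with the live answers from `query_with_dig()` substituted for the sample; the "info" finding is the expected split, while any "high" or "medium" finding is the leak or drift the page warns about.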