What is the proper way to delegate to a private / hidden sub-domain?

John Levine johnl at iecc.com
Wed May 6 21:38:56 UTC 2020

In article <mailman.364.1588797009.942.bind-users at lists.isc.org> you write:
>> This really seems like ordinary split horizon DNS.
>Please explain what you mean by "split horizon DNS" like I'm a n00b, 
>because obviously my understanding of it differs from what your 
>understanding seems to be.

The DNS server sends different answers depending on the client IP, so
on your internal network it sees the private subdomain, everywhere
else sees a ENT or NXDOMAIN.

If you really have to use physically separate servers for reasons that
you can't explain, I suppose putting the two servers at the same IP
addresss facing different networks could work, although you're asking
for trouble with route leaks anytime someone adjusts a router anywhere
near one or the other.  Remember that with normal anycast all of the
mirrors send identical or at least equivalent answers so the routes
are not a security issue.

John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

More information about the bind-users mailing list