1.1 Use a Split-Horizon Architecture


Running a Split-Horizon DNS architecture refers to running authoritative DNS servers and services for external DNS queries separate from the internal authoritative DNS servers, which answer all queries originating from within the organization. The external servers are configured to provide only a limited amount of information for the services needed for communication with external clients and services. Typically, the information published in the externally available DNS is the minimal needed for the Internet services such as email, web and gateway systems such as VPNs. The separate internal DNS service typically provides a richer information set typically needed by internal clients. Likewise, names servers should physically and logically separated fit only one of the benchmark profiles, and not both:

Authoritative Name Server

Caching Only Name Server


The three goals of Split-Horizon are to:

Minimize the amount and type of externally available information.

Physical and logical separation of external and internal DNS services.

Servers roles are either an Authoritative Name Server, or a Caching Recursive Resolver, but not both.

Separating the external and internal DNS servers in this manner adheres to a defense-in-depth approach that limits the potential damage and impact should the external name server be compromised, since it does not service internal clients, nor does it have information on the internal systems and services.

BIND 9 Views can be used to provide different responses based on the source IP address, and have been suggested by some as a means to implement split-horizon without having to separate the internal and external servers. However, the usage of views without separating the servers does not accomplish the second goal. In addition, the usage of views often erroneously assumes that source IP addresses are a reliable security control and cannot be spoofed. Therefore, it is necessary that the internal DNS server be located internally in a way that firewalls and other network controls will ensure external malicious queries will not reach the internal server.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.


Perform the following for remediation:
Implement Split-Horizon Architecture to separate external and internal DNS services. The external DNS servers should respond only to names of approved external services, such as web, email and VPN services.

Default Value:

Not Applicable

See Also


Item Details


References: 800-53|SC-7, CSCv6|12, CSCv7|12

Plugin: Unix

Control ID: 27f64ff7805495a4b6c81ad6d954da2bbad52233fcab985b6fa2e59f6d7c5eee