Split-Horizon DNS

Split-Horizon DNS, or Split-Brain DNS, is a configuration where a DNS server provides different sets of DNS information based on the location or characteristics of the querying system. More specifically, the DNS server resolves the same domain name to different IP addresses depending on whether the request originates from within the internal network (intranet), or from the external internet.

Split-horizon DNS enhances security, boosts performance, and simplifies DNS management for improved network operations. UltraDDR administrators can define a list of domain names to internal resources names that should resolve locally instead of being sent externally.

  • The UltraDDR Agent Software for Windows or the UltraDDR Agent Software for macOS must be deployed for Split-Horizon DNS support.

Configuring Local Domains and Resolvers

The Local Domains feature allows you to define a list of internal domain names that should resolve locally—utilizing your defined Local Resolvers—instead of being sent externally. This prevents any external DNS resolution for your internal domains, keeping traffic local.

The Local Resolvers are the internal DNS resolvers that will be queried for any domains matching the Local Domains list. This is necessary as external resolvers cannot resolve internal domains/FQDNs. Local Resolvers should be configured with DNS servers in your internal network that can resolve your Local Domains.

To configure Local Domains:

  1. Within the UltraDDR portal (https://ddr.ultradns.com), navigate to the Settings ( icon) > UltraDDR Agent > Local Domains.

  2. Add your local domains to the Local Domains input field. Enter multiple domains by hitting the “enter” key between items.

  3. Click Save. Changes may take up to five minutes to synchronize to your agents.

To configure Local Resolvers:

  1. Within the UltraDDR portal (https://ddr.ultradns.com), navigate to the Settings ( icon) > UltraDDR Agent > Local Domains.

  2. Add the IP addresses of the internal DNS resolvers you intend to utilize as local resolvers to the Local Resolvers input field. Enter multiple IP addresses by hitting the “enter” key between items.

  3. Click Save. Changes may take up to five minutes to synchronize to your agents.

 

Note: RFC 1918 is permitted as it’s likely that your internal DNS resolvers are only reachable from a VPN or internal network connection. For more details, please refer to https://en.wikipedia.org/wiki/Private_network.

Configuring Local Network Test

Using the UltraDDR platform, users can instruct the UltraDDR Agent Software for Windows or macOS to perform a test that determines if the device is on your organization’s local network.

The test involves sending a DNS query to the Local Resolvers (defined in the Configuring Local Domains and Resolvers section) and verifying that the returned value equals the expected value. This test can be useful if a domain is used for both internal/intranet and external/internet purposes.

  • When this option is enabled and the test succeeds, the agent will perform domain resolution against the Local Resolvers for those domains in the Local Domains list.

  • Conversely, when this option is enabled and the test fails, the agent will bypass the Local Resolvers and resort to the standard (protective) recursion method via UltraDDR’s resolver network for the domains in the Local Domains list.

To configure the Local Network Test:

  1. Within the UltraDDR portal (https://ddr.ultradns.com), navigate to Settings ( icon) > UltraDDR Agent > Local Domains.

  2. Set the Test Query. This is domain for which the UltraDDR agents will attempt to query an “A record” from the Local Resolvers defined above, and if successful, verifies that the returned value equals the Test Value.

  3. Set the Test Value.

    • Ensure that you have created a resource record (of type “A”) on your Local Resolvers with the domain name of the record set to what you’ve set as the Test Query, and the value of the record set to what you’ve set as the Test Value.

  4. Click Save. Changes may take up to five minutes to synchronize to your agents.

 

Note: The Local Network Test is optional. If no network test is defined, the agents will always attempt to resolve domains in the Local Domains list against the Local Resolvers. However, if you define a Local Network Test, then agents will periodically attempt to resolve the Test Query domain against the Local Resolvers to determine if the endpoint is currently connected to the local network.