[dns-operations] A Deep Dive on the Recent Widespread DNS Hijacking Attacks

[Doug Barton]

On 2019-02-23 10:17 PM, Bill Woodcock wrote>
> We’re switching to split-horizon DNS, such that nothing else which requires authentication will be resolvable without first being on the VPN.

If you're going to go through that level of trouble, why not instead do 
it right, and put the sensitive hosts in their own zone, which is only 
visible on the internal resolvers?

"If split DNS is your answer, you're asking the wrong question."