Internal servers should be reachable via an internal name; the same domain must resolve differently externally
Split-horizon (split-brain) DNS returns different answers depending on the source of the query. It is the classic setup for on-prem servers on private IPs that should only be reachable externally via VPN.
Try this first
1. First decide whether split-horizon is truly needed. For fully cloud setups a single public DNS zone is usually simpler and safer.
2. Keep zone names identical (vectel.nl internal and external) but let an internal resolver (Active Directory DNS, Pi-hole, Unbound) override specific records.
3. Avoid different values for public records (MX, SPF, TXT). Keep them identical, otherwise mail and API tests from inside break.
4. Document which records differ internally, because anyone troubleshooting without that knowledge gets lost.
5. Test from both inside and outside regularly with dig or nslookup. A single DHCP change that bypasses the internal resolver breaks the whole setup.
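
The inside/outside test from steps 3 to 5 as a script (an added example, not from the original page). The resolver addresses, the hostnames under vectel.nl and the override list are assumed placeholders; run it from a machine on the internal network.

```shell
#!/bin/sh
# Added example. Resolver addresses and hostnames are assumed placeholders.
INTERNAL_RESOLVER="${INTERNAL_RESOLVER:-192.0.2.53}"   # assumed internal resolver
EXTERNAL_RESOLVER="${EXTERNAL_RESOLVER:-9.9.9.9}"      # any public resolver

# Step 4: records documented as intentionally different inside ("name type").
DOCUMENTED_OVERRIDES="intranet.vectel.nl A
files.vectel.nl A"

# Query one resolver; sorting makes answer sets comparable regardless of order.
lookup() {  # lookup <resolver> <name> <type>
    dig +short +time=2 +tries=1 "@$1" "$2" "$3" | sort | tr '\n' ' '
}

# Compare both views of one record and print a verdict.
classify() {  # classify <name> <type> <internal_answer> <external_answer>
    if [ -z "$3$4" ]; then echo NO_ANSWER; return; fi   # both empty: lookup failed
    if [ "$3" = "$4" ]; then echo OK; return; fi
    case "$2" in
        MX|TXT) echo PUBLIC_MISMATCH; return ;;   # step 3: must match (SPF is TXT)
    esac
    if printf '%s\n' "$DOCUMENTED_OVERRIDES" | grep -qxF "$1 $2"; then
        echo EXPECTED_SPLIT
    else
        echo UNDOCUMENTED_SPLIT
    fi
}

# Step 5: read "name type" lines on stdin; non-zero exit if anything is off.
check_all() {
    status=0
    while read -r name type; do
        [ -n "$name" ] || continue
        inside=$(lookup "$INTERNAL_RESOLVER" "$name" "$type")
        outside=$(lookup "$EXTERNAL_RESOLVER" "$name" "$type")
        verdict=$(classify "$name" "$type" "$inside" "$outside")
        printf '%-22s %-4s %s\n' "$name" "$type" "$verdict"
        [ "$verdict" = OK ] || [ "$verdict" = EXPECTED_SPLIT ] || status=1
    done
    return "$status"
}

# Run with: sh split_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all <<EOF
vectel.nl MX
vectel.nl TXT
intranet.vectel.nl A
EOF
fi
```
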
When to bring us in
If you have a hybrid setup where internal and external diverge and mail delivery acts up, we can redesign the DNS architecture.
See also
- Domain expires tomorrow and nobody saw the email: An expired domain doesn't transfer instantly. There's a redemption window, but you pay extra.
- Unsure whether to enable auto-renew: Disabling auto-renew only makes sense for domains you'll truly drop. For anything live, just keep it on.
- New registrar asks for auth code, can't find it: EPP code or transfer code is the password to move a domain from registrar A to B.