Combining public and private DNS records


My client has the following use case…

Their website is hosted on their server and they want to move it to our hosting where we will use Cloudflare for caching and CDN. They have their own DNS servers and have some internal DNS records which (for security reasons) must not be visible outside their private network, but are needed by their internal IT systems.

Is it possible (and how) to achieve a setup where:

  • their public DNS records are served by Cloudflare both to the public and to the PCs in the client’s private network (which is, afaik, a requirement for CF CDN to work)
  • their private internal records are served by the client’s DNS system only to the PCs in the client’s private network


I’ve searched the forum, but found no topic about this specific case. Any help is appreciated.


This is a common setup. Several ways to do it. I suspect the easiest for you is to set up the public DNS as normal, and use a CNAME setup on your internal DNS for the public facing addresses. For example:

In Cloudflare: www IN A :orange:

In private: www IN CNAME

Would that work for you?

The main drawback of this setup is that DNSSEC is scarier to turn on in split horizon, unless you know you can strictly control the boundary between the two.

Just as an aside, is there any reputable source or recommendation that having an attacker know the IP address is a serious (business threatening) issue? If the attacker already knows the name, and has sufficient access to launch even so much as a ping, then they can probably resolve the name anyway from your internal DNS. Have I missed some massive vulnerability somewhere, or is this another element of security theatre?
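
One way to audit the split discussed in this thread, as an added example that is not from the thread or from Cloudflare: it compares exported public and internal record sets and flags private names or RFC 1918 addresses in the public zone, and public-facing names that the internal zone does not hand off with a CNAME. The zone data, `example.com`, the CNAME target and all function names are constructed assumptions.

```python
import ipaddress

# Constructed sample zones as (name, type, value); example.com, the addresses
# and the CNAME target are placeholders, not values from the thread.
APEX = "example.com."
PRIVATE_NAMES = {"intranet.example.com.", "db1.example.com."}
PUBLIC_ZONE = [  # what Cloudflare would serve to everyone
    ("www.example.com.", "A", "192.0.2.10"),
    ("shop.example.com.", "A", "192.0.2.11"),
    ("intranet.example.com.", "A", "10.0.0.5"),  # leak: internal host published
]
INTERNAL_ZONE = [  # what the client's own DNS would serve inside the network
    ("www.example.com.", "CNAME", "www.edge.example.net."),
    ("shop.example.com.", "A", "203.0.113.7"),  # pinned address, no CNAME
    ("intranet.example.com.", "A", "10.0.0.5"),
    ("db1.example.com.", "A", "10.0.0.20"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_zone(name, apex):
    """True if name is the apex or a name below it (FQDNs with trailing dot)."""
    return name == apex or name.endswith("." + apex)

def audit(public, internal, private_names, apex):
    """Return (finding, name) pairs for records that break the split."""
    findings = []
    for name, rtype, value in public:
        if name in private_names:
            findings.append(("private-name-in-public-zone", name))
        if rtype == "A" and any(ipaddress.ip_address(value) in n for n in RFC1918):
            findings.append(("private-address-in-public-zone", name))
    internal_by_name = {}
    for name, rtype, value in internal:
        internal_by_name.setdefault(name, []).append((rtype, value))
    # Every public-facing name should leave the internal zone through a CNAME,
    # so internal clients end up with the same answer the public gets.
    for name in sorted({n for n, _, _ in public} - set(private_names)):
        targets = [v for t, v in internal_by_name.get(name, []) if t == "CNAME"]
        if not targets:
            findings.append(("public-name-not-cname-internally", name))
        elif any(in_zone(t, apex) for t in targets):
            findings.append(("cname-target-inside-internal-zone", name))
    return findings

if __name__ == "__main__":
    for finding, name in audit(PUBLIC_ZONE, INTERNAL_ZONE, PRIVATE_NAMES, APEX):
        print(f"{finding}: {name}")
```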
