
Add DNS split-horizon and forwarder evidence gates #1189

Open
tick25108-cpu wants to merge 1 commit into UnitOneAI:main from tick25108-cpu:codex/dns-split-horizon-forwarder-gates

Conversation

@tick25108-cpu

Summary

Closes #909.

This updates dns-security so split-horizon DNS, private hosted zones, and conditional forwarders are reviewed through explicit evidence instead of being treated as generic DNS inconsistency.

What changed

  • Adds discovery patterns for split-horizon, private DNS, resolver rules, and forwarding policies.
  • Adds a split-horizon and conditional forwarder review step with required evidence for zone scope, client population, authoritative source, forwarding path, answer comparison, ownership, and change control.
  • Adds DNS-SPLIT-01 through DNS-SPLIT-06 for missing view evidence, unintended public exposure, resolver recursion bleed, broad forwarder shadowing, fail-open forwarding, and DNSSEC validation mismatch.
  • Adds benign and vulnerable BIND/forwarder examples so intentional internal/external answer differences are not overreported.
  • Extends severity guidance, output format, common pitfalls, prompt-injection handling, references, and changelog.

Validation

  • git diff --check
  • Markdown fence balance check
  • Marker checks for DNS-SPLIT-01 through DNS-SPLIT-06, version 1.0.1, and prompt-injection safety notice
  • ASCII-only content check
  • Reference URL checks returned HTTP 200 for BIND views, CoreDNS forward, Route 53 private hosted zones, Azure Private DNS VNet links, and Google Cloud DNS zones overview

Bounty

Submitting this as an Improver contribution under the repository contribution guidelines. Payment details can be provided privately after maintainer acceptance.



Development

Successfully merging this pull request may close these issues.

[REVIEW] dns-security: add split-horizon and conditional-forwarder evidence gates
