Split-brain DNS is a problem when you have a domain and
subdomains behind the firewall. The solution we know is to declare
the DNS server of the parent domain as a secondary server for every
existing subdomain. This solution is not really great since we can't
resolve Internet names from a subdomain.
We are currently using 4.9.3-REV and testing 4.9.4 of BIND,
but no improvement seems to have been made...

There will be a paper by Bill Cheswick and myself addressing some of
these issues, to be presented at the Usenix UNIX Security Conference 7/22-25.