
Right, for internal networks, we use source IP (well, network, but same diff).

For instance, we might have different source networks based on their department or building or whatever. We can then give them DNS information based on where they are coming from. It's not foolproof, obviously: even if we control the internal network, it doesn't mean a bad actor isn't around wreaking havoc, so it's defence in depth, not the sole line of defence.

But it allows us to control DNS from 1 spot, and give this group of servers names for themselves, and that group of servers and this group of clients access to this group of servers, etc.
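
A small model of the source-network DNS views described in the comment above, added here as an illustration and not part of the original comment or of any DNS server's code. The networks, view names and records are constructed, and first-match ordering of views is an assumption of this sketch.

```python
import ipaddress

# Constructed sample data: networks, view names and records are illustrative only.
VIEWS = [
    {
        "name": "engineering",
        "clients": ["10.10.0.0/16"],
        "records": {"build.corp.example": "10.20.0.5", "wiki.corp.example": "10.30.0.8"},
    },
    {
        "name": "finance",
        "clients": ["10.11.0.0/16"],
        "records": {"ledger.corp.example": "10.21.0.5", "wiki.corp.example": "10.30.0.8"},
    },
    # Catch-all for any other source: sees no internal names at all.
    {"name": "default", "clients": ["0.0.0.0/0"], "records": {}},
]


def select_view(src_ip, views=VIEWS):
    """Return the first view whose client networks contain src_ip (order matters)."""
    addr = ipaddress.ip_address(src_ip)
    for view in views:
        if any(addr in ipaddress.ip_network(net) for net in view["clients"]):
            return view
    return None


def resolve(src_ip, qname, views=VIEWS):
    """Answer qname from the caller's view only; None models NXDOMAIN."""
    view = select_view(src_ip, views)
    if view is None:
        return None
    return view["records"].get(qname.rstrip(".").lower())


def audit_overlaps(views=VIEWS):
    """Flag views hidden behind an earlier, broader view (they would never match)."""
    shadowed = []
    for i, later in enumerate(views):
        for earlier in views[:i]:
            for net in later["clients"]:
                n = ipaddress.ip_network(net)
                if any(n.subnet_of(ipaddress.ip_network(e)) for e in earlier["clients"]):
                    shadowed.append((later["name"], earlier["name"], net))
    return shadowed
```

`audit_overlaps` is the check worth running whenever the view list changes: a catch-all placed ahead of a department view silently replaces that department's answers with the default ones.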



