Two DNS zones, one for internal and one for DMZ servers: is it possible?

Tags: dns-zone, domain-name-system, internal-dns

I currently work in a company that has two DNS servers (ns1 and ns2) open to the Internet on the DMZ, and it's hosting two zones: company.org and company.net. In both zones there are servers in the DMZ and in the internal LAN, and recursion is enabled on the DNS server.

I was thinking of doing this: reconfigure all servers on the DMZ to have an FQDN of server.company.org and those on the internal LAN server.company.net. Then have a DNS server on the DMZ with just the company.org zone and another DNS server on the internal LAN hosting only the company.net zone.

Is this wise, or is there a better solution? If I use this, on which DNS server must recursion be enabled and on which disabled? And what about forwarding?

Thanks very much.

Best Answer

You've not clearly stated your goals, so providing a specific recommendation is difficult.

However, for ease of management and security, using one domain for public-facing services and another for internal services is beneficial, while not technically required.

For example, you could place all public-facing services on one domain. Then use a DNS service provider or your registrar to manage DNS records for this domain. Doing so will allow you to stop running a DNS server in your DMZ.

Internally, you may want to check what, if any, DNS services your network gear provides. Some network devices may allow you to manage DNS directly on the device.

If not, then consider a small VPS system dedicated to internal DNS. You can publish your own records for internal assets and then configure the system to handle recursion and DNS caching. This way IPs and domains for internal assets are not publicly discoverable.

On your internal server, you can use a forwarding, caching DNS setup that uses services like OpenDNS or Google's DNS for the recursion. These public DNS services include some security features that doing your own DNS recursion does not. This is often an easy and inexpensive way to add additional security to a small office or branch network.
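The split the answer recommends, written out as an added BIND `named.conf` sketch for the two servers (not part of the original post). The zone file names, the 10.0.0.0/8 LAN range and the 203.0.113.11 secondary address are assumptions; the OpenDNS resolver addresses are the service's published ones.

```conf
// ===== File 1: named.conf on the DMZ server (ns1/ns2) =====
// Authoritative for the public zone only. Recursion is OFF so the
// server cannot be used as an open resolver or leak internal names.
options {
    directory "/var/named";            // assumed path
    recursion no;
    allow-query { any; };              // public zone data is meant to be public
    allow-transfer { 203.0.113.11; };  // assumed secondary; nobody else may AXFR
    version "not disclosed";           // hide the BIND version string
};

zone "company.org" {
    type master;
    file "company.org.zone";           // assumed file; lists DMZ hosts only
};

// ===== File 2: named.conf on the internal LAN server =====
// Authoritative for company.net, recursive for LAN clients only, and it
// forwards everything else (including company.org) to a public resolver
// instead of walking the roots itself.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // assumed LAN range; others get REFUSED
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    forward only;
    forwarders { 208.67.222.222; 208.67.220.220; }; // OpenDNS, as suggested above
    dnssec-validation auto;
};

zone "company.net" {
    type master;
    file "company.net.zone";           // assumed file; internal hosts only
    allow-transfer { none; };          // internal records never leave this server
};
```

The firewall should only forward port 53 from the Internet to the DMZ server; the internal server should not be reachable from outside at all, so the `allow-*` lists are a second layer, not the only one.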
