DNS consolidation, how to serve both internal network and the internet

Currently we have the following setup. We have two domain controllers which also serve as DNS servers, used as resolvers by local clients. We also have external authoritative DNS servers for the exact same DNS zone, just for servicing the outside world. This leads to a situation where the same record has to be entered twice, once on each server group.

One obvious resolution is to use only the internal servers and eliminate the external server group. We use NAT and all internal servers have addresses from private ranges, e.g. 192.168.1.0. Requests from the outside world are forwarded to whatever machine is needed.

The question is how to avoid leaking internal addresses (that will resolve to 192.168...) if internal DNS servers start serving external requests?


We have a similar setup, but I have purposely kept the external DNS on different servers than the internal DNS for security reasons. As soon as you move the external DNS to the same server as your internal one, which is also Active Directory, you have to open a hole up for resolvers to the same machine that serves your internal Active Directory. If a flaw crops up in the DNS service (as there have been in the past), then an attacker can potentially compromise your internal Active Directory machine. By keeping internal and external DNS on separate machines, you do not have to open up anything through the firewall to the internal DNS/Active Directory box, keeping it much safer IMHO.


Having a zone duplicated intranet/internet is called "split brain" and you have outlined the pros/cons nicely. Now you must choose on the pluses and minuses. Hint: live with duplicate updates for the few records that have to be on the internet.
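The "split brain" arrangement the answer above refers to, and the leak the question worries about, can be modelled in a few lines. The following is an added example, not code from the thread or from any DNS server: it keeps two copies of the zone, selects one by the querying client's source address (the way BIND does with `view` clauses, and Windows DNS Server 2016+ with DNS policies), and includes the pre-publication check a practitioner would want, a scan of the external copy for RFC 1918 addresses. The zone `example.com`, the hosts, the addresses, and the trusted networks are all constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data for a hypothetical zone "example.com".
# The internal view carries every host, including a domain controller,
# on RFC 1918 addresses; the external view carries only the public-facing
# names, mapped to the NAT'd public addresses (203.0.113.0/24 is a
# documentation range used here as a stand-in for real public space).
INTERNAL_VIEW: Dict[str, str] = {
    "www.example.com.": "192.168.1.10",
    "mail.example.com.": "192.168.1.20",
    "dc1.example.com.": "192.168.1.5",
}
EXTERNAL_VIEW: Dict[str, str] = {
    "www.example.com.": "203.0.113.10",
    "mail.example.com.": "203.0.113.20",
}

# Clients sourced from these networks receive the internal view (assumed).
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8")]

# RFC 1918 private blocks, listed explicitly rather than via
# ipaddress's is_private, which also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def select_view(client_ip: str) -> Dict[str, str]:
    """Pick the zone data by the querying client's source address."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return INTERNAL_VIEW
    return EXTERNAL_VIEW


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Answer an A query from the view the client is entitled to.

    Names that exist only in the internal view (dc1 here) return None,
    i.e. NXDOMAIN, for outside clients instead of a private address."""
    return select_view(client_ip).get(name)


def find_leaks(view: Dict[str, str]) -> List[Tuple[str, str]]:
    """Records whose address is RFC 1918. Run this over the external view
    before publishing it; the result should be empty."""
    return [(name, addr) for name, addr in view.items() if is_rfc1918(addr)]


if __name__ == "__main__":
    for client in ("192.168.1.50", "198.51.100.7"):
        print(client, "->", resolve("www.example.com.", client),
              resolve("dc1.example.com.", client))
    print("external view leaks:", find_leaks(EXTERNAL_VIEW))
```

The view selection alone does not address the second answer's point: whichever host serves the external view still has to be reachable from the internet, so if that host is a domain controller the firewall hole remains. Running `find_leaks` over the copy of the zone destined for the outside world is the cheap safeguard against the duplicate-entry mistake the question describes, regardless of whether the two copies live on one server or two.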