Internal DNS server providing responses to external requests?

I have a pfSense firewall and a Windows 2008 R2 DNS server. I'd really like my DNS server to respond to external queries for my subdomains. Right now, I'm using a 3rd party service for that.

Is there a way that I can have my 2008 server respond to DNS requests from "the world" while still keeping it behind the firewall?

I've only got one external IP, currently. If needed though, I could purchase a second if that'd help in this situation.


Solution 1:

You can get an additional IP and 1:1 NAT the internal DNS server to the public IP and open port 53.

You should note that you should really separate your authoritative servers from your recursive resolvers. What you're proposing is technically possible, but is really bad practice for a number of reasons.

Solution 2:

You can just port forward TCP/UDP 53 to your server on your existing WAN IP, if you aren't already running a DNS server on that IP. But I wouldn't recommend doing that in most cases; it's better to keep your public and private DNS separate. Especially if you're running Active Directory, you'll expose a good deal of information about your internal network to the world if you open the DNS server serving your AD to the Internet.
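A way to audit what a server exposed through the port forward or 1:1 NAT actually offers to the Internet (recursion for anyone, or only its own zone data), added here as example code that is not from either answer. It speaks raw DNS over UDP 53 with the standard library only; the public IP, hostnames and the sample replies are assumptions or constructed for illustration.

```python
import socket
import struct

# Record types relevant to the audit: the AD SRV record clients use to locate a
# domain controller, plus A for a plain "will you recurse for me?" probe.
QTYPE = {"A": 1, "SRV": 33}

def build_query(name, qtype, txid=0x1234, recursion_desired=True):
    """Encode a minimal RFC 1035 query for name/qtype as raw bytes."""
    flags = 0x0100 if recursion_desired else 0x0000        # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)

def audit_response(resp):
    """Decode the header flags that say what the server is willing to do."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "authoritative": bool(flags & 0x0400),        # AA: it holds the zone
        "recursion_available": bool(flags & 0x0080),  # RA: it resolves anything for anyone
        "rcode": flags & 0x000F,                      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def classify(probe):
    """Turn the flags into the verdict the answers above warn about."""
    if probe["recursion_available"]:
        return "open resolver: recursion is offered to the Internet"
    if probe["rcode"] == 5:
        return "refused: server is not answering external clients"
    if probe["authoritative"] and probe["answers"] > 0:
        return "authoritative-only: zone data is served, no recursion"
    return "no data: record absent or server not authoritative for it"

def probe_server(server, name, qtype="A", timeout=3.0):
    """Send one UDP query to the server under test and audit the reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        resp, _ = s.recvfrom(4096)
    return audit_response(resp)

def constructed_reply(query, flags, answers):
    """Constructed sample reply (not a real capture): echo the question, set flags/ANCOUNT."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + query[12:]

if __name__ == "__main__":
    # Assumed public IP and zone; run from outside the firewall. The AD SRV name
    # is the record you do not want answered from the Internet.
    print(classify(probe_server("203.0.113.10", "example.com", "A")))
    print(classify(probe_server("203.0.113.10", "_ldap._tcp.dc._msdcs.example.com", "SRV")))
```

The flags checked here are what pfSense cannot filter for you: the forward only decides who can reach port 53, while the server's own recursion and zone settings decide what it answers.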