Internal and External DNS

karnac01 · 05-19-2011, 09:36 AM

Hello everyone,

Here is probably an easy question if anyone can help me out. I have done tons of reading but nothing really helps answers this question: What is purpose of Internal and External DNS?

I know you need DNS to translate computer/server names to IP addresses and store the records. So why do you need 2 internal and 1 external DNS? I do understand about having an internal DNS for internal network but what about the external DNS?

Also, why do you need 2 DNS inside the network? Can you have one internal DNS and make that your primary and if it can't find the record then have that one point to your external DNS in the DMZ?

Am I making some sense or am I just confused? I think I need a quick school lesson on DNS. I feel embarrassed to ask. Thanks for all of your help.

MensaWater · 05-19-2011, 10:36 AM

There is no "requirement" for:
1) More than one DNS server.
2) Separate internal and external DNS servers.

There are however "best practices".

The main reason for more than one DNS server is redundancy. If one goes down and the other is up queries will still work. If you only have one when it is down then most things (because most things rely on name resolution) will break because they can't find the IP address they are requesting from DNS.

One reason for separate internal and external DNS servers is that the IPs you use internally might not be the ones you use externally (they seldom are - often you'll have a 10.x or 192.x network internally but your web servers etc... will be in a public IP range [often NATted from the internal IPs]. Also there are security implications. You don't want a DOS attack on your external network affecting your internal operations. Also you don't want people outside your network seeing all the devices you have inside your network and finding out their IPs. Typically the external DNS is in the DMZ. Also you might be doing Dynamic DNS updates on your internal server using DHCP.

However, you CAN (but shouldn't) make one server both the internal and external server and can even set separate IPs ranges to use for internal and external using "views".

Edit: Another reason to separate internal and external. Often you want to allow your internal users to query cache and/or do recursive queries. You do NOT want external users doing that due to cache poisoning attacks.