external DNS servers (quick question)

Do most companies house their own external DNS servers? And do they have two types of external DNS servers?

1. One DNS server that queries the root servers (for their internal clients' requests, so clients are set to forward to this)

2. And another DNS server that resolves names for clients from the outside (who are trying to find the company's webserver etc.)

Wouldn't it be better to keep the two separate?

I believe DNS servers are set up in a chain-like fashion, that go well out of the enterprise itself.

Your No. 1 server will normally exist in a company, but when queried, it will then query another DNS server on the outside for the client; normally the ISP hosts this server. Eventually that client will simply be given an IP address for the name (e.g., www.experts-exchange.com) they wish to access. When the IP address is queried, the request is able to be routed through the internet.

For No. 2, a company wouldn't have a DNS server for the hosting of remote access servers (web servers, etc.); the DNS would be handled at the client end (who would be querying the webserver, for example, No. 1), and eventually be given an IP address to the company, or one of many servers within a company. Once the request reaches that IP address, the company servers can route the request internally to the appropriate server if required (normally used with port forwarding etc., where there are a number of servers hosting different services behind the one external IP address).

Hope I haven't confused you!

Typically, people keep at least two domains, one internal and one external. For devices that are internal, you use a namespace that does not match your external namespace. So if you are mycompany.com externally, you are mycompany.int internally. This helps prevent people from using your DNS server to map your internal network.

That said, you can host both namespaces on the same server, but best practice says you should have separate servers for internal and external.

Most people own their internal DNS servers -- I don't know of anyone who hosts that offsite.  The internal servers resolve requests both internally and externally to the Internet.  All your clients point to these boxes.

Many people do not own the servers that contain their external DNS information.  Largely it's because it isn't worth the bother or cost to host them.  Let your ISP do it for you -- it is typically pretty inexpensive.

Well dear,
you are very, very right... there has to be more than one server. Ollie is right that servers are in the chain configuration. But what we do in the internet business is that some ISP has its own server working for DNS, with automatic secure update from another server. This way the server serves for the internal organization as well as for the internet. In Windows it is very easy, just enable Allow Secure Updates Only and you have done that. In Linux, however, you have to write the code for that... and it's simple...

To give you a better understanding, what happens is... that DNS servers have levels as well. When you go out from your gateway, you first go to a DNS server. The DNS server will either resolve the address itself, or ask its next DNS server. A DNS server is not so stupid as to keep a trillion websites with it for resolution; it just knows the paths... for example for .edu.com, it may get directed towards one server, yet for .net, it may go to some other server. But the hierarchy is maintained at the DNS level. Sometimes the access is blocked or restricted for one ISP, so you won't find the web address working under that ISP.....
The topic is pretty simple, yet long.... hope you have got a fair idea of it....

Happy understanding ;)


If you're asking what I think you're asking, the answer is usually no and no, unless the company is an ISP or telecommunications company who already has that for other purposes. If I read your question correctly, you're talking about internet DNS one way and the other, and not intranet. Normally, a company will run DNS internally, but it is for Windows network name resolution, like returning an IP address when you do something like "ping mailserver1". Internal DNS (used to be called WINS, has been called DNS since Win2k Server) just resolves names to addresses on your LAN as a function of NetBIOS etc. for the purposes of file sharing, remote management etc. As far as internet DNS, regardless of whether it be incoming or outgoing, it's normally done at the ISP or telco provider level, although many gateways, servers, etc. will cache the last several hundred to several thousand requests in a revolving cycle just to save bandwidth/overhead etc. It's a hierarchy: your browser (when on the LAN) will check its own cache, then your server's cache; if your server doesn't have it, it checks with your ISP; if your ISP doesn't have it, it checks with a core server, etc. etc.
dissolvedAuthor Commented:
thanks everyone

I currently have 3 internal DNS servers. It's AD-integrated using dynamic DNS. They query my ISP's DNS for stuff they can't resolve.

I have one external DNS housed here. This isn't affiliated with my AD structure at all. It's just a Win2k box running nothing but DNS. I disabled recursion on it and removed the root servers. It's strictly for clients resolving addresses of my externally accessible boxes.
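As an added illustration of the setup the author describes above (an external, authoritative-only server with recursion disabled and root hints removed), here is a small Python probe. It is not code from the thread or from any of the posters; it sends one RD=1 query for a name the server should not be authoritative for and classifies the reply from its header flags (RFC 1035, section 4.1.1). The target name, the constructed sample replies and the classification labels are assumptions chosen for illustration.

```python
"""Probe a DNS server and report whether it offers recursion to you.

Added example, not from the thread. An external, authoritative-only server
should answer an off-zone RD=1 query with the RA bit clear (typically
REFUSED or SERVFAIL); an open resolver answers with RA set. A reply with RA
clear but NS records in the authority section means recursion is off but
root hints (or a delegation) are still loaded and being handed out.
"""
import os
import socket
import struct

# Header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000  # response
AA = 0x0400  # authoritative answer
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired (set by the client)
RA = 0x0080  # recursion available (set by the server)
RCODE_MASK = 0x000F

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode 'www.example.com' as DNS labels: 3www 7example 3com 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a one-question query (type A, class IN by default) with RD=1."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the header fields that matter for the recursion check."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & RCODE_MASK
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_available": bool(flags & RA),
        "rcode": RCODES.get(rcode, str(rcode)),
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def classify(msg):
    """Classify the reply to an RD=1 query for a name outside the server's zones.

    'open-resolver'      RA set: the server recursed (or offers to) for us.
    'referral'           RA clear, no answers, NS records in authority: recursion
                         is off but root hints / a delegation are still served.
    'recursion-disabled' RA clear and REFUSED, SERVFAIL or empty: what an
                         authoritative-only external server should return.
    """
    h = parse_header(msg)
    if not h["is_response"]:
        raise ValueError("message is a query, not a response")
    if h["recursion_available"]:
        return "open-resolver"
    if h["rcode"] == "NOERROR" and h["answers"] == 0 and h["authority"] > 0:
        return "referral"
    return "recursion-disabled"


def probe(server, name="www.experts-exchange.com", timeout=3.0):
    """Send the query over UDP to `server`:53 and classify the reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(reply)


# Constructed sample replies (header plus the echoed question, record bodies
# omitted because only the header is parsed). Not captured from a real server.
QUESTION = encode_name("www.experts-exchange.com") + struct.pack("!HH", 1, 1)
OPEN_RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | 5, 1, 0, 0, 0) + QUESTION
REFERRAL_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 13, 0) + QUESTION

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Run it as `python probe.py <external-dns-ip>` from outside your own network; the external box described above should print `recursion-disabled`, while `open-resolver` means anyone on the internet can use it as a resolver (and as a reflection source), and `referral` means root hints are still loaded even though recursion is off.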
dissolvedAuthor Commented:
Thanks Focusyn. I would have given you points, but I think I was splitting points while you were typing your answer. Bad timing.

Basically, you guys answered it. External servers are kept at ISPs usually. The company must use some type of interface or control panel, right? Otherwise, the ISP would have to do all the changes.

Let's say I host my own website. When outside users want to access it, they will eventually query my name server to find the address. Is the name server they query going to be the same one my internal clients use to resolve internet names?

So basically, in other words: does the external server both resolve queries for my internal clients, and for people on the internet trying to find my website that I have in the company?
In this case... your internal DNS servers work for your internal clients; it is very likely your domain name is directed to another company's nameservers (a lot cheaper this way). From there, any requests basically end up at your external IP (but the outside client sees your domain name).