DNS entries for a stand-alone server in a DMZ

I'm referencing an earlier question that I need a more detailed solution for:

"Yes, keep your external DNS completely segregated from the AD DNS environment.
I would recommend setting up a standalone box (not on the domain) and configuring your DNS entries manually. This is certainly the most secure."
I have a standalone server in a DMZ. How would I configure my DNS entries for my internal LAN to access that server by name and not IP? I want our internal users to route to the internal IP, and not out to the internet and back in as clients would. Does this mean that I would have to update the hosts / lmhosts files on all of my workstations, or is there any type of entry in DNS that I can make for a standalone machine?

What you're saying is you want 2 different records, one for internal and one for external clients?

Well, if updating your hosts files is not an option, I would create a DNS server for internal use only. Use that for internal resolution.

dzinesbymeg (Author) commented:
I do have an internal DNS server...several of them in fact.  To add an A record though, it assumes that the machine is part of the Domain, and the webserver is stand-alone.  My question is specifically what would the DNS record look like on the internal DNS server to access a stand-alone server in a DMZ, or is that even possible?
What you need to do is have your internal DNS server connect to your external DNS server. So it can act as a DNS forwarder or Cache on top of hosting its own domains.

Your internal DNS could host a completely different domain such as domain1.com whereas your external DNS will host domain2.com

Since all your workstations connect to your internal DNS, this is enough to have it retrieve all DNS entries of Domain1.com and Domain2.com and the Internet domains as well (since most likely your external DNS is configured to retrieve Internet domains as well).

On the other hand, all External users will only be able to retrieve records for Domain2.com and not Domain1.com as your external DNS will not forward to your internal.

I hope this clarifies the situation for you.
dzinesbymeg (Author) commented:
hbustan, this is an acceptable solution, but it doesn't answer the question I was trying to ask. If the server in the DMZ is stand-alone (by which I mean not a part of ANY domain), is there any type of record to be added to the internal DNS that would allow my internal machines to access that server by the same address that my external DNS is pointing to (portal.domain1.com)? Right now my external DNS is hosted by my ISP. Maybe it's just not possible...
OK - my understanding was that the DNS in your DMZ is the external one.

So you are saying you have DNS internally, DNS in the DMZ and DNS with your ISP?? 3 layers?

If this is the case, then:

1. Your internal DNS will host your internal servers & have a forwarder to your DNS in the DMZ.
2. Your DMZ DNS will host the machines in your DMZ & have a forwarder to your ISP DNS.

This way, when a PC looks up an internal name it will only go to your default DNS and get the values immediately; when looking up a DMZ server name, it will go locally and then your local DNS will make another request to fetch it from the DMZ DNS. When looking up Internet addresses, it will go locally, then your local DNS will request from your DMZ DNS and the DMZ DNS will request from the Internet.

So you still do not need to use host files.
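As an added example (not code from the thread), the internal record hbustan describes can be created on a Windows AD DNS server with the DnsServer PowerShell module: a single-name "pinpoint" zone for portal.domain1.com holding one A record with the internal address, plus a forwarder to the DMZ DNS. The host name, all IP addresses and the use of a pinpoint zone are assumptions for illustration.

```powershell
# Added example (not from the thread): on the internal AD DNS server, publish
# the DMZ host's name with its internal address using a "pinpoint" zone, and
# forward everything else outward. Run in an elevated PowerShell session on a
# Windows Server DNS host with the DnsServer module. All IP addresses below
# are constructed placeholders.

$DmzHostName   = 'portal.domain1.com'   # name the ISP's external DNS also publishes
$DmzInternalIP = '172.16.10.20'         # address internal clients should reach it on
$DmzDnsServer  = '172.16.10.2'          # DNS server in the DMZ (forwarder target)

# 1. A zone whose name IS the host name: resolving it never touches the
#    ISP-hosted domain1.com zone, so the rest of domain1.com still resolves
#    externally via forwarding. Replicates to all AD DNS servers in the forest.
if (-not (Get-DnsServerZone -Name $DmzHostName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $DmzHostName -ReplicationScope 'Forest'
}

# 2. The A record sits at the zone apex ('@'), so the FQDN resolves directly
#    without the host having to be a domain member.
Add-DnsServerResourceRecordA -ZoneName $DmzHostName -Name '@' `
    -IPv4Address $DmzInternalIP -TimeToLive (New-TimeSpan -Hours 1)

# 3. Forward all other lookups to the DMZ DNS, which in turn forwards to the ISP.
#    Disabling root hints keeps the internal server from going to the Internet itself.
Set-DnsServerForwarder -IPAddress $DmzDnsServer -UseRootHint $false

# 4. Verify from the DNS server itself: expect the internal address, not the public one.
Resolve-DnsName -Name $DmzHostName -Server 'localhost' -Type A |
    Select-Object Name, IPAddress
```

Because the pinpoint zone only covers that one name, other hosts under domain1.com keep resolving through the forwarder chain to the ISP, and no hosts or lmhosts files need editing.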
