Simple question about DNS and firewalls
Posted on 2008-06-19
This is a basic question about how DNS servers communicate with the outside world when firewalled.
My understanding is that DNS servers are supposed to be placed behind a hardware firewall. They should not be firewalled themselves. This allows them to communicate freely with machines in a local subnet.
Suppose I have a collection of IIS servers with a bunch of websites. These websites use domain names, and name resolution is being provided by my DNS servers.
Given the fact that the boxes running DNS services are behind a firewall, I can see one of two ways this could work:
possibility a) all requests involving name resolution are being routed from the IIS server to my services running DNS. The IIS boxes are publicly exposed, the DNS boxes are not.
possibility b) there is some limited port open or communication between the DNS box and the outside world.
I'm finding this a bit confusing because if scenario a) is true, it introduces a systemic dependency on those IIS boxes, and it also makes it hard to understand how widely distributed things involving DNS -- say, DFS file replication -- work properly if the primary actors of that are behind hardware firewalls.
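As an added example that is not part of the original post: possibility (b), the "limited port open" arrangement, written out as the forward policy a perimeter firewall would apply to a DNS host sitting behind it. It uses nftables syntax (a Linux firewall; the hardware firewall in the question is unspecified), and the addresses, interface names, and the two roles (a recursive resolver that only needs outbound 53, versus an authoritative server that also answers the Internet) are assumptions for illustration. The LAN hosts, including the IIS boxes, may talk to the DNS box on port 53 and nothing else is opened for it.

```shell
#!/bin/sh
# Added example (not from the original post): perimeter-firewall forward
# policy for a DNS host behind it, i.e. scenario (b): only port 53 is
# opened between the DNS box and the outside world. All addresses and
# interface names below are assumed for illustration.

DNS_HOST="${DNS_HOST:-192.168.10.53}"   # assumed: the DNS box on the LAN
LAN="${LAN:-192.168.10.0/24}"           # assumed: local subnet (IIS boxes live here)
WAN_IF="${WAN_IF:-eth0}"                # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"                # assumed: interface facing the LAN

# Emit an nftables ruleset on stdout. Argument: "resolver" (recursive
# lookups, outbound 53 only) or "authoritative" (also answers queries
# for our zones coming from the Internet).
dns_ruleset() {
    role="${1:-resolver}"
    case "$role" in
        resolver|authoritative) ;;
        *) echo "usage: dns_ruleset resolver|authoritative" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "table inet dnsfw {" \
        "  chain forward {" \
        "    type filter hook forward priority 0; policy drop;" \
        "    # replies to traffic the firewall has already seen (UDP answers, TCP 53 sessions)" \
        "    ct state established,related accept" \
        "    # IIS and other LAN hosts may query the internal DNS box only" \
        "    iifname \"$LAN_IF\" ip saddr $LAN ip daddr $DNS_HOST udp dport 53 accept" \
        "    iifname \"$LAN_IF\" ip saddr $LAN ip daddr $DNS_HOST tcp dport 53 accept" \
        "    # the DNS box alone may reach Internet name servers on port 53 (recursion)" \
        "    iifname \"$LAN_IF\" oifname \"$WAN_IF\" ip saddr $DNS_HOST udp dport 53 accept" \
        "    iifname \"$LAN_IF\" oifname \"$WAN_IF\" ip saddr $DNS_HOST tcp dport 53 accept"
    if [ "$role" = authoritative ]; then
        printf '%s\n' \
            "    # authoritative role: the Internet may query our zones on the DNS box" \
            "    iifname \"$WAN_IF\" ip daddr $DNS_HOST udp dport 53 accept" \
            "    iifname \"$WAN_IF\" ip daddr $DNS_HOST tcp dport 53 accept"
    fi
    printf '%s\n' \
        "    # anything else to or from the DNS box falls through to the drop policy" \
        "  }" \
        "}"
}

# Number of accept rules in the generated ruleset; a quick sanity check
# before loading it (resolver: 5, authoritative: 7).
dns_rule_count() {
    dns_ruleset "$1" | grep -c ' accept$'
}

# Stand-alone use: print the ruleset for review, or pipe it into `nft -f -`.
dns_ruleset "${ROLE:-resolver}"
```

Two points worth keeping in mind when reading the rules: the UDP answers coming back from Internet name servers are let in only by the `ct state established,related` line, so a stateless packet filter would also need an explicit inbound rule for UDP source port 53; and TCP 53 is opened alongside UDP because responses too large for a UDP datagram are retried over TCP and zone transfers between name servers use TCP.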