We have 2 Windows 2003 DNS servers that are authoritative for about 40 Internet domains, that have been hosting behind a Cisco Pix 515e firewall for years. They are both small Active Directory domain controllers with Microsoft DNS on them, and Active Directory keeps the DNS info replicated for us. We opened up ports 53 TCP & UDP, added static addresses in the firewall to the inside DNS servers address (10.9.10.5 & .6) and outside address (69.xxx.yyy.5 & .6), and had ISP make both servers authoritative and life was good. We also have a simple Windows 2003 based Web server and IIS server that host some web sites and e-mail and they are behind the same firewall and are part of the same Active Directory domain.
Then a customer wanted us to host DNS for a domain name xyz.IS which is an Iceland domain extension. During the process of pointing the .IS name to our DNS servers, using Zonecheck.fr we found that the standard default Microsoft DNS does not meet several current DNS server requirements. We tweaked several items on the DNS servers (such as TTL) to meet the current DNS server requirements and finally got down to one requirement that proved tough to overcome. When zonecheck queried our DNS servers it was also seeing the actual inside address (10.9.10.5) and didn't like it because it is not valid on Internet, even though DNS requests actually worked.
So, we temporarily changed the IP address for both servers to be the actual valid Outside addresses (69.xxx.yyy.5 & .6) and placed them outside the firewall - and then Zonecheck was happy.
Now we want to put the two DNS servers back behind our firewall since they are much safer that way and not have all ports on these servers exposed to the wicked Internet. This has created a catch-22 situation for us. If we go back to using inside addresses and move them inside the firewall then Zonecheck won't be happy, and if we put them in a DMZ then Active Directory won't be happy with the mail and web server inside the firewall and the domain controllers outside - and the DNS servers outside will be fully exposed to the wicked Internet, and if we put some or all of the servers in a DMZ then some or all will be exposed to the wicked Internet.
It would be great if we could somehow use the actual valid Internet addresses on these DNS servers behind the Pix firewall and have the Pix do some kind of a pass thru mode out to the Internet but I don't know if such a pass thru mode exists. I thought about using 2 Cisco firewalls with a DMZ in the middle but I can't put a valid Internet address on the outside of the outside firewall and then put another address in the same subnet on the DMZ side of the same outside firewall (the Pix complains) - so that won't work. I don't have any other ideas. Is there a reasonable way to solve this? Please help!! :-) Thanks a bunch!!
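The check Zonecheck tripped on is worth being able to run yourself before re-delegating a zone: the NS hosts at the apex must not resolve to RFC 1918 or other non-routable addresses. Below is an added example (not from the thread or any product mentioned in it) that parses a small, constructed zone fragment and flags nameserver glue that is not globally routable; the 10.9.10.5 value mirrors the inside address in the question, and the 69.0.0.x addresses are stand-ins for the masked public ones.

```python
import ipaddress

# Constructed sample zone in a minimal "name IN TYPE rdata" style.
# 10.9.10.5 mirrors the inside address from the question; the 69.0.0.x
# values are placeholders for the masked public addresses.
SAMPLE_ZONE = """
example.com.      IN NS   ns1.example.com.
example.com.      IN NS   ns2.example.com.
ns1.example.com.  IN A    10.9.10.5      ; inside address leaked as glue
ns2.example.com.  IN A    69.0.0.6
www.example.com.  IN A    69.0.0.7
"""

def parse_records(zone_text):
    """Parse 'name IN TYPE rdata' lines into (name, type, rdata) tuples,
    ignoring blank lines and ';' comments."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1].upper() != "IN":
            continue
        records.append((parts[0].lower(), parts[2].upper(), parts[3]))
    return records

def find_unroutable_nameservers(zone_text, apex):
    """Return {ns_host: [addresses]} for apex NS targets whose A records are
    private (RFC 1918), loopback, link-local or otherwise not globally routable.
    An empty dict means the delegation glue is clean on this point."""
    records = parse_records(zone_text)
    apex = apex.lower().rstrip(".") + "."
    ns_hosts = {rdata.lower() for name, rtype, rdata in records
                if name == apex and rtype == "NS"}
    problems = {}
    for name, rtype, rdata in records:
        if rtype != "A" or name not in ns_hosts:
            continue
        if not ipaddress.ip_address(rdata).is_global:
            problems.setdefault(name, []).append(rdata)
    return problems

if __name__ == "__main__":
    for host, addrs in find_unroutable_nameservers(SAMPLE_ZONE, "example.com").items():
        print(f"{host} advertises non-routable address(es): {', '.join(addrs)}")
```

Run against a zone exported from the real server, an empty result means the inside addresses are no longer visible in the apex glue, which is the condition the checker was enforcing.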