justin0104 (United States of America) asked:
External dns server recommendations.

I would like to set up an external DNS server and need some pointers. Right now we are using a domain hosting service and registering DNS names with them as needed. I would like to install a DNS server to use for that purpose, but I am having some problems with where I should put the server in our network. I know that it would require an external IP address associated with it; does that mean that we still have to have our domain registered on the web pointing to the DNS server's public IP address? Could our Exchange MX record then be held in my DNS instead of on the web? I just need some clarification in terms of these questions and other best practices with DNS.

jessmca:

I take it you are not using Active Directory.
If you do not need internal DNS then I would recommend keeping the DNS externally hosted. Public DNS would use up bandwidth needlessly.

Best solution would be split DNS.
Install DNS on a server on your network and configure your internal gateway router's IP as the DNS forwarder address.
Now you can add the domains you want to your internal DNS. Make sure DHCP is configured to allocate your internal DNS server and not the gateway router. Firewall rules to block LAN addresses from all port 53 (DNS) except the internal DNS would be helpful.

Any computer on the internal LAN will resolve to the DNS mappings internally, while the internet will use the public addresses without going near your network.

That would be the way I would do it.

justin0104 (ASKER):

We are using DNS within our LAN and we do have Active Directory set up. Our internal DNS is not a problem; we are just trying to move away from an externally hosted DNS server and create our own. I hear people all the time saying how easy it is to host your own external DNS server, but there are still things to consider. Like, does the public DNS server go into the DMZ, and is there a static NAT translation rule to give the DNS server a public IP address? Or would it be best to install the DNS server outside of the firewall? Also, I'm guessing that there still has to be a public DNS record set up through the Internet to point all requests for our domain to the public DNS server that I created? And the entries in my public DNS would use either a public IP to resolve resources or a private IP to resolve my internal LAN resources?

In that case, yes, definitely put the DNS on a hardened server not a member of your domain in a DMZ. Open port 53 to the internet and only allow port 53 to your LAN from the DMZ.

Make sure there is public access to the DNS server port 53 and change the DNS servers on your registrar to point to your DNS public IP.

The only benefit I can see is that you will be able to propagate changes immediately across the Internet, except where ISPs have configured to cache and don't check again.

Your public DNS server should never resolve to an internal IP address. Make sure it doesn't. There would be no difference to your internal setup except you would change the forwarding IP address to your public DNS server. There is no benefit to doing this I can see though; you would add security risk and waste bandwidth for little benefit. If you have a data centre with lots of public servers and need changes to propagate quickly, fair enough.

Why do you want to do this?

Ok so that is pretty much what I thought. So just to be clear, I will place the DNS server that I want to use for outside queries in the DMZ. I will give that DMZ a private IP address but do a static translation to a public IP and point our registrar at the public IP I statically translated for the DNS server I have sitting in the DMZ. Now the entries in the DNS, will they point to a public IP or to the private IP of the web servers that are trying to be resolved?

I have to chime in and say that although it's possible to do this, the security risk is gigantic. You are publishing a name server on the public internet so everybody knows how to get to you and attack.

I suggest setting up a DNS caching server; this is your best option with the lowest risk, and it can be accomplished with Windows Server. This caching server contacts multiple DNS servers, including your ISP's as well as public servers like Google's 8.8.8.8, and caches the entries on this machine, making for quicker internet name lookups as well as offering redundancy should your ISP's DNS server go down.

Alright, but what about a solution for people looking for servers that we publish? My main goal is to move away from using an external registrar for all of our DNS resolutions. I want to bring that service in house but need some suggestions on how to best go about this. I have a Cisco ASA 5520 for a firewall and a Cisco 2951 sitting on the Internet edge with a switch in between the two. I need to know how I would accomplish this step by step.

You mean like godaddy.com? If so, that would be illegal.

Huh? I know that I need an external registrar that points to our domain, which would be like GoDaddy. What I don't want to do is use GoDaddy for every web server we have. I want to use our own DNS server. I need to know what the best method is for doing this with the equipment that I have.

Ok, sorry... I thought the question was a bit unusual. I was thinking you wanted to host your own top-level name server...

So just to be clear, you are talking about a name server, correct?  The entries would look like this:

NS1.YOURDOMAIN.COM
NS2.YOURDOMAIN.COM
NS3.YOURDOMAIN.COM

Is this what you are talking about, a name server? That's what the NS stands for.

That is correct, that is what I am trying to do. Right now we are doing this through an external DNS service (i.e. GoDaddy, etc.). How can I do this the best using the hardware I have at my disposal?

Yes, you can do this, but before you do, it's important to remember that sites like GoDaddy have hundreds if not thousands of name servers for redundancy spread out geographically to avoid any single point of failure. So, if you have your name server and web server on the same network and it goes down, the outside world will not be able to view your company's website.

That aside, here is a great article that I think is pretty straight forward, make sure to note all the security tasks.

http://faq.programmerworld.net/networking/how-to-setup-your-own-dns.html
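Two points raised in the thread lend themselves to an automated pre-publication check: the public zone must never answer with an internal address, and a single in-zone name server is a single point of failure. The script below is an added example, not code from the thread or the linked article; its zone text is constructed and its simplified one-record-per-line format is an assumption, as is using 203.0.113.0/24 as the stand-in public range behind the firewall's static NAT.

```python
"""Audit an external zone before a DMZ name server publishes it (added example,
not from the thread). Flags A/AAAA records that answer with an internal
address and an NS set with no redundancy. Input is a constructed,
simplified zone: 'name type rdata' per line, ';' starts a comment."""
import ipaddress

# RFC 1918 and other non-routable ranges that must never appear in a public zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]

# Constructed sample zone; 203.0.113.0/24 (documentation space) stands in for the public /24.
SAMPLE_ZONE = """
@         NS   ns1.yourdomain.com.
@         NS   ns2.yourdomain.com.
@         MX   10 mail.yourdomain.com.
ns1       A    203.0.113.10
ns2       A    203.0.113.11
mail      A    203.0.113.20
www       A    192.168.10.25   ; leaked private address
intranet  A    10.0.0.5
"""

def parse_zone(text):
    """Return (name, type, rdata) tuples; strips ';' comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            name, rtype, rdata = line.split(None, 2)
            records.append((name, rtype.upper(), rdata.strip()))
    return records

def internal_address_records(records):
    """Names of A/AAAA records whose address falls in an internal range."""
    leaks = []
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in INTERNAL_NETS):
                leaks.append(name)
    return leaks

def ns_redundancy(records):
    """(number of in-zone NS hosts, number of distinct /24s their A records sit in)."""
    ns_hosts = {rdata.split(".")[0] for _, rtype, rdata in records if rtype == "NS"}
    nets = {ipaddress.ip_network(rdata + "/24", strict=False)
            for name, rtype, rdata in records if rtype == "A" and name in ns_hosts}
    return len(ns_hosts), len(nets)
```

Running `internal_address_records(parse_zone(SAMPLE_ZONE))` returns `['www', 'intranet']`, the two records that would expose LAN addresses, and `ns_redundancy` returns `(2, 1)`: two name servers, but both in the same /24 behind the same firewall.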

Asker certified solution: jessmca