I am in the process of changing the current DNS strategy at work. We currently use AD-integrated DNS. The integrated DNS servers all use configured forwarders, which are a couple of Linux virtual servers that, despite having external-facing IP addresses, are currently VMs sitting inside a production VMware stack, so hopefully it will be obvious to you why the change is being recommended.
Clients are issued 2 Active Directory DNS servers via DHCP scopes. All AD DNS servers currently point to the virtual forwarders, which are being discontinued.
A couple of little points I want to engage you experts on.
1. We do not have the budget to pay an external ISP for DNS queries, so I have 2 choices. I am installing 2 Server Core 2008 R2 servers into the DMZ, but I can't decide whether to allow the servers to use root hints (if I do, I don't need to configure any zones, is that right?) or configure them to use Google 220.127.116.11 and 18.104.22.168. It just doesn't seem right to be using Google. Do lots of companies use Google? I have not come across a company before that does not have its own ISP. Also, I hear that the root hints are subject to change, so I'm wondering whether using them will cause me more issues down the line.
I have one last question. I want to allow TCP 53 from the 2 servers through the firewall to my internal AD DNS servers. I'm doing this because I'm reading more and more that it's required with IPv6 and DNSSEC, and also that if a host can't be resolved using UDP 53 it will then try TCP 53. Here is my question: if I'm not setting up any zones on the external DNS servers, I don't need to worry about limiting zone transfers between hosts? I guess I'm asking the same question as above, in that am I right that I don't need any zones if all the servers are doing is resolving DNS queries to external resources?
If you are still reading this then many thanks :)
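Editor's added example, not from the original post or from any product it mentions: the TCP 53 question above hinges on what actually triggers the fallback from UDP to TCP. A resolver does not switch to TCP because a name failed to resolve (that comes back over UDP as an NXDOMAIN answer); it switches when the UDP reply arrives with the TC (truncated) bit set, which is what large DNSSEC-signed or AAAA-heavy answers produce. The script below builds a query on the wire, decides from a reply's header whether a TCP retry is needed, applies the 2-byte length framing that DNS over TCP uses, and checks whether a message is an AXFR (zone transfer) request, which is the only TCP traffic a firewall rule would want to single out. All messages are constructed in-process so it runs offline; `example.com`, the transaction ID and the reply builder are illustrative assumptions.

```python
"""
Added example (not from the original post): minimal DNS wire-format helpers
showing when a resolver falls back from UDP 53 to TCP 53 and how TCP
messages are framed. Every message here is constructed locally.
"""
import struct

QTYPE = {"A": 1, "AAAA": 28, "AXFR": 252}  # the few record types this example needs


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query (RD=1), class IN, for name/qtype."""
    flags = 0x0100  # QR=0 (query), opcode 0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,   # 1 = response
        "tc": (flags >> 9) & 1,    # 1 = truncated, retry over TCP
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,      # 0 NOERROR, 3 NXDOMAIN, ...
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(query: bytes, udp_response: bytes) -> bool:
    """True only when the UDP reply is a truncated answer to *this* query."""
    q = parse_header(query)
    r = parse_header(udp_response)
    if r["id"] != q["id"] or r["qr"] != 1:
        return False  # not a reply to our query; a resolver drops it
    return r["tc"] == 1  # NXDOMAIN, SERVFAIL etc. do NOT trigger TCP


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035): 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> bytes:
    """Read exactly one length-prefixed message back out of a TCP stream."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("short read on TCP DNS stream")
    return body


def question_qtype(msg: bytes) -> int:
    """QTYPE of the first question; assumes an uncompressed QNAME, as in queries."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1  # skip one label: length byte plus its characters
    i += 1  # skip the terminating root label
    return struct.unpack("!H", msg[i:i + 2])[0]


def is_zone_transfer(msg: bytes) -> bool:
    """AXFR requests are the TCP traffic a firewall or server ACL should single out."""
    return question_qtype(msg) == QTYPE["AXFR"]


def make_response(query: bytes, tc: bool, rcode: int = 0) -> bytes:
    """Constructed reply for the example: echoes the question, sets QR/RA and optional TC."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0) | (rcode & 0xF)  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:]


if __name__ == "__main__":
    q = build_query("example.com", "AAAA")
    print("retry over TCP on NXDOMAIN:", needs_tcp_retry(q, make_response(q, tc=False, rcode=3)))  # False
    print("retry over TCP on TC=1:    ", needs_tcp_retry(q, make_response(q, tc=True)))             # True
    print("AXFR request?              ", is_zone_transfer(build_query("example.com", "AXFR")))       # True
    assert unframe_from_tcp(frame_for_tcp(q)) == q
```

The practical reading for the firewall rule: allow TCP 53 both ways between the DMZ resolvers and the internal AD DNS servers, because any large answer can come back truncated; a server that hosts no zones has nothing to transfer, but the AXFR check above is what you would apply (or what the server's own zone ACL applies) if zones are ever added later.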