Implement a public/private domain within a DMZ

Hello buddies, I am implementing a public/private domain over a network. In the past the structure was similar, but I think I didn't implement the DNS server correctly (the DNS, web server and mail server were in the DMZ and on the same machine). I configured the DMZ DNS to resolve outside queries, and inside queries (internal users) are resolved via an internal DNS that points to the DMZ server. The public IP and public domain were published on the DMZ DNS server, in both the forward zone and the reverse zone. I am not sure if this is correct or not; I think it is not, and now I have to add more servers and don't know how to configure the DNS correctly. Can someone help me? (Please try to help as if I were a novice.) Thanks in advance.
Eduardo Guerra asked:

Chris (Senior Technical Architect) commented:
Can you explain a bit more about what you mean?

Do you mean a domain with a public name space, i.e. , and you have public and private resources that will use the domain for their FQDN, i.e. and ?
Eduardo Guerra (Author) commented:
I mean the following:

Yes, I have a domain like . Internal users should access email, www and FTP that are on the DMZ. Internal users have Active Directory with .local. Outside users should access only public resources like www and FTP, and also be able to send mail to internal users.
Chris (Senior Technical Architect) commented:
Do you have a separate AD domain for the DMZ and the internal network, or are they all on one domain?

For internal users to access those resources in the DMZ, do you want them to go via the internal network and not out to the internet and come back in via the public path?
Eduardo Guerra (Author) commented:
Well, both are separate domains. My problem is not the internal network; it works as we want. My problem is the DMZ.
Chris (Senior Technical Architect) commented:
OK, so the DMZ is running in its own AD, and it's using the public-facing DNS zone?

If you need it to resolve internal DNS queries, then add a conditional forwarder for domain.internal which points at the internal DNS servers.
All the DMZ servers point at the DMZ DNS servers, and they deal with the query as needed.
Eduardo Guerra (Author) commented:
Please help with the DMZ DNS configuration. I am not sure where to place the public IP and where to place the private IPs for the servers. I mean, should I use the private DMZ IPs in the forward zone or in the reverse zone? Remember, I am a novice at this.
Chris (Senior Technical Architect) commented:
Are you hosting your own public DNS?
If so, then I would expect specific and separate DNS servers responding to public queries from the internet.

Do you have a firewall or something in front of those servers which presents the public IPs and NATs (network address translation) them to a private IP?

I would expect a public range on the firewall as the public address.
The firewall directs any traffic coming in for Server 1 in the DMZ to Server 1's IP address.

That way the forward and the reverse lookup zones have the private DMZ IP addresses in them.
Eduardo Guerra (Author) commented:
I have a Cisco ASA 5510 as the firewall; yes, HTTP, HTTPS and SMTP traffic is directed from outside to the DMZ. Of course, the firewall has a public IP, and yes, we host our own domain. The DMZ subnet is 172.16.x.x.
Chris (Senior Technical Architect) commented:
So do you have public DNS records and private DNS records (DMZ internal range) in the same DNS zone?

Ideally you would have public DNS servers which host all the external records, and then the domain controllers which host the DNS zone with the internal records, so you don't have them mixed up.
Eduardo Guerra (Author) commented:
Actually, the only server in the DMZ has public IPs published (remember, today the same server is the DNS server), and of course everything works. I don't know what to do when there are more servers in the DMZ (and now I need to separate the services). I need to have 1 server for DNS (I think that is correct), 1 server for antispam, 1 for mail and 1 for web and FTP. How do I "redirect" queries to those servers that will be on the DMZ?
Eduardo Guerra (Author) commented:
How and which records should I add, how many, and which zones should I add? That is my real question.
Chris (Senior Technical Architect) commented:
When you say DNS server, do you mean serving public DNS queries?
Or do you mean serving internal DMZ DNS queries?

Hopefully this example/explanation makes sense to you and my assumptions are correct.
Assumptions:
You are hosting your own external DNS zone, i.e. from the internet someone goes to and your server will answer.
Within the DMZ you are running an Active Directory domain; this domain controller will answer queries for the internal servers.

The DNS server answering the external DNS queries should not be used for internal DNS queries; that way it only has public addresses.
The DNS server supporting the internal DNS queries should not be used for external DNS queries; that way it only has private addresses.

You can have both forward and reverse lookup zones on both servers

Eduardo Guerra (Author) commented:
Hmm, this is the full scenario:

A firewall has 3 interfaces (Outside, DMZ and Inside). The inside network has its own AD structure with its own DNS (the domain extension is .local). The DMZ has its own AD structure (now just 1 server for everything) and its own DNS server (the same machine), and the domain extension is .external. On the DMZ DNS server (that machine too) the public domain is configured (SOA, NS, A records, etc.), with forward and reverse zones for the public domain. Inside network queries are resolved by the inside DNS, which redirects traffic to the DMZ (I think I should not have any trouble if there are 1 or 50 servers from the inside view). Internal users should access the corporate email server, website and FTP with no problem (on the inside DNS server a forward and reverse zone for the public domain is configured, which redirects to the DMZ).

With one computer on the DMZ everything works fine, but now we have to add more servers for security reasons. Which zones and records should I configure, if there will be more than 1 server, to redirect the traffic correctly to the right server?

Subnet segments are: (Inside), (DMZ) and x.x.x.x (Public IPs)
Chris (Senior Technical Architect) commented:
OK, so you have one forward lookup zone which resolves the public domain name, and another forward lookup zone which resolves the .external domain.

The public zone should only have the records for anything publicly accessible, i.e. ,
The .external zone would have server1.domain.external and an A record for the address.
You would then have at least 2 reverse lookup zones, one covering and then additional ones for whatever public IP ranges.

I would say you don't really need the forward zones on the internal server, just conditional forwarders to point to the right place, or, if you want to use the same FQDN, then pinpoint zones to resolve to the address.
Eduardo Guerra (Author) commented:
When you say "The public zone should only have the records for anything publicly accessible, i.e. ,", I think you mean I have to add records with public IP addresses, right?

But how does the DMZ DNS know where to redirect, for example, web queries to the right server in the DMZ? (e.g. I am a user in the US and want to access the website and type . I assume that DNS will reply: Hello, we are . But how does it know it must redirect that query to the web server?)

Where in the DMZ DNS will I say that the web server is and the mail server is 31.4 and FTP is .5? Where will the link between the public zone and the external zone be?
Chris (Senior Technical Architect) commented:
Yes, the public zone with public DNS.

External queries for would hit your DNS server and the public zone, and return the public IP address.
That would hit your firewall and then be forwarded on to the internal server address, i.e. .

There should be no need for a link between the public zone and the external zone; your internal servers shouldn't resolve to the external address, as that would force the traffic out of the firewall and back in, which would fail.
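The arrangement Chris describes (a public zone holding only public addresses, a separate .external zone holding the DMZ's 172.16.x.x addresses, static NAT on the firewall as the only link between the two, and pinpoint zones or conditional forwarders so inside users never hairpin through the firewall) can be modelled and sanity-checked in a few lines. The following is an added example, not code from the thread or from any of its participants. The host names (example.com, corp.external), the public range 203.0.113.0/24 (RFC 5737 documentation space), the specific 172.16.31.x addresses and the NAT entries are assumptions; only the 172.16.x.x DMZ range comes from the discussion.

```python
"""Split-horizon DNS model for a DMZ behind a NAT firewall.

Added example, not from the original thread. Host names, the public range
203.0.113.0/24 (RFC 5737 documentation space), the 172.16.31.x addresses
and the NAT entries are assumptions; only the 172.16.x.x DMZ range comes
from the discussion.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed public zone, served by the internet-facing DNS server.
# It must contain public addresses only.
PUBLIC_ZONE = {
    "www.example.com.":  ("A",  "203.0.113.10"),
    "ftp.example.com.":  ("A",  "203.0.113.11"),
    "mail.example.com.": ("A",  "203.0.113.12"),
    "example.com.":      ("MX", "mail.example.com."),
}

# Constructed .external zone, served by the DMZ domain controller.
# Private DMZ addresses only.
EXTERNAL_ZONE = {
    "web1.corp.external.":  ("A", "172.16.31.3"),
    "mail1.corp.external.": ("A", "172.16.31.4"),
    "ftp1.corp.external.":  ("A", "172.16.31.5"),
}

# Constructed static NAT table on the firewall. This, not DNS, is the
# link between a public address and the DMZ host behind it.
NAT_TABLE = {
    "203.0.113.10": "172.16.31.3",
    "203.0.113.11": "172.16.31.5",
    "203.0.113.12": "172.16.31.4",
}

# Constructed pinpoint zones on the inside (.local) DNS: inside clients
# get the DMZ address directly instead of hairpinning through the firewall.
INTERNAL_PINPOINT = {
    "www.example.com.":  "172.16.31.3",
    "ftp.example.com.":  "172.16.31.5",
    "mail.example.com.": "172.16.31.4",
}


def is_rfc1918(ip):
    """True for RFC 1918 space (explicit check; ipaddress.is_private also
    flags the 203.0.113.0/24 documentation range, which we want to allow)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit_public_zone(zone=PUBLIC_ZONE, nat=NAT_TABLE):
    """List A records that leak private space into the public zone, or
    that point at a public address the firewall does not translate."""
    findings = []
    for name, (rtype, value) in zone.items():
        if rtype != "A":
            continue
        if is_rfc1918(value):
            findings.append(f"{name} leaks private address {value}")
        elif value not in nat:
            findings.append(f"{name} -> {value} has no static NAT on the firewall")
    return findings


def resolve(name, client_inside):
    """Split-horizon answer: inside clients get the pinpoint (DMZ) address,
    everyone else gets the public address from the public zone."""
    if client_inside and name in INTERNAL_PINPOINT:
        return INTERNAL_PINPOINT[name]
    rec = PUBLIC_ZONE.get(name)
    return rec[1] if rec and rec[0] == "A" else None


def dmz_host_for(name):
    """Follow a public name through DNS and NAT to the .external host
    that actually receives the traffic."""
    private_ip = NAT_TABLE.get(resolve(name, client_inside=False))
    for host, (rtype, value) in EXTERNAL_ZONE.items():
        if rtype == "A" and value == private_ip:
            return host
    return None


def reverse_zone(cidr):
    """Name of the in-addr.arpa zone covering an octet-aligned prefix:
    one for the DMZ range on the DMZ DNS, one per public block on the
    public DNS."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen % 8:
        raise ValueError("only octet-aligned reverse zones are shown here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


if __name__ == "__main__":
    print("public zone findings:", audit_public_zone())
    print("inside client  ->", resolve("www.example.com.", client_inside=True))
    print("outside client ->", resolve("www.example.com.", client_inside=False))
    print("ftp traffic lands on", dmz_host_for("ftp.example.com."))
    print(reverse_zone("172.16.0.0/16"), reverse_zone("203.0.113.0/24"))
```

The audit is the check worth keeping around: adding a record such as `intranet.example.com. A 172.16.31.9` to the public zone is reported as a leak of the DMZ addressing to the internet, and a public A record with no matching static NAT is reported as unreachable, which is the "public and private records mixed in one zone" situation Chris warns about. `dmz_host_for` shows that the question "how does DNS know which DMZ server to send web queries to" is answered by the firewall's NAT table, not by anything in the public zone.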
Eduardo Guerra (Author) commented:
Is there any way to contact you via email? I have some issues about this topic. There are some details I cannot post on a public site.
Chris (Senior Technical Architect) commented:
Suitable suggestion based on the provided information.