#1
Need some serious DNS help
The school that I work for has recently changed ISPs, so we had to get new IP addresses... We also tore out the old network hardware (SonicWall and Netgear stuff) and replaced it with all new (Cisco firewall, switches and phones). I have internal private IP addresses for my 4 servers... 2 of them are given public addresses by the firewall. I need help setting up my DNS server on one of the 2 servers that can be reached from the public IP addresses. The DNS needs to be able to tell both internal machines and external machines how to get to computers on my network. I can ping all the servers either internally or externally and can use their IP addresses to load the pages they are supposed to. But I cannot use any of the names; I keep getting unknown host errors... please help me!
Grateful network admin, 1st year on the job.
#2
Being a school, what is your current infrastructure... a Windows Domain or Open Directory (Mac)? Either way, I would seriously keep your internal DNS completely separate from your public DNS and NAT your external IP(s) to internal IPs hosting the needed services.
If you're hosting a web site (or web mail) on a server inside your network, set up your DNS records with your registrar and let them handle the external DNS requests, and NAT your external IP(s) to the LAN IP address of the servers hosting publicly accessible resources (webmail, web server, email server... etc.). For your internal users, set up your internal DNS for your internal users and resources ONLY and forward internet requests. [EDIT] For most Windows Domain infrastructures, I normally create their local domain as something like 'mydomain.local'. If I want internal users to access resources by a public domain name, say 'mydomain.com', I then simply add a new forward lookup zone in Windows DNS and add host records pointing to LAN IP addresses on the network. This keeps a separation of public and private domain resources (for internal users), and in 10+ years administering network infrastructures, I have never had to host my own DNS server for external requests...
__________________
PWD, MCSA, MCP, Security+. NEW Windows Administration Forum Admin. Could REALLY, REALLY, REALLY use you and your issues! Last edited by PWD : April 13th, 2008 at 03:23 PM.
#3
You should also place those publicly facing servers in a DMZ. There should be a firewall between them and your internal networks. You may think those servers are secure, but it's the breaches you don't know about yet that can hurt you the most, so add an extra layer of security by placing them in a DMZ.
__________________
It's not always a matter of what you can do with a language, but whether you should. [JwD]
#4
domain and dmz/firewall
So our main server, which is a Mac OS X 10.4.11 (BIND 9.3.2) box, hosts our mail, one of our two websites, and used to handle all of our DNS. All our computers, including servers, are on private IPs. The public servers are on one DMZ, the private servers on another; also the users, phones and another special group of computers are all on their own separate DMZ, all controlled by the firewall.
So, are you saying I should have one of my servers host private DNS for internal systems and, say, my web server host the public DNS for external systems? I have read that you can use a view statement in the DNS to let the computer get DNS based on IP groups, which can be predetermined; is this not a good practice? (I am not too sure the other systems are capable of handling the load or even have DNS abilities. The servers are a hodgepodge of computers, two actually running server OSes and the others not; one is a laptop... sad :-( ...)
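The split approach recommended in the reply above (an internal-only zone for mydomain.com holding LAN addresses, everything else forwarded to the ISP, the public zone left to the registrar), written out in the BIND 9 syntax the main server runs. This is an added worked example, not configuration from any post in this thread. It does use a view, as asked about here, but only one, "internal": the registrar answers the Internet, so this server should refuse everything that is not a LAN client. The LAN range 10.0.0.0/24, the host addresses 10.0.0.10 and 10.0.0.11, the names ns1/mail/www, the ISP resolver addresses 203.0.113.1 and 203.0.113.2, and the file paths are assumptions for illustration; only mydomain.com and secondweb.mydomain.com come from the thread.

```conf
// ---- /etc/named.conf (added example; addresses and paths are assumptions) ----

// Who counts as "inside". Assumed LAN range; change to the real one.
acl "lan" { 10.0.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Only ever answer LAN clients. Outsiders get REFUSED, so nothing
    // about the LAN addressing leaks even if the firewall forwards port 53.
    allow-query     { lan; };
    allow-recursion { lan; };

    // Never hand out the zone wholesale.
    allow-transfer  { none; };

    // Bind only to the LAN-facing address, not the NATed public side.
    listen-on       { 10.0.0.10; 127.0.0.1; };

    // Anything this server is not authoritative for goes to the ISP's
    // resolvers (assumed addresses) instead of being resolved from the roots.
    forwarders      { 203.0.113.1; 203.0.113.2; };
    forward only;
};

view "internal" {
    match-clients { lan; };
    recursion yes;

    // Same names the registrar publishes, but with LAN addresses,
    // so www.mydomain.com resolves without hairpinning through the firewall.
    zone "mydomain.com" {
        type master;
        file "internal/mydomain.com.zone";
    };

    // Reverse zone so logs and 'host 10.0.0.10' give names.
    zone "0.0.10.in-addr.arpa" {
        type master;
        file "internal/0.0.10.zone";
    };
};

// ---- /var/named/internal/mydomain.com.zone ----
$TTL 3600
@       IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                 2008041301  ; serial, YYYYMMDDnn: bump on every edit
                 3600        ; refresh
                 900         ; retry
                 604800      ; expire
                 300 )       ; negative-cache TTL
        IN  NS   ns1.mydomain.com.
        IN  MX   10 mail.mydomain.com.
        IN  A    10.0.0.10        ; mydomain.com itself -> main server (LAN address)
ns1     IN  A    10.0.0.10        ; this DNS server
mail    IN  A    10.0.0.10        ; mail runs on the main server
www     IN  A    10.0.0.10        ; first web site, same host
secondweb IN A   10.0.0.11        ; second web site (assumed LAN address)

// ---- /var/named/internal/0.0.10.zone ----
$TTL 3600
@       IN  SOA  ns1.mydomain.com. hostmaster.mydomain.com. (
                 2008041301 3600 900 604800 300 )
        IN  NS   ns1.mydomain.com.
10      IN  PTR  mail.mydomain.com.
11      IN  PTR  secondweb.mydomain.com.
```

Check the files with `named-checkconf /etc/named.conf` and `named-checkzone mydomain.com /var/named/internal/mydomain.com.zone` before reloading. Then test from a LAN machine with `dig @10.0.0.10 www.mydomain.com` (expect 10.0.0.10) and from an outside address (expect status REFUSED, not an answer). If the firewall currently forwards port 53 from a public address to this server, remove that rule: the registrar serves the public side, and an internal zone that answers the Internet with 10.x addresses is the classic split-DNS mistake. One caveat on mail: the MX above is fine for LAN clients, but the MX the registrar publishes must point at the public address the firewall NATs to that same host.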
#5
have not hosted your own DNS?
So I can have GoDaddy host it???? Just set up what I want the IP addresses to point to? xx.xx.xx.xxx = mydomain.com and xx.xx.xx.xxy = secondweb.mydomain.com. And then host my internal DNS on my main server and let it serve up DNS to the internal network? Last edited by nbredthauer : April 13th, 2008 at 04:50 PM. Reason: addition
#6
Here is a recent response I wrote to another member in setting up host records with GoDaddy's Total DNS...
GoDaddy Total DNS Control Panel
Yes, GoDaddy will host your public DNS. Unless you have the expertise, time and resources, let your domain name registrar host your public DNS for your web sites, web mail and email MX records. Keep your LAN DNS server for LAN clients and resources...
#7
DNS
So once I get GoDaddy hosting my DNS, I can then have my server host DNS for just my internal network, using my internal IPs to link to my domain names.
#8
Yes.
#9
Yup, that's how I do it. No publicly available servers anywhere on or near my private LAN. Once the hackers find a server on a new IP, they immediately go to work on it (averages just 12 minutes for them to find it). If you're diligent, they never get in, but why take the risk?
Just back up your public resources frequently in case they do fall prey so you can recover quickly. At least if they hack your hosted server, it's not your LAN they can sniff for additional resources. Relying on a single firewall device to maintain separation between segments is not wise. Such devices have been hacked in the past and will be in the future. In fact, the more complex the configuration you have on a firewall appliance, the more likely it is that you or the manufacturer have opened a hole inadvertently. Such configurations are OK to firewall the students from the staff and the staff from the administrative areas (where appropriate), but not sufficient for the edges of your network. A true DMZ is a segment between firewalls. I prefer to use different brands for inner and outer firewalls (so the same hack that gets them a foothold doesn't get them the rest of my network). In cases where I have to have VPNs, I have a VPN-capable router with its own IP separate from the router that carries all the other traffic in and out of "the cloud".