DNS behind firewall and HTTP server

That’s for the outside. You have to set up another zone for the inside, with the same domain names, but now the addresses are private addresses on the LAN.

I got it!
I will let you know if it's working!

That’s just the beginning, I didn’t want to scare you. :wink:

Obviously since the two zones contradict each other, you have to set up a separate DNS server for the inside, which inside machines use. The outside world will use the public DNS server.

The inside DNS server is set to do recursive queries (for zones that it is not authoritative for). The outside server is set to NOT do recursive queries, or it would be a security hole. It will only answer for your company’s externally visible domain names.

An alternative to 2 DNS servers is to use the views feature of BIND9. In this feature, BIND9 serves up different zones depending on the address of who is asking. If you use this feature, it will save you having to run 2 servers, but you are trusting that there are no bugs in BIND9 that could allow a client on the outside view to influence results on the inside view.

Here’s a pretty good article on split horizon DNS:

FGA: Providing “split horizon” DNS service.

Hmm… wait… do I need another box to set up another DNS server, or do I need to create new zones with internal IP addresses?

Either another box, or a box running 2 DNS servers, each one binding to different interfaces. Or with BIND9, two views. Obviously the external zone and the internal zone are in conflict so they must be served to different clients, depending on what the address of the client is.
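The single-box BIND9 setup the replies above describe (recursion on for the LAN, recursion off for the outside, two copies of the same zone selected by client address) looks like the following. This is an added example and not configuration posted in the thread; the domain example.com, the LAN range 10.0.0.0/8, the zone file names and the file paths are all placeholders chosen for illustration.

```conf
// Added illustration, not from the thread. Placeholders: example.com is the
// company domain, 10.0.0.0/8 is the LAN; file names and paths are assumed.

acl "internal" {
    10.0.0.0/8;      // LAN clients
    127.0.0.1;       // the server itself
};

options {
    directory "/var/named";
    allow-transfer { none; };   // no zone transfers to arbitrary clients
};

// Views are matched in order: the first view whose match-clients matches the
// querying address wins, so the internal view must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;                      // inside hosts may resolve anything
    allow-recursion { internal; };      // ...but only inside hosts may

    zone "." {
        type hint;                      // root hints needed for recursion
        file "named.ca";
    };

    zone "example.com" {
        type master;
        file "db.example.com.internal"; // A records point at 10.x.x.x addresses
    };
};

view "external" {
    match-clients { any; };             // everyone not matched above
    recursion no;                       // authoritative answers only: not an open resolver
    allow-query-cache { none; };        // do not leak cached data to outsiders

    zone "example.com" {
        type master;
        file "db.example.com.external"; // A records point at public addresses
    };
};
```

The two zone files are copies of each other apart from the address records: the internal one maps www.example.com to its 10.x.x.x address, the external one to the public address the firewall forwards. Once BIND9 is told to use views, every zone must live inside a view (a bare zone outside any view is a configuration error), which is why the root hints zone sits inside the internal view. Run `named-checkconf` on the file and `named-checkzone example.com db.example.com.internal` on each zone file before reloading; then confirm the split from both sides with `dig @<server> www.example.com` from a LAN host and from an outside host, and confirm that `dig @<server> www.google.com` from outside is refused rather than answered, which is the check that the external view is not a recursive resolver.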