I set up our DNS servers inside a DMZ in May of 2004. These are authoritative for our zones. During this time I have experienced no problems whatsoever with NAT or the ACLs. I use SSH to manage the DNS servers from my desktop, as the servers are headless. We have some servers in the internal network that use the authoritative DNS servers as their primary and secondary DNS servers. I have added 2 more DMZs over the past year. The servers or hosts in these DMZs use a non-authoritative slave DNS server as their primary, and the secondary is the authoritative slave DNS server in the first DMZ. This was done to minimize the traffic to the main DNS servers, whose main purpose is to answer queries about hosts within our zones.
You can set up static translations and an ACL for the internal hosts to access the DNS servers as well. This would be done similarly to the way explained in the other post.
Just be sure to only allow zone transfers to specific hosts (slaves), otherwise you may be in for a rude awakening.
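As an added configuration example (not from the poster), this is how the "only allow zone transfers to specific hosts" advice above maps onto BIND 9's named.conf, with the weak setting next to the restricted one; the zone name, ACL name and every address are assumed placeholders, and the master and slave fragments belong in two different servers' config files.

```conf
// --- Weak: no allow-transfer statement. Older BIND 9 releases then default to
//     answering AXFR from any host, which hands the whole zone to anyone who asks.
// zone "example.com" IN {
//     type master;
//     file "db.example.com";
// };

// --- Restricted master in the first DMZ (assumed placeholders: 192.0.2.10 is the
//     master, 192.0.2.11 the authoritative slave in the same DMZ, 198.51.100.11 and
//     203.0.113.11 the slaves in the two newer DMZs).
acl "xfer-slaves" { 192.0.2.11; 198.51.100.11; 203.0.113.11; };

options {
    // Server-wide default: refuse AXFR/IXFR unless a zone explicitly overrides it.
    allow-transfer { none; };
    // Authoritative-only server: do not recurse for anyone.
    recursion no;
};

zone "example.com" IN {
    type master;
    file "db.example.com";
    // Only the listed slaves may pull the zone.
    allow-transfer { "xfer-slaves"; };
    // Push NOTIFY to the slaves so they refresh promptly after an edit.
    also-notify { 192.0.2.11; 198.51.100.11; 203.0.113.11; };
};

// --- Slave in a newer DMZ: pulls the zone from the master and never re-serves
//     transfers itself, so a compromised DMZ host cannot enumerate the zone from it.
zone "example.com" IN {
    type slave;
    file "slaves/db.example.com";
    masters { 192.0.2.10; };
    allow-transfer { none; };
};
```

To verify, run `dig @192.0.2.10 example.com AXFR` from a host that is not in the ACL: dig should report "Transfer failed." and the master's log should show a "zone transfer 'example.com/AXFR/IN' denied" line for that client, while the same query from a listed slave returns the full zone.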