Currently we have the following setup. We have two domain controllers which also serve as DNS servers, used as resolvers by local clients. We also have external authoritative DNS servers for the exact same DNS zone, just for servicing the outside world. This leads to a situation where the same record has to be entered twice, on both server groups.
One obvious resolution is to use only the internal servers and eliminate the external server group. We use NAT and all internal servers have addresses from private ranges, e.g. 192.168.1.0. Requests from the outside world are forwarded to whatever machine is needed.
The question is: how do we avoid leaking internal addresses (that will resolve to 192.168...) if the internal DNS servers start serving external requests?
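Added example, not part of the question above: a small check a defender can run over the zone data before an internal server starts answering external queries. It parses a BIND-style master file fragment and flags every A record whose address falls in RFC 1918 space (the 192.168.x.x records the question is worried about). The zone content, host names and addresses are constructed for the example; the parser handles the common owner/TTL/class/type/rdata layout and skips directives and other record types.

```python
import ipaddress

# RFC 1918 private ranges; anything in these must never appear in
# zone data that is served to the outside world.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample zone (hypothetical names and addresses) mixing
# public records with internal records that sit behind NAT.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
@        IN NS    ns1.example.com.
ns1      IN A     203.0.113.10
www      IN A     203.0.113.20
mail     IN A     192.168.1.25   ; internal mail server behind NAT
dc1      IN A     192.168.1.10
intranet IN CNAME dc1.example.com.
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr is a valid IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.version == 4 and any(ip in net for net in RFC1918)


def find_private_a_records(zone_text: str) -> list[tuple[str, str]]:
    """Return (owner, address) pairs for A records pointing at RFC 1918 space.

    Understands the usual master-file layout: optional owner name, optional
    TTL, optional class, record type, rdata, optional ';' comment. Directive
    lines ($ORIGIN, $TTL) and non-A records are skipped. A line that begins
    with whitespace inherits the owner of the previous record.
    """
    leaks = []
    last_owner = "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop trailing comment
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():
            # Owner name present; remember it for continuation lines.
            last_owner = fields[0]
            fields = fields[1:]
        # Strip optional TTL and class tokens ahead of the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == "A" and is_rfc1918(fields[1]):
            leaks.append((last_owner, fields[1]))
    return leaks


if __name__ == "__main__":
    for owner, addr in find_private_a_records(SAMPLE_ZONE):
        print(f"private address exposed: {owner} -> {addr}")
```

Running the check against the real zone file (or a `dig AXFR` dump from the externally reachable server) before and after any change to which servers answer outside queries gives a quick, repeatable way to confirm that no 192.168.x.x answers are reachable from the internet.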