DNS setup for a one-machine DMZ

John Lacey johnl at vizdom.com
Thu Oct 7 22:14:28 UTC 1999


I probably just stew about such things too much, but I am having
trouble deciding how to configure a one-machine DMZ. That machine
will run pretty much all the usual suspects: www, ftp, mail
gateway, primary external DNS. That leads to up to five names for
the one machine: www, ftp, mail, ns, and vizdom.com.

I'm planning on splitting the DNS between the internal and
external network. The DMZ machine's names will be the only things
in the external DNS.

1. The www, ftp, and vizdom.com names are justified by being
well-known names that people use and remember. Having ns gives me
something reasonably stable to register with InterNIC. Is there a
good reason, or indeed any reason, to have a separate name for
the mail gateway, or should I just point the MX record at one of
the other names?

2. Presumably ns goes in the SOA record?

3. Which name should the PTR record point at?

4. Should I use A or CNAME for the aliases? (I know I need to
have A records for the SOA and MX hosts, but what about www, ftp,
and particularly vizdom.com?)

5. Is there anything special about listing the domain itself
(vizdom.com) in the DNS? Some sites do this, and others don't.
I'm doing it for the reason I suppose most people do these days,
so that people can get to our web site if they leave off the www.

6. I don't have the actual machine name listed anywhere in the
external DNS. Are there any problems with this?

7. I have seen split DNS configurations where the firewall host
runs a secondary DNS but I'm just using a router between the
internal and external networks. I can't think of a way to
configure the DNS so that the DMZ machine can see both the
internal and external DNS. I'm not sure it needs to see the
internal DNS at all, however. The only reason I can think of is
for the mail gateway, which I should be able to configure using
IP addresses.

Any tips or opinions are much appreciated.

John L
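An added example, not from this post or the bind-users list, that encodes two zone rules relevant to questions 2, 4 and 5: a name that is a CNAME may hold no other records (RFC 1034 s3.6.2, RFC 2181 s10.1), so the apex, which always carries SOA and NS, cannot be a CNAME, and NS, MX and SOA MNAME targets must be A records rather than CNAMEs (RFC 2181 s10.3). It checks a constructed zone that breaks these rules beside one that does not; the names and 192.0.2.x addresses are assumptions, not vizdom.com's real data.

```python
# Added example: checks two RFC rules behind a one-host zone layout. Names and
# 192.0.2.x (TEST-NET-1) addresses are constructed, not vizdom.com's real data.
ZONE = "vizdom.com."

def fqdn(name):
    """Expand a relative name against the zone origin ('@' is the apex)."""
    return ZONE if name == "@" else name if name.endswith(".") else f"{name}.{ZONE}"

def check_zone(records):
    """records: (owner, type, rdata) tuples. Returns the problems found.
    RFC 1034 s3.6.2 / RFC 2181 s10: a CNAME owner may hold no other type (so the
    apex, which always holds SOA and NS, cannot be a CNAME), and NS, MX and SOA
    MNAME targets must be A records, never CNAMEs."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(fqdn(owner), {}).setdefault(rtype, []).append(rdata)
    problems = []
    for owner, rrs in by_owner.items():
        if "CNAME" in rrs and len(rrs) > 1:
            problems.append(f"{owner}: CNAME mixed with {sorted(t for t in rrs if t != 'CNAME')}")
        targets = [("NS", t) for t in rrs.get("NS", [])]
        targets += [("MX", t.split()[1]) for t in rrs.get("MX", [])]
        targets += [("SOA MNAME", t.split()[0]) for t in rrs.get("SOA", [])]
        for kind, target in targets:
            t = fqdn(target)
            if t != ZONE and not t.endswith("." + ZONE):
                continue  # target lives outside this zone: not checkable here
            if "CNAME" in by_owner.get(t, {}):
                problems.append(f"{owner}: {kind} target {t} is a CNAME")
            elif "A" not in by_owner.get(t, {}):
                problems.append(f"{owner}: {kind} target {t} has no A record")
    return problems

# Tempting but invalid: a CNAME at the apex, and an MX target that is a CNAME.
BAD_ZONE = [
    ("@", "SOA", "ns hostmaster 1999100701 3600 900 604800 3600"),
    ("@", "NS", "ns"), ("@", "MX", "10 mail"), ("@", "CNAME", "www"),
    ("ns", "A", "192.0.2.10"), ("www", "A", "192.0.2.10"),
    ("mail", "CNAME", "www"),
]
# Valid: apex, ns and the MX target are A records for the one host; a plain
# alias such as ftp may stay a CNAME because no NS/MX/SOA record points at it.
GOOD_ZONE = [
    ("@", "SOA", "ns hostmaster 1999100701 3600 900 604800 3600"),
    ("@", "NS", "ns"), ("@", "MX", "10 mail"), ("@", "A", "192.0.2.10"),
    ("ns", "A", "192.0.2.10"), ("mail", "A", "192.0.2.10"),
    ("www", "A", "192.0.2.10"), ("ftp", "CNAME", "www"),
]
```

Running `check_zone(BAD_ZONE)` reports the apex CNAME collision and the CNAME MX target; `check_zone(GOOD_ZONE)` returns an empty list.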
