DNS is a distributed database that translates between host names and IP addresses. It also carries other information about hosts, such as mail exchanger (MX) records that specify which hosts will accept mail for a domain. When a client needs information about another host, such as the IP address for mail.acme.net, it queries its local DNS server for that information. The local DNS server responds if it has the information. If it does not, it queries other DNS servers until it either finds the information or runs out of places to check. This forwarding of the query is transparent to the client, which connects only to the local DNS server.
If your system accepts mail directly from other hosts on the Internet, it should be listed in the DNS. An MX record in DNS routes all mail for your domain to the host that processes your incoming mail. Unless you plan to forward all outbound Internet mail to a relay host (a host outside your organization that has better e-mail connectivity), your server must be able to query DNS to deliver messages. You can configure your Microsoft Exchange Server computer to use DNS services from your Internet service provider (ISP), or you can use your own DNS servers. If you maintain your own DNS servers, they must be registered with your parent domain.
If you are using DNS and do not want DNS queries from the Internet to return information about computers on your internal network, configure DNS so that external hosts can query for information about your Internet servers but not about other hosts. To do this, you must set up a pair of DNS servers: an external DNS server, which you register with your parent domain and configure with address and MX records for your bastion hosts, and an internal DNS server that is used by clients on your network. Configure the internal DNS server to forward queries it cannot resolve to the external DNS server so that clients in your network can resolve Internet host names. Your bastion host should also use the internal server for DNS to resolve both internal and external names. Because the external DNS server does not have complete information for your internal network, and because access to your internal DNS server is not available from the Internet, you can hide most of your computers from external DNS queries by not creating records for them on the external DNS server.
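As an added example (not part of the original document, which does not name a DNS server product), here is the split-server arrangement above written in BIND syntax, assuming the domain acme.net from the earlier example, an external DNS server at 192.0.2.53, a bastion host mail.acme.net at 192.0.2.10, and an internal DNS server at 10.0.0.53 serving the 10.0.0.0/8 network; all names and addresses are assumed.

```dns
; ---- External server: zone file for acme.net (registered with the parent domain) ----
; Only the bastion host and the external name server appear here, so an Internet
; query for any other internal host name gets "no such name" rather than a record.
$TTL 86400
@       IN  SOA  ns1.acme.net. hostmaster.acme.net. (
                 2024010101  ; serial (assumed)
                 3600        ; refresh
                 900         ; retry
                 604800      ; expire
                 86400 )     ; negative-cache TTL
@       IN  NS   ns1.acme.net.
ns1     IN  A    192.0.2.53          ; external DNS server (assumed address)
@       IN  MX   10 mail.acme.net.   ; route the domain's mail to the bastion host
mail    IN  A    192.0.2.10          ; bastion host running the mail service (assumed)

// ---- External server: named.conf fragment ----
// Answers authoritatively for acme.net to anyone, but only recurses (resolves
// Internet names on behalf of a client) for the internal DNS server.
options {
    allow-query     { any; };
    allow-recursion { 10.0.0.53; };
};
zone "acme.net" {
    type master;
    file "acme.net.external.zone";
};

// ---- Internal server: named.conf fragment ----
// Holds the full internal zone (not shown) and forwards everything it cannot
// resolve to the external server. It listens only on the internal address and
// answers only internal clients, which includes the bastion host's inside interface.
options {
    listen-on       { 10.0.0.53; };
    allow-query     { 10.0.0.0/8; };
    forwarders      { 192.0.2.53; };
    forward only;   // never contact Internet name servers directly
};
zone "acme.net" {
    type master;
    file "acme.net.internal.zone";
};
```

A quick check that the split holds is to query the external server from outside for an internal host name and confirm it returns no record, while the same query against the internal server from inside is answered.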