We are in need of redoing our external DNS servers, and we're also in the process of moving to a new AD forest internally. Originally our internal domain was company.com, and we're working towards company.internal to fall in line with best practice. We're already going to have multiple subdomains of company.internal and considered the idea of public.company.internal to isolate the external DNS servers and also give us a separate domain for credentialing our customers that need access to public-facing systems. The zones then supported on these external DNS servers would be AD integrated; however, because they are part of the forest, I can then do lookups externally and resolve what should be internal-only zones such as company.internal, sub.company.internal, etc. Not that it's necessarily relevant to the question, but the publicly accessible servers would be RODCs. We have auditing tools in place for this forest, which is also part of the desire to keep them linked.

I've not found an elegant solution to restrict those lookups. Is that a possibility, or do I need to structure this entirely differently to avoid that?
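One way to restrict and then verify this, as an added example that is not part of the original post: Windows Server 2016+ DNS policies can make the public-facing servers drop queries for the internal zones unless the client comes from an internal subnet. The subnet ranges, the public server address 203.0.113.10 and the `Test-InternalZoneLeak` helper are assumptions; the zone names come from the question.

```powershell
# Added example (not from the original post). Assumes Windows Server 2016+ DNS
# Server role with DNS policy support, and that 10.0.0.0/8 and 192.168.0.0/16
# are placeholder internal ranges (substitute the real ones).
# Run on each public-facing DNS server: DNS policies are stored per server,
# not replicated through AD, so repeat this on every RODC/DNS host.

$InternalZones  = @('company.internal', 'sub.company.internal')  # must stay internal-only
$InternalRanges = @('10.0.0.0/8', '192.168.0.0/16')               # placeholder ranges

# 1. Define the client subnet that is allowed to see the internal zones.
Add-DnsServerClientSubnet -Name 'InternalClients' -IPv4Subnet $InternalRanges

# 2. For each internal zone, add a zone-level policy that drops queries from
#    anything outside that subnet. IGNORE sends no response at all; DENY would
#    return REFUSED, which still confirms to the asker that the zone exists.
foreach ($zone in $InternalZones) {
    Add-DnsServerQueryResolutionPolicy -Name "IgnoreExternal-$zone" `
        -Action IGNORE `
        -ClientSubnet 'NE,InternalClients' `
        -ZoneName $zone
}

# 3. Verify from an outside vantage point: an SOA query for each internal zone
#    against the public server should now fail (time out) rather than answer.
function Test-InternalZoneLeak {
    param(
        [string]$PublicDnsServer,   # public address of one of the RODCs
        [string[]]$Zones
    )
    foreach ($zone in $Zones) {
        try {
            $r = Resolve-DnsName -Name $zone -Type SOA -Server $PublicDnsServer -DnsOnly -ErrorAction Stop
            [pscustomobject]@{ Zone = $zone; Leaks = $true;  Detail = $r.PrimaryServer }
        } catch {
            [pscustomobject]@{ Zone = $zone; Leaks = $false; Detail = $_.Exception.Message }
        }
    }
}

# Placeholder public address; any row with Leaks = $true still needs attention.
Test-InternalZoneLeak -PublicDnsServer '203.0.113.10' -Zones $InternalZones | Format-Table -AutoSize
```

The policy only filters queries; the internal zone data still lives on the public-facing server, so if the requirement is that those hosts hold no internal records at all, host only the public zone there as a standard primary/secondary rather than AD-integrating it.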