If we want to protect the DNS that has a public IP address from external intruders coming through the Wan port, where should the DNS be connected to? What should be done with the public IP address of the DNS or other servers connected?

- Put your DNS server on the LAN or DMZ. The LAN or DMZ should be assigned a private IP address and you forward only port 53 from public IP to private IP on your DNS server. This will only expose port 53 on the Internet and this should provide maximum protection for your DNS server.

- Put all your servers on private IP addresses and then open the ports needed to forward from public IP to private IP.