In general this is called "split DNS". You create a system where the DNS records seen outside the company are different from the DNS records seen inside the company. In particular, outsiders see www.example.com and the other externally-visible hosts, and nothing else. Inside the company every machine has a DNS record, and those records are never visible from outside.
- Pick an internal domain.
Typically machines inside the company are on a subdomain of the company's domain. For example, if your company is example.com, all machines inside are MACHINENAME.corp.example.com. The cost of this is that you can never use "corp.example.com", or anything under it, as an external DNS name.
Warning: I once saw a company use "inside" instead of "corp". When marketing wanted to make an external website called "inside.example.com" (an "insider's guide" to using their product) it became a political nightmare.
Warning: I highly recommend an additional level of hierarchy. MACHINENAME.LOCATION.corp.example.com. "location" can be "hq" for the headquarters, "nyc" for the NYC sales office, etc. Most organizations use 3-letter codes, often the nearest airport code.
When I was at one company we had every machine be "MACHINENAME.corp.example.com" in the headquarters because we didn't think we'd ever have local offices. When we opened large offices elsewhere, they were "MACHINENAME.SITE.corp.example.com". Every tool we wrote had to "special case" the fact that HQ was different. Eventually we had to change HQ to be just like all the other sites. It was a painful transition. Yet I see companies make this mistake over and over again. Therefore, even if you have no plans for growth beyond one building, I still recommend MACHINENAME.LOCATION.corp.example.com.
- Configure "split DNS" or DNS "views" on your DNS servers.
BIND and other DNS servers can be configured to give different answers based on the source address of the DNS query, or on the interface (destination address) the query arrived on. In BIND these are "views": each view has its own list of zones, its own recursion setting and its own forwarders.
For example, if you have one DNS server with one NIC inside the company and one NIC outside the company, it serves:
Inside NIC:
- LOCATION.corp.example.com (one zone for each location)
- corp.example.com
- example.com
- All other domains are resolved through the DNS "forwarders" (recursion on, but only for inside clients)
Outside NIC:
- example.com (the SAME zone file the inside NIC uses)
- Recursion and forwarding disabled, so the outside NIC answers only for zones it is authoritative for.
You can also have 2 different machines, each with a different configuration.
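Here is what that two-NIC layout looks like as a BIND 9 named.conf. This is an added example, not configuration from the original post or from any real site: the addresses (10.0.0.53 for the inside NIC, 203.0.113.53 for the outside NIC, the forwarders, the secondary allowed to transfer), the "corp-nets" ACL name and the file paths are all assumptions.

```conf
// Added example (not from the original post). Addresses, ACL name and
// file paths are assumptions; replace them with your own.

acl "corp-nets" { 10.0.0.0/8; 127.0.0.0/8; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 10.0.0.53; 203.0.113.53; };  // loopback, inside NIC, outside NIC
    allow-query { any; };
    recursion no;               // safe default; only the inside view turns it on
};

// Views are tried in order. The first view whose match-clients AND
// match-destinations both match the query wins, so the privileged view
// goes first and the catch-all view goes last.
view "inside" {
    match-clients      { corp-nets; };                // must come from an inside address...
    match-destinations { 127.0.0.1; 10.0.0.53; };     // ...AND arrive on the inside NIC
    recursion yes;
    allow-recursion { corp-nets; };
    forwarders { 10.0.0.10; 10.0.0.11; };             // "all other domains use the forwarders"
    forward only;

    zone "hq.corp.example.com"  { type master; file "inside/hq.corp.example.com.zone"; };
    zone "nyc.corp.example.com" { type master; file "inside/nyc.corp.example.com.zone"; };
    zone "corp.example.com"     { type master; file "inside/corp.example.com.zone"; };
    zone "example.com"          { type master; file "example.com.zone"; };
};

view "outside" {
    match-clients      { any; };
    match-destinations { 203.0.113.53; };             // queries arriving on the outside NIC
    recursion no;                                     // never recurse for strangers
    allow-recursion { none; };
    allow-transfer { 203.0.113.54; };                 // your public secondary only (assumed)

    // Same zone file as the inside view. Keep internal hosts, and any NS
    // delegation of corp.example.com, OUT of this file: because this view
    // is authoritative for example.com and has no corp.example.com
    // records, it answers NXDOMAIN for them instead of leaking anything.
    zone "example.com"          { type master; file "example.com.zone"; };
};
```

Check it with `named-checkconf` before reloading. From an inside host, `dig @10.0.0.53 host.hq.corp.example.com` should return the internal record, while `dig @203.0.113.53 host.hq.corp.example.com` from anywhere should return NXDOMAIN, and a query for an unrelated name against the outside NIC should get no recursive answer (REFUSED on recent BIND versions). Two caveats: a zone file shared by two views is fine only while the zone is static; if you later turn on dynamic updates, give the outside view the zone with `in-view "inside";` (BIND 9.10 and later) instead of a second `file` line, or the two views will fight over the journal. And ACLs based on source address are only as trustworthy as your perimeter filtering, so the outside NIC should never be reachable from inside addresses that could spoof their way into the "inside" view.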
SOFTWARE:
Note: I don't think dnsmasq can do split DNS. BIND can, as can most other "enterprise" products. Look for "views" or "Split DNS" in the manual.