Thoughts on DNS / DDNS for self-hosting with dynamic IP?

We’re a small company, and we have 100/100 fiber at the site now. We have a bunch of low-traffic services that we’d like to run on-site, but the price of a static IP from the local telco is a fortune.

So I’m thinking of doing a hybrid setup:

$5/mo VPS with:

  1. Postfix that receives mail and holds it until fetched via POP3.
  2. Nginx that serves static web pages, but not media or anything database.
  3. Authoritative Name Server for our domain, that gets updated when the server at the office pings it.

On the local network:

  1. IMAP server that holds mail forever after fetching from the VPS with Fetchmail. Public access at for iPhones, laptop at a coffee shop etc.
  2. Web server that serves media to the public.
  3. Database / Web Application server that serves dynamic content to the public (PHP/MySQL).
  4. LDAP (LAN Access Only)
  5. NFS (LAN Access only)
  6. Asterisk/Phones. Public access at
  7. A local DNS Server? Authoritative?

So we need a couple things for DNS to work out with this:

  1. We need a DNS server that can run on the offsite VPS and get some of it’s IPs updated from a ping.

  2. We need a DNS server that runs on the LAN and returns internal addresses. ie. for

  3. The LAN DNS server should return different IPs for things that are both LAN and public. ie. when is queried from outside, return the public IP of the fiber modem, but when queried from on the LAN, return the local address.

So I’m trying to figure out:

  1. What software choices are best for this? (FOSS/Linux)
  2. What configuration makes sense. Try to mess with views on BIND for private/public? Sync with Master/Slave? Or is it less work to have two DNS servers that are unaware of each other, one on the LAN (for LAN IPs) and one public (for public)?

I have not all the things you need, but I run a local DNS server (unbound on the pfsense) and use an external DNS provider for access from the outside. I have a static IP, so this is easy, but, most DNS providers will support some form of DynDNS. So no need to reinvent the wheel there. Both of my DNS servers are authoritative on their “segments” of the network (inside/outside).