1) costly but probably the most secure option, shitty administration
2) Can be done, but 3) is better
3) Add a dedicated services VLAN for stuff like this (and DNS/file), most common solution, simple administration
DNS does not need a Server on your Vlan/subnet or even on site, you can directly communicate with public DNS servers if you want
put it in the services net and configure ACLs for it, number of interfaces is up to you
let there be user accounts and permissions, seperate security stuff for security reasons
DNS works tree based, so your local domain is abc.local, then subdomain can be sec.abc.local.......
can be done but not nessecary in smaller networks, ACLs do the trick, just use files.abc.local and then User-Account and Perms