Private address space top level domain (.local or .net)

Discussion in 'DNS Server' started by Steve Buckley, Aug 12, 2009.

  1. When I first set up Active Directory in 2000 I quickly came to the
    conculsion it was better to use a non-existant TLD (like .local)
    Later in the 2003 literature it seemed Microsoft were following suit.
    I've been working through the Server 2008 Training Kit and am noticing that
    MS now seem to recommend using using .net .org etc... for private DNS
    schemes.
    Is there any reason for this; you don't really want anyone to be able to
    resolve these names from "The Internet"...or do you?
    Can anyone shed any light on this?
     
    Steve Buckley, Aug 12, 2009
    #1
    1. Advertisements

  2. Hello Steve,

    In the private range basically you can choose what you like. .local has problems
    when MAC OS machines are in the domain. So i think that's one of the reasons
    they changed. If you have a web site name like company.org i suggest to another
    TLD in the private network like .loc, so you have no problems with split
    DNS configuration when both names are the same.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Aug 12, 2009
    #2
    1. Advertisements

  3. Steve Buckley

    Chris Dent Guest

    The current suggestions are documented here:

    http://support.microsoft.com/kb/909264

    It tends to focus more on a private sub-domain of a public domain rather
    than something like .local. An example of that would be corp.domain.com.

    Even if you use a public name for AD there's no reason that the names
    within that zone should be available on the Internet. For that to happen
    you would have to expose your internal DNS servers to the public (and
    register them as the DNS servers for the public domain).

    Using a sub-domain of the public domain side-steps any disadvantages
    associated with using a public domain name (split brain, inability to
    reclaim "http://domain.com" from AD, etc).

    So why not .local? We can only guess. Perhaps there are concerns about
    compatibility. Or perhaps they worry that suggesting everyone use a TLD
    that isn't reserved in any way is a bad plan in the longer term, even if
    it's very unlikely that anything will happen with .local.

    Whatever you do, you should avoid the TLD names here:

    http://www.iana.org/domains/root/db/

    Especially anything like .int. That one is always fun if you ever need
    to get a certificate for the domain (unless you really do actually work
    for an organisation like the UN).

    Chris
     
    Chris Dent, Aug 12, 2009
    #3

  4. I'm leaning towards, and have been using the .net version of a company name,
    if available for purchase, for internal names. I mean you can still go with
    a .local, or a subdomain of the company name, if you like, but from
    experience with one company a couple of years ago with an Exchange 2007
    implementation and purchasing a cert, has made me re-think to use the .net
    version.

    Reason is the Exchange 2007 cert type required should be a UCC/SAN cert.
    They contain multiple names,including the internal FQDN and the NetBIOS name
    of the machine:

    mail.domain.com
    autodiscover.domain.com
    servername.internaldomain.com
    servername

    I know some folks will say or even respond to this post that these names are
    not needed and can get away with a single name cert, but a single name
    doesn't cover's Outlook Anywhere connection methods.

    When purchasing the cert, the registered name of the domain names in
    question are all checked. So if you have a public name of American Ball
    Club, and the external name is ameriball.com (or whatever), but at one point
    you've decided to use abc.net for the internal, well that name will be
    checked. In this case, if abc.net (unknowingly) belongs to someone else, it
    will get denied.

    If it is a .local name, it won't be checked, and will be approved, since it
    doesn't exist.

    Don't get me wrong, you can call it any internal name you want, but just for
    consistency sake, many are starting to lean towards the .net version of the
    name, as long as it's not registered, and if it isn't, make sure you
    register it.

    I like those articles Chris posted, too. They're good to know for DNS name
    limitations and other recommendations, including for this type of thing. I
    have a blog I'm putting together regarding AD naming conventions, including
    pros, cons, Exchange 2007 UCC/SAN consideration, etc, but I haven't quite
    completed and proofed it yet. It pretty much includes what I discussed here.
    I'll let you know if I complete it any time soon.


    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum to benefit from collaboration
    among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MCT], Aug 12, 2009
    #4
  5. Yes, certificates are something that maybe propelling this, especially with
    the move towards IPv6.
    With the use of a valid Internet domain name I guess you keep your options
    open for the possibility that going forward all networks will be
    homogenously connected with one big IPv6 Internet.
    IPv6 IP addresses can roam and will use the same certificate when connected
    to any network (just the network address changes and the home router
    redirects connections to the current host network.)
    This also allows you to authenticate and connect directly to your LAN from
    anywhere as long as the firewall rules permit (no VPN required.)
    Guess I'd better start using .biz addresses internally now.
     
    Steve Buckley, Aug 12, 2009
    #5
  6. Good point about certificate portability.

    The .biz namespace seems to be a good alternative, too!

    Ace
     
    Ace Fekay [MCT], Aug 12, 2009
    #6
  7. Steve Buckley

    Kerry Brown Guest

    Great thread.

    Another problem that will be coming up is ICANN is looking at allowing many
    new gTLDs. Some being considered are .green .horse .eco .nyc .quebec and
    thousands more. Combine this with IDN's, also upcoming, and it's all too
    likely that sometime in the future whatever non-standard TLD you pick may
    suddenly be public. It's unlikely .local or .internal would ever be approved
    as a gTLD but who knows what the future holds. I think using a subdomain of
    an existing public domain or a buying a gTLD name like .net is the best
    practice for now.
     
    Kerry Brown, Aug 12, 2009
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.