Top level domain/domain suffix for private network?
At our office, we have a local area network with a purely internal DNS setup, on which clients all named as whatever.lan
. I also have a VMware environment, and on the virtual-machine-only network, I name the virtual machines whatever.vm
.
Currently, this network for the virtual machines isn't reachable from our local area network, but we're setting up a production network to migrate these virtual machines to, which will be reachable from the LAN. As a result, we're trying to settle on a convention for the domain suffix/TLD we apply to the guests on this new network we're setting up, but we can't come up with a good one, given that .vm
, .local
and .lan
all have existing connotations in our environment.
So, what's the best practice in this situation? Is there a list of TLDs or domain names somewhere that's safe to use for a purely internal network?
Since the previous answers to this question were written, there have been a couple of RFCs that alter the guidance somewhat. RFC 6761 discusses special-use domain names without providing specific guidance for private networks. RFC 6762 still recommends not using unregistered TLDs, but also acknowledges that there are cases where it will be done anyway. Since the commonly used .local conflicts with Multicast DNS (the main topic of the RFC), Appendix G. Private DNS Namespaces recommends the following TLDs:
- intranet
- internal
- private
- corp
- home
- lan
IANA appears to recognize both RFCs but does not (currently) incorporate the names listed in Appendix G.
In other words: you shouldn't do it. But when you decide to do it anyway, use one of the above names.
Do not use an invented TLD. If ICANN were to delegate it, you would be in big trouble. Same thing if you merge with another organization which happens to use the same dummy TLD. That's why globally unique domain names are preferred.
The standard, RFC 2606 reserves names for examples, documentation, testing, but nothing for general use, and for good reasons: today, it is so easy and cheap to get a real and unique domain name that there is no good reason to use a dummy one.
So, buy iamthebest.org
and use it to name your devices.
Use a subdomain of your company's registered domain for internal machines whose names you do not want available on the Internet. (Then, of course, only host those names on your internal DNS servers.) Here are some examples for the fictitious Example Corporation.
Internet-facing servers:
www.example.com
mail.example.com
dns1.example.com
Internal machines:
dc1.corp.example.com
dns1.corp.example.com
client1.corp.example.com
I used "corp" to signify that this subdomain described machines on the internal corporate network, but you could use anything you want here, such as "internal": client1.internal.example.com.
Remember, too, that DNS zones and subdomains do not have to align with your network numbering scheme. My company, for example, has 37 locations, each with its own subnet, but all locations use the same (internal) domain name. Conversely, you could have only one or a few subnets, but many peer internal domains or levels of subdomains to help you organize your machines.
There's another advantage of using an internal subdomain: cleverly using search suffixes and only hostnames instead of FQDN, you can build configuration files that work both in development, QA and production.
For example, you always use "database = dbserv1" in your configuration file.
On the development server, you set the search suffix to "dev.example.com" => database server used: dbserv1.dev.example.com
On the QA server, you set the search suffix to "qa.example.com" => database server used: dbserv1.qa.example.com
And on the production server, you set the search suffix to "example.com" => database server used: dbserv1.example.com
That way, you can use the same settings in every environment.
As always there are de jure and de facto standards.
While "nonprofit" ICANN plays in politics and money we, common people, suffer. IETF once introduced .home
(RFC 7788) for personal home intranets but they don't have power over only-for-pofit IANA players and reintroduced domain under .home.arpa
(RFC 8375) as IETF controls only .arpa
.
Appendix G of https://www.rfc-editor.org/rfc/rfc6762 mentions:
.intranet .internal .private .corp .home .lan
for use if you really want internal TLD.
Big players (Google, Amazon) use .internal
for virtual intranets:
-
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html - A private (internal) DNS hostname resolves to the private IPv4 address of the instance. The
private DNS hostname takes the form
ip-private-ipv4-address.ec2.internal
for theus-east-1
Region, andip-private-ipv4-address.region.compute.internal
for other Regions (where private-ipv4-address is the reverse lookup IP address). -
https://cloud.google.com/compute/docs/internal-dns
Zonal DNS
[INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal
for all organizations or standalone projects that have enabled the Compute Engine API after September 06, 2018.
Those companies can buy the Internet. So it is de facto safe to use .internal
TLD internally ))