Top level domain/domain suffix for private network?

domain-name-system best-practices hostname local-area-network

At our office, we have a local area network with a purely internal DNS setup, on which clients all named as whatever.lan. I also have a VMware environment, and on the virtual-machine-only network, I name the virtual machines whatever.vm.

Currently, this network for the virtual machines isn't reachable from our local area network, but we're setting up a production network to migrate these virtual machines to, which will be reachable from the LAN. As a result, we're trying to settle on a convention for the domain suffix/TLD we apply to the guests on this new network we're setting up, but we can't come up with a good one, given that .vm, .local and .lan all have existing connotations in our environment.

So, what's the best practice in this situation? Is there a list of TLDs or domain names somewhere that's safe to use for a purely internal network?


Since the previous answers to this question were written, there have been a couple of RFCs that alter the guidance somewhat. RFC 6761 discusses special-use domain names without providing specific guidance for private networks. RFC 6762 still recommends not using unregistered TLDs, but also acknowledges that there are cases where it will be done anyway. Since the commonly used .local conflicts with Multicast DNS (the main topic of the RFC), Appendix G. Private DNS Namespaces recommends the following TLDs:

  • intranet
  • internal
  • private
  • corp
  • home
  • lan

IANA appears to recognize both RFCs but does not (currently) incorporate the names listed in Appendix G.

In other words: you shouldn't do it. But when you decide to do it anyway, use one of the above names.


Do not use an invented TLD. If ICANN were to delegate it, you would be in big trouble. Same thing if you merge with another organization which happens to use the same dummy TLD. That's why globally unique domain names are preferred.

The standard, RFC 2606 reserves names for examples, documentation, testing, but nothing for general use, and for good reasons: today, it is so easy and cheap to get a real and unique domain name that there is no good reason to use a dummy one.

So, buy iamthebest.org and use it to name your devices.


Use a subdomain of your company's registered domain for internal machines whose names you do not want available on the Internet. (Then, of course, only host those names on your internal DNS servers.) Here are some examples for the fictitious Example Corporation.

Internet-facing servers:
www.example.com
mail.example.com
dns1.example.com

Internal machines:
dc1.corp.example.com
dns1.corp.example.com
client1.corp.example.com

I used "corp" to signify that this subdomain described machines on the internal corporate network, but you could use anything you want here, such as "internal": client1.internal.example.com.

Remember, too, that DNS zones and subdomains do not have to align with your network numbering scheme. My company, for example, has 37 locations, each with its own subnet, but all locations use the same (internal) domain name. Conversely, you could have only one or a few subnets, but many peer internal domains or levels of subdomains to help you organize your machines.


There's another advantage of using an internal subdomain: cleverly using search suffixes and only hostnames instead of FQDN, you can build configuration files that work both in development, QA and production.

For example, you always use "database = dbserv1" in your configuration file.

On the development server, you set the search suffix to "dev.example.com" => database server used: dbserv1.dev.example.com

On the QA server, you set the search suffix to "qa.example.com" => database server used: dbserv1.qa.example.com

And on the production server, you set the search suffix to "example.com" => database server used: dbserv1.example.com

That way, you can use the same settings in every environment.


As always there are de jure and de facto standards.

While "nonprofit" ICANN plays in politics and money we, common people, suffer. IETF once introduced .home (RFC 7788) for personal home intranets but they don't have power over only-for-pofit IANA players and reintroduced domain under .home.arpa (RFC 8375) as IETF controls only .arpa.

Appendix G of https://www.rfc-editor.org/rfc/rfc6762 mentions:

.intranet .internal .private .corp .home .lan

for use if you really want internal TLD.

Big players (Google, Amazon) use .internal for virtual intranets:

  • https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html - A private (internal) DNS hostname resolves to the private IPv4 address of the instance. The private DNS hostname takes the form ip-private-ipv4-address.ec2.internal for the us-east-1 Region, and ip-private-ipv4-address.region.compute.internal for other Regions (where private-ipv4-address is the reverse lookup IP address).
  • https://cloud.google.com/compute/docs/internal-dns Zonal DNS [INSTANCE_NAME].[ZONE].c.[PROJECT_ID].internal for all organizations or standalone projects that have enabled the Compute Engine API after September 06, 2018.

Those companies can buy the Internet. So it is de facto safe to use .internal TLD internally ))

Related

How can I port forward with iptables?
How do I tell if my Windows server is swapping?
Linux - real-world hardware RAID controller tuning (scsi and cciss)
Can I have multiple DHCP servers on one network?
rm on a directory with millions of files
Why is DNS failover not recommended?
fatal: bad ownership or modes for chroot directory component "/" in SFTP
What is "anycast" and how is it helpful?
How to do the port forwarding from one ip to another ip in same network?
How does IPv6 subnetting work and how does it differ from IPv4 subnetting?
LVM dangers and caveats
How can I forward requests from my web server?