Best Practices for Choosing Private Network TLDs in Internal DNS Configurations


2 views

When setting up internal networks, many sysadmins face the dilemma of choosing appropriate top-level domains (TLDs) for their private DNS infrastructure. The challenge intensifies when multiple network segments (like .lan for physical networks and .vm for virtual environments) need to coexist without naming conflicts.

The IETF's RFC 6761 officially reserves several TLDs for special purposes:

.test - For testing purposes
.local - For multicast DNS (mDNS)
.example - Documentation and examples
.invalid - Obviously invalid domains
.localhost - Loopback addresses

However, many organizations have historically used .internal, .private, or .corp for their networks despite these not being officially reserved.

For your specific case where .lan and .vm are already taken, consider these alternatives:

  • .intra - Short for "intranet"
  • .infra - For infrastructure components
  • .priv - Explicitly private
  • .prod - For production environments
  • .cluster - For VM clusters

Here's how you might configure BIND for a .infra domain:

zone "infra" {
    type master;
    file "/etc/bind/db.infra";
    allow-query { 192.168.0.0/16; };
    allow-transfer { none; };
};

For VMware environments that will be migrated to production:

# PowerCLI example for bulk DNS name updates
Get-VM | Where {$_.PowerState -eq "PoweredOn"} | 
ForEach-Object {
    $newName = $_.Name + ".prod"
    Set-VM -VM $_ -Name $newName -Confirm:$false
}

To prevent future naming collisions:

  1. Document all TLDs in use across environments
  2. Implement a hierarchical naming scheme (e.g., vm01.web.prod)
  3. Use DNS views to separate internal/external resolutions

A financial institution we worked with used this structure:

Development: dev.fin.internal
Testing: qa.fin.internal
Production: prod.fin.secure
DR Site: dr.prod.fin.secure

When setting up internal networks, choosing the right top-level domain (TLD) suffix is crucial to avoid conflicts with public DNS and existing internal conventions. Common choices like .lan, .local, or .vm may already be in use, as in your case where:

# Existing naming conventions
workstation1.lan       # LAN devices
db-server.vm           # Virtual machines

The IETF's RFC 6761 specifies these special-use TLDs:

  • .local (for multicast DNS)
  • .localhost
  • .example
  • .test
  • .invalid

For production internal networks, we recommend creating a subdomain of your public domain:

# Recommended approach
internal.example.com
vm.internal.example.com
prod.internal.example.com

If you must use a private TLD, consider these less common but valid choices:

# Sample internal DNS zone configuration
$ORIGIN corp.internal.
webserver1    IN A    192.168.1.10
database      IN A    192.168.1.20

$ORIGIN infra.private.
k8s-master    IN A    10.0.0.100

Here's a sample named.conf for an internal .private zone:

zone "private" {
    type master;
    file "/etc/bind/db.private";
    allow-query { 192.168.0.0/16; 10.0.0.0/8; };
};

And the corresponding zone file:

; db.private
$TTL 86400
@ IN SOA ns1.private. admin.private. (
    2023081501 ; serial
    3600       ; refresh
    1800       ; retry
    604800     ; expire
    86400      ; minimum TTL
)

@       IN NS    ns1.private.
ns1     IN A     192.168.1.1
www     IN A     192.168.1.100
api     IN A     192.168.1.101

When merging networks with different naming schemes:

  1. Create CNAME records during transition: 
    legacy-vm.vm IN CNAME new-vm.infra.private.
  2. Update DHCP configurations to push new search domains
  3. Gradually phase out old naming conventions

Always:

  • Restrict zone transfers
  • Implement DNSSEC for internal zones
  • Monitor for DNS leakage to public resolvers