This makes me think of some AD best practices I read a long time ago. One of the practices was to never use made up local TLDs like .internal or .local because some day they might be real and get picked up by someone.
Essentially you should always use a domain you control both outside and inside, like a regular gTLD or ccTLD.
Pretty much every single company I've worked for with AD has broken this rule.
The following TLDs are fine and reserved:
RFC2606 (https://datatracker.ietf.org/doc/html/rfc2606)Test is best used in temporary setups that you use for testing things.
Example is best used in documentation only.
Invalid is weird and confusing.
Localhost as a TLD should still be on the machine itself. Keeping in mind that 127.0.0.1 is not the only loopback address at your disposal – you have the whole /8. You could bind different services on different loopback ip addresses and then assign host names in the .localhost tld to those.
So for example you could run different Wordpress instances locally on your machine on ips 127.87.80.2, 127.87.80.3, and 127.87.80.4, so that each can run on port 80 without colliding with one another, and without resorting to having non-80/non-443 ports.
Then have corresponding entries in /etc/hosts
127.87.80.2 dogblog.localhost
127.87.80.3 cooking.localhost
127.87.80.4 travel.localhost
And use those domains to access each of those from your browser. Then you don’t even need to keep all services behind the same Nginx instance for example, as you otherwise would do if you had different domain names but was using 127.0.0.1 and port 80 for all of them.
Whereas having the localhost tld refer to hosts elsewhere on a physical network.. that’s about equally as weird and confusing as “invalid”.
Tell that to Google Chrome developers, who are so arrogant they think they know better than the operating system, and force-resolve *.localhost. to 127.0.0.1
Looks like someone might have been trying to prepare the ground for a hijack of 127.0.0.0/8...
Then use a non-brain dead browser :)
‘The ".localhost" TLD has traditionally been statically defined in host DNS implementations as having an A record pointing to the loop back IP address and is reserved for such use. Any other use would conflict with widely deployed code which assumes this use.’
Reading that sentence implies a single loop back address. I appreciate that IPv6 “fixed” this confusion by having a single loop back address of ::1. While you are correct that IPv4 reserved the entire /8 in practice the expectation is generally that 127.0.0.1 is the loopback address, and using other addresses in the 127/8 space tends to lead to unexpected issues across many pieces of software. The intention of the .localhost domain is to ensure that DNS resolutions never resolves to something external, for security reasons.
See also, RFC 5735: “… This is ordinarily implemented using only 127.0.0.1/32 for loopback.” — https://datatracker.ietf.org/doc/html/rfc5735
Yes, but who would want .test, .example or .invalid as an internal domain? Also, they are too long (yes, that matters).
What I've seen lately is '.int' for internal usage. While this is a valid TLD, it is only for international organizations, and it is not possible for "normal" people to reserve a domain with that TLD, so unless your company is called "WHO" or similar, you shouldn't have any problems...
People thought .dev was safe until it wasn't. Bear in mind they can still do something like "enroll all of .int in HSTS preload" (like was done for .dev), and suddenly your browsers will permanently refuse to load any of your internal sites.
No one competent would ever have thought dev. was safe. It's quite simple: if you don't own the domain, or it hasn't been reserved (e.g., home.arpa.), don't use it!
.Corp exist and is reserved for private use.
The only one of those appropriate for accessing actual hosts would be .test, and obviously using .test for non-testing purposes would also not be appropriate.
.domain, .lan, .home, .host, and .Corp
Are all options as well.
They are reserved for Testing, & Documentation Examples.
You should not used them in production.
The ".local" domain specifically is a bad choice as many platforms use MDNS instead of DNS for looking up those names. Leading to issues resolving names on some client devices. It's also very common due to Microsoft suggesting it as best practise in the early days of AD.
Thank Apple for this half-baked bullsh*t.
How so?
Maybe because of this?
https://en.wikipedia.org/wiki/.local
Kinda weird to blame the people who made an RFC, instead of the industry leader who recommended using .local completely on their own, without support from the wider industry. This is explained in the next couple paragraphs, where you stopped copying.
You're right, the confusion about the use of .local domain seems to be more due to Microsoft going back-and-forth about it.
mDNS was announced after the Windows 2000 RTM date, so it would be unfair to blame Microsoft with regards to mDNS functionality.
Not that Microsoft should have made that recommendation, but hindsight and all that.
No. Fuck MS for encouraging their MVPs to use a reserved domain.
I'm wondering about one thing, now that I've read a few "may cause issues" and "is used for mDNS" replies: what the F is mDNS actually doing in the background?
Is it really going to assign "lancelot.roundtable.local" to my washing machine on a whim, which leaves the microwave unresolvable?
Can't I instruct the mDNS server running on my machine to respond to a particular name ending in .local?
Can't eg. dnsmasq insert itself into a conversation on 224.0.0.251 saying "Let me answer this question" for certain queries?
If you’ve set up x.local in your DNS for your dryer but your laptop uses mDNS, it’s possible that your lapatop’s mDNS will get a response from your microwave that it’s reachable at x.local. The solution (not an expert, please check this) is to set up the dryer in DNS as x.domain-thar-you-own or x.home.arpa
I'm a little fuzzy on this, but my understanding is that for mDNS to be reliable it is required that all .local hosts implement mDNS to allow for conflict resolution.
My work used .local which means mDNS and service discovery etc doesn't work. Very annoying. What are they teaching these network admins? Why don't they even know what a domain name is for?
Similar issue with modern devs that don’t know what a page of memory is.
Or don't even know the bandgap of the transistors the computer is running off.
Yeah, developers nowadays don’t know their Pauli exclusion principle.
or a database.
Thank Apple for designing the protocol the Apple way, that is being not interoperable with the world.
Yes, the classic not-interoperable approach of publishing the protocol as Standards Track RFCs with the IETF.
The timeline was IIRC
1. MS made recommendations to use .local
2. Apple networks started to use Bonjour and used .local, breaking on networks that used .local already
3. RFC was submitted
4. MS recommended against using .local or any domain you do not own fully
Microsoft's recommendation in the early 2000's was to use .local
Even if they know now, that doesn’t mean they knew when setting up the AD domain back in 2000.
We used .dev before google registered it so we migrated to another paid domain so we don't need to pay huge amount per year to google
To this day this story still blows my mind:
... to a provider that doesn't even offer all the same services.
FAFO, as they say.
I specifically use some .dev domains because of HSTS. Some of us don't cling to http and I prefer an error rather than transparent fallback to unsafe protocol if I screw up the config.
The first point is valid but that is mostly ICANN's fault, they should have proposed it as reserved instead of selling it.
oh. its worse. the original request for the TLD was only granted because in the application Google specifically mentioned that it should be reserved due to its unofficial use by developers and that if anyone else got it then they might put real domains on it.
You cant make it up.
Just my person experience, but I got my relatively uncommon name on .dev for $12/yr so I'm pretty happy with that. While the situation worked in my favor, I agree .dev probably should have been the official internal only TLD.
Yep. We use two domains - everything on A is "public" and everything on "B" is internal. The root of "B" is a static page on AWS that is gated behind our VPN so it serves as a quick "can you hit our infra at all" check when troubleshooting, and catches the people who are convinced they've enabled their VPN.
One thing to note here that we haven't solved (We've only got two "infra" people, we're a small company) is how you handle an internal portal to an external service. If our public domain is maccard.com and private is maccard.dev, where does internal-admin.maccard.com _actually_ live? Our solve for this is we have an internal.maccard.com for this very specific use case, but I'd much rather it was admin.live.maccard.dev
We just use the same domain internally and externally with split DNS. Works fine.
We have enough issues with DNS that adding split DNS into the mix is a ball ache I don't want to contend with.
We actually have the DNS for our private domain set publicly, and all the actual work happens on a load balancer which is on the network. We're fully remote so this avoids the "my communal WiFi provider seems to have issues with the VPN" (which is what we had when we used split DNS)
I buried split DNS (and (for the most part) private CAs for that matter) with ACME DNS-01.
https://en.wikipedia.org/wiki/2021_Facebook_outage
made me think this wasnt such a great idea. particularly the part about facebook employees not being able to use their keycards to enter the buildings at the same time as the site outage.
Until it doesn't.
And having a website on the domain.tld adds shenanigans.
One of many examples I had is when Outlook loses connection to Exchange (eg S2S VPN is down) it starts autodiscovery process, hits domain.tld (because users have email@domain.tld, duh) and complains to user with a scary messages (which are also blocks the process until the users hit something). Which is totally understandable, because the website is on some public hosting, so CN in the cert is from the public host at best and != domain.tld.
Using corp.domain.tld or even techdomain.tld solves this totally and also let you use public certs (LE in the current era) even on the 'local' side of the network.
Aside from all technical issues the biggest problem I have seen with such an approach is that is really hard for employees to remember what is external and what internal that way. Distinct domains help there
We use split DNS and the admins can't even do it right, they keep fucking it up and configuring one DNS view but not the other, so when I'm on VPN I randomly can't use certain domain names.
Also as another commenter mentioned, it is impossible to tell based on the name if it is an internal or external resource
I'm curious what split DNS offers that a separate internal zone wouldn't.
Devil's advocate: using an Internet-public domain for internal purposes will publicly expose your internal hostnames if you enable DNSSEC on the Internet-public domain. This is a problem if you're required to enable DNSSEC, e.g. for FedRAMP compliance.
The number of cases where this is actually a legitimate concern, IMO, is extremely small, and I'm personally of the opinion that using Internet-public domains for internal purposes is generally fine. But it's still important to point out that the number of cases is not zero.
Zone content enumeration in DNSsec was fixed by NSEC3 records (RFC5155, March 2008)
No it wasn't! NSEC3 is crackable the same way a 1990s Unix password file is. This was such a big problem that two competing approaches were introduced to defeat it: "whitelies", which I perceive as the "best practices standard" answer, requires servers to operate as online signers (they should have been all along) so they can generate dynamic chaff records to foil enumeration, and NSEC5.
Hmm. Interesting. I wasn't aware of that, thanks! … also, https://github.com/CyberCX-STA/NSEC-3-Walker …
Every security auditor in ever regs regime will flag zone transfers.
You can use a public domain but a local/private DNS server
I believe the advice about using a TLD you control outside and inside is mostly to prevent takeover on the outside that could affect the inside.
But you can still have completely separate DNS for the inside. Using a shared DB for both would probably be recommended to avoid conflicts.
.local actually exists. It is used for mDNS.
TIL, woops!
I use this for all my internal domains, haha. I guess this is why we need a proper tld like this.
The following TLDs are fine and reserved:
RFC2606 (https://datatracker.ietf.org/doc/html/rfc2606)Not really: https://news.ycombinator.com/item?id=39154082
You could consider making them real mDNS domains then, and using mDNS to resolve them to your desired IPs.
This happened with the .dev situation. I switched to .d ever since. I’ve read somewhere that new TLDs are required to be at least 2 letters so I guess I’m safe this way.
You can use .lan, . domain, .home, .host or .Corp as they are all reserved TLDs
.d is easier to type.
they aren't reserved that I can see? https://www.iana.org/assignments/special-use-domain-names/sp...
Where did you see that? would be interesting to have reference for a couple people
I worked for Merrill Lynch around 2000 and they used other people’s public IP addresses on their (theoretically) internal network.
Naturally, this went terribly as soon any of their sites had their own connection to the internet.
Why not use the designated private IP ranges? There are more than enough addresses there, unless it's some crazy application with millions of instances each needing an IP. But then use IPv6?
I had a very large client that was squatting someone else's address space in the pre-WWW days. When I pointed out the problem this would eventually cause and that RFC1918 was the (then) answer, the CTO said "no one here needs to get to the University of Tokyo". I was long gone by the time the SHTF.
I had another much smaller client who's leadership insisted that because they were using it the owners would have to just have to not use it. Some sort of imagined IP squatters rights, I guess. I doubt the DoD accommodated them.
I’ve been told that this is still a problem at large organizations in that industry.
I joke that I would use .icannsux because there is just no way they would assign it.
`.sucks` is a real TLD though, so you can register `icann.sucks` today!
https://www.hover.com/domains/results?utf8=%E2%9C%93&q=icann... alleges it is $219,999.99 and renews at $2599.99/yr due to "This is a tiered price domain."
Also, yeah, they almost had me with those .99 figures :-/
Hah that's a funny idea that you'd be relatively safer if you used something outrageous like godsavethequeen or crappymcfartlegs. But you never know what promotional TLDs are created in the future. Or how free the process might become, as remembering names becomes less and less important to a majority of internet users.
I saw a successful attack on a .dev domain doing exactly this. Links on PCs worked correctly, but phones showed a scam site, so emailed links were attacked.
It was hard to fix because they couldn’t get the spoofed domain, and there were so many copies of bad links everywhere.
Another fun fact about .dev which I recently found out while working on a side project:
You NEED to use https when visiting any .dev domain. Google has put it on the HSTS preload list.
It took me a while to find out why my browser kept redirecting me to https when I wanted to use http (local development). Curl worked fine…
Just for the record, anybody can add their own domain to HSTS via the submission site[1].
[1] https://hstspreload.org/
Pretty much the first I do on any fresh server is to disable http, no matter what it is used for.
IMHO http has no use in the modern world.
I understand that .home.arpa is the standard TLD for home networks as per RFC-8375
https://www.rfc-editor.org/rfc/rfc8375
I tried to use that on my Turris Omnia and it broke a lot of things. I ended up using .lan
What broke?
I never heard of home.arpa so I'm also curious what broke.
The only thing I can imagine would be if you accidentally created a root for .arpa.
The last time I set up DNS at home, I decided to use a fictitious and undelegated subdomain under my ISP's domain name. This structure did not create any "extra" problems in the short term.
But I suppose that I still ran the risk that the subdomain could "become real", or draw attention from security admins, or I would change ISPs.
How? I’m not saying this is great practice — there are certainly better options — but no one outside your network will ever know about it. It also won’t matter if you switch ISPs.
It's not a problem (well, most of the time), but you would see the requests for 'internal' resources in DNS (ie your machine is not on your network but tries to resolve the internal DNS records) and in certificate checks even for non-public PKIs
I've sold IT stuff to a city that had some expensive consultants configure their ActiveDirectory as <name_of_city>.ad, as in the ccTLD of Andorra.
The .local bullshit gate so much headache. When I was working on Ubuntu based POS systems we had to make sure avahi or any kind of mDNS wouldn’t be installed. It became a running joke “we got another MS MVP here” every time we had issues with a client with a .local domain.
It's a lot better now. Ever since companies started moving from on-prem Exchange to O365 in droves I've noticed that most orgs I work with (painfully) updated their domain so their user principals align w/ their O365 mailbox.
There's only one customer I have that still uses a ".local" domain for AD, and they got bought out last year. (By an org that uses a real FQDN.)
My friends and I own the domain name “dev.host” and you wouldn’t believe the traffic we get.
We had a bunch of .dev urls break thanks to google and our lack of foresight.