Should my company's internal domain be renamed?

Posted on 2011-04-19
Last Modified: 2012-05-11
My company's internal domain name is structured like this:

The company's website, which is hosted by a third party, is structured like this:

This generates a bunch of port 137 NetBIOS and 445 Microsoft-DS traffic from the workstations to the third-party website host (mail is also hosted externally). I don't see where performance is being harmed, but I block that traffic at the firewall for security reasons and because it is useless. I think if the mail and website were ever hosted internally, the current naming structure would make sense, but should the internal domain name be something different as a best practice in our current scenario? I know it would stop the 137/445 traffic to the web host anyway!

Question by:dshaney
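The firewall block the question describes is easy to verify from the firewall's own logs. The script below is an added example, not code from the original thread or from any product mentioned in it: it parses a few constructed log lines (the comma-separated field layout, host names and IP addresses are all assumed) and reports NetBIOS/SMB flows that leave the private address space. An `ALLOW` on such a flow means the perimeter rule has a gap; repeated `DROP`s from one workstation point at a client that is still trying to reach the web host over SMB, which is the name-resolution problem the rest of the thread is about.

```powershell
# Added example (not from the original thread). Audits constructed firewall log
# lines for NetBIOS/SMB traffic leaving the LAN. Field layout and IPs are assumed:
# timestamp,src,dst,proto,dport,action
$logLines = @'
2011-04-19T08:01:12,10.0.1.21,203.0.113.10,TCP,445,DROP
2011-04-19T08:01:12,10.0.1.21,203.0.113.10,UDP,137,DROP
2011-04-19T08:01:15,10.0.1.35,10.0.0.5,TCP,445,ALLOW
2011-04-19T08:02:03,10.0.1.40,203.0.113.10,TCP,80,ALLOW
2011-04-19T08:02:44,10.0.1.52,203.0.113.10,TCP,445,ALLOW
'@

# RFC 1918 ranges: traffic staying inside these is normal file/print sharing.
function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

# NetBIOS name/datagram/session (137/138/139) and SMB over TCP (445)
function Test-SmbPort {
    param([string]$Proto, [int]$Port)
    return (($Proto -eq 'UDP' -and $Port -in 137, 138) -or
            ($Proto -eq 'TCP' -and $Port -in 139, 445))
}

# Returns every SMB/NetBIOS flow whose destination is outside private space.
function Get-LeakingSmbFlows {
    param([string[]]$Lines)
    $Lines | ForEach-Object {
        $f = $_.Split(',')
        [pscustomobject]@{
            Time = $f[0]; Src = $f[1]; Dst = $f[2]
            Proto = $f[3]; DstPort = [int]$f[4]; Action = $f[5]
        }
    } | Where-Object {
        (Test-SmbPort $_.Proto $_.DstPort) -and -not (Test-PrivateIPv4 $_.Dst)
    }
}

$flows = Get-LeakingSmbFlows ($logLines -split "`r?`n" | Where-Object { $_ })

# Gaps in the perimeter rule: anything that was allowed through.
Write-Host "SMB/NetBIOS flows to external hosts that were ALLOWED:"
$flows | Where-Object Action -eq 'ALLOW' | Format-Table Time, Src, Dst, Proto, DstPort -AutoSize

# Noisy clients: hosts that keep trying despite the block.
Write-Host "Attempts per source host (all actions):"
$flows | Group-Object Src | Sort-Object Count -Descending | Select-Object Name, Count
```

Feed it real lines by replacing the here-string with `Get-Content` on an exported log; the only parts that need adapting to a given firewall are the field order in `Get-LeakingSmbFlows` and the action keywords.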
Assisted Solution by: Ernie Beek (LVL 35)
Personally I think it is always wise to keep the two separated. I've seen lots of scenarios where DNS issues (internal and external) occurred because of this.
The wise thing to do (and safer) is to use something like company.local or company.lan, where company.lan might be better if your site has *nix running; some machines use .local for NFS domains.
Accepted Solution (LVL 17)

It's always best to have them split, but it isn't necessary (for INTERNAL clients) if you have the DNS set up correctly. If it is, they should never be directed EXTERNALLY for anything but HOST and MX records, which should also be set on your internal DNS.

You need to make sure that you have the DNS zone for "COMPANY.COM" inside your DNS zone, and the internal records (HOST, MX, CNAME, etc.) configured for your internal clients, and that they are using the correct DNS servers (domain controllers). This is referred to as split-brain DNS. Internet clients will get MX and HOST records from external DNS, and internal clients will get all of the info from your AD DNS servers. You should not have a stub zone or conditional forwarders internally since they're in the same namespace.

The problem will come when you have mobile clients outside of your network looking for the "" name servers for AD information, and they're directed to the authoritative name servers out on the Internet instead of

Some of the traffic will just
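The split-brain setup the accepted solution describes (an internal copy of the `company.com` zone on the domain controllers, the externally hosted HOST/MX/CNAME records republished in it, and no stub zone or conditional forwarder for the same namespace) can be built and checked with the DnsServer module. The following is an added example, not code from the original thread or from Experts Exchange: the zone name, server name, host names and every IP address are placeholders, and it assumes the DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later, or RSAT) and a session with DNS Admin rights. The verification function goes a step beyond the answer's text by also confirming that the zone apex resolves only to domain controllers.

```powershell
# Added example (not from the original thread). Builds and verifies the internal
# half of a split-brain zone for company.com on an AD-integrated DNS server.
# All names and addresses below are assumed placeholders.
$zone       = 'company.com'
$dnsServer  = 'dc01'           # internal domain controller (assumed)
$webHostIp  = '203.0.113.10'   # third-party web host (assumed)
$mailHostIp = '203.0.113.25'   # third-party mail host (assumed)

# On a DC for an AD domain named company.com the zone already exists; create it
# only when this server is not yet authoritative for it (e.g. a lab server).
if (-not (Get-DnsServerZone -Name $zone -ComputerName $dnsServer -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain' -ComputerName $dnsServer
}

# Anything the public zone serves for externally hosted services must be
# republished here: the internal server answers for the whole zone itself and
# will not forward a query for a name it does not hold.
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'www'     -IPv4Address $webHostIp  -ComputerName $dnsServer
Add-DnsServerResourceRecordA     -ZoneName $zone -Name 'mail'    -IPv4Address $mailHostIp -ComputerName $dnsServer
Add-DnsServerResourceRecordMX    -ZoneName $zone -Name '.'       -MailExchange "mail.$zone" -Preference 10 -ComputerName $dnsServer
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'webmail' -HostNameAlias "mail.$zone" -ComputerName $dnsServer

# Returns a list of problems; an empty list means the zone is consistent.
function Test-SplitBrainZone {
    param([string]$Zone, [string]$Server, [string]$ExpectedWwwIp)
    $problems = @()

    # 1. The same namespace must not also be reached via a stub zone or
    #    conditional forwarder on the internal servers.
    $shadow = Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.ZoneName -eq $Zone -and $_.ZoneType -in @('Stub', 'Forwarder') }
    if ($shadow) { $problems += "Zone $Zone is also configured as $($shadow.ZoneType) on $Server" }

    # 2. The apex (company.com itself) should point only at domain controllers,
    #    never at the web host: clients use it to locate SYSVOL and NETLOGON.
    $dcIps = Get-ADDomainController -Filter * | Select-Object -ExpandProperty IPv4Address
    $apex  = Resolve-DnsName -Name $Zone -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A'
    foreach ($r in $apex) {
        if ($dcIps -notcontains $r.IPAddress) {
            $problems += "Apex $Zone resolves to $($r.IPAddress), which is not a domain controller"
        }
    }

    # 3. Externally hosted names must still resolve for internal clients.
    $www = Resolve-DnsName -Name "www.$Zone" -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A'
    if (-not $www -or ($www.IPAddress -notcontains $ExpectedWwwIp)) {
        $problems += "www.$Zone does not resolve to $ExpectedWwwIp internally"
    }

    return $problems
}

$issues = Test-SplitBrainZone -Zone $zone -Server $dnsServer -ExpectedWwwIp $webHostIp
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Split-brain zone $zone looks consistent on $dnsServer"
}
```

The `Add-DnsServerResourceRecord*` calls are not idempotent (they fail if an identical record already exists), so on an existing zone run only `Test-SplitBrainZone`; the same check from a workstation (`Resolve-DnsName company.com`) shows whether that client is getting the internal or the external answer.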
