
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 280

Should my company's internal domain be renamed?

My company's internal domain name is structured like this:


The company's website, which is hosted by a third party, is structured like this:


This generates a bunch of port 137 NetBIOS and port 445 Microsoft-DS traffic from the workstations to the third-party website host (mail is also hosted externally). I don't see where performance is being harmed, but I block that traffic at the firewall for security reasons and because it is useless. I think if the mail and website were ever hosted internally, the current naming structure would make sense, but should the internal domain name be named something different as a best practice in our current scenario? I know it would stop the 137/445 traffic to the web host anyway!

2 Solutions
Ernie Beek (Expert) commented:
Personally I think it is always wise to keep the two separated. I've seen lots of scenarios where DNS issues (internal and external) occurred because of this.
The wise thing to do (and safer) is to use something like company.local or company.lan, where company.lan might be better if your site has *nix running; some machines use .local for NFS domains.
Tony Massa commented:
It's always best to have them split, but it isn't necessary (for INTERNAL clients) if you have the DNS set up correctly. If it is, they should never be directed EXTERNALLY for anything but HOST and MX records, which should also be set on your internal DNS.

You need to make sure that you have the DNS zone for "COMPANY.COM" inside your DNS, with the internal records (HOST, MX, CNAME, etc.) configured for your internal clients, and that they are using the correct DNS servers (domain controllers). This is referred to as split-brain DNS. Internet clients will get MX and HOST records from external DNS, and internal clients will get all of the info from your AD DNS servers. You should not have a stub zone or conditional forwarders internally since they're in the same namespace.

The problem will come when you have mobile clients outside of your network looking for the "COMPANY.com" name servers for AD information, and they're directed to the authoritative name servers out on the Internet instead of

Some of the traffic will just
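The split-brain setup described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the AD domain is company.com, that it is run on a domain controller holding the DNS role, that the DC's address is 10.0.0.5, and that the third-party web host and external mail host sit at the hypothetical documentation-range addresses 203.0.113.10 and 203.0.113.25; it mirrors those host records into the AD-integrated zone and then compares what an internal client and a public resolver each get for the same names.

```powershell
# Added example, not from the original thread. Populates the internal
# AD-integrated company.com zone with the externally hosted services' records,
# then verifies split-brain resolution. All addresses below are hypothetical.

$zone        = 'company.com'
$internalDns = '10.0.0.5'      # hypothetical address of this domain controller
$webHostIP   = '203.0.113.10'  # hypothetical public IP of the third-party web host
$mailHostIP  = '203.0.113.25'  # hypothetical public IP of the external mail host

# In an AD domain named company.com the zone already exists on the DCs (it holds
# the _ldap/_kerberos SRV records), so never create it; just confirm it is there.
$z = Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue
if (-not $z) {
    throw "Zone $zone not found here; run this on an AD DNS server authoritative for it."
}

# Add a record only if that name/type is not already present, so re-running is safe.
function Add-RecordIfMissing {
    param([string]$Name, [string]$Type, [scriptblock]$Create)
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $Name -RRType $Type `
                -ErrorAction SilentlyContinue
    if ($existing) { Write-Host "$Type record for $Name in $zone already present, skipping" }
    else           { & $Create; Write-Host "Added $Type record for $Name in $zone" }
}

# HOST records for the externally hosted services, mirrored into the internal zone.
Add-RecordIfMissing -Name 'www'  -Type 'A' -Create {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www'  -IPv4Address $webHostIP }
Add-RecordIfMissing -Name 'mail' -Type 'A' -Create {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'mail' -IPv4Address $mailHostIP }

# CNAME so webmail.company.com follows the mail host.
Add-RecordIfMissing -Name 'webmail' -Type 'CNAME' -Create {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'webmail' -HostNameAlias "mail.$zone" }

# MX at the zone apex; this cmdlet takes "." for the zone root.
Add-RecordIfMissing -Name '@' -Type 'MX' -Create {
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail.$zone" -Preference 10 }

# Verification: the same names resolved against the internal DNS and a public resolver.
function Get-ARecords([string]$Name, [string]$Server) {
    Resolve-DnsName -Name $Name -Type A -Server $Server -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
}

foreach ($name in "www.$zone", "mail.$zone", $zone) {
    [pscustomobject]@{
        Name     = $name
        Internal = (Get-ARecords -Name $name -Server $internalDns) -join ','
        Public   = (Get-ARecords -Name $name -Server '1.1.1.1')   -join ','
    }
}
```

The last row is the one to look at: inside an AD domain the zone apex (company.com with no host label) resolves to the domain controllers' own "same as parent" A records, while public DNS answers with the web host. That is the split-brain effect the answer refers to, and it is why internal clients should reach the site as www.company.com rather than the bare apex.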
